Install Spin

• Installing Spin
• Verifying the Release Signature
• Building Spin From Source
• Using Cargo to Install Spin
• Next Steps

Installing Spin

Spin runs on Linux (amd64 and arm64), macOS (Intel and Apple Silicon), and Windows (amd64).

$ curl -fsSL https://developer.fermyon.com/downloads/install.sh | bash

$ sudo mv spin /usr/local/bin/

$ curl -fsSL https://developer.fermyon.com/downloads/install.sh | bash -s -- -v v0.10.0

$ curl -fsSL https://developer.fermyon.com/downloads/install.sh | bash -s -- -v canary

$ curl -fsSL https://developer.fermyon.com/downloads/install.sh | bash

$ sudo mv spin /usr/local/bin/

$ curl -fsSL https://developer.fermyon.com/downloads/install.sh | bash -s -- -v v0.10.0

$ curl -fsSL https://developer.fermyon.com/downloads/install.sh | bash -s -- -v canary

Verifying the Release Signature

The Spin project signs releases using Sigstore, a project that helps with signing software and stores signatures in a tamper-resistant public log. Consumers of Spin releases can validate the integrity of the package they downloaded by performing a validation of the artifact against the signature present in the public log. Specifically, users get two main guarantees by verifying the signature: 1) that the author of the artifact is indeed the one expected (i.e. the build infrastructure associated with the Spin project, at a given revision that can be inspected), and 2) that the content generated by the build infrastructure has not been tampered with.

To verify the release signature, first configure Cosign v2.0.0+. This is the CLI tool that we will use validate the signature. The same directory where the installation script was run should also contain a signature of the Spin binary and the certificate used to perform the signature. The following command will perform the signature verification using the cosign CLI:

 $ cosign verify-blob \
    --signature spin.sig \
    --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/ \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    # --certificate-github-workflow-sha  \
    ./spin
Verified OK

You can now move the Spin binary to the path knowing that it was indeed built by the infrastructure associated with the Spin project, and that it has not been tampered with since the build.

Building Spin From Source

Follow the contribution document for a detailed guide on building Spin from source:

$ git clone https://github.com/fermyon/spin
$ cd spin && make build
$ ./target/release/spin --help

Please note: On a fresh Linux installation, you will also need the standard build toolchain (gcc, make, etc.), the SSL library headers, and on some distributions you may need pkg-config. For example, on Debian-like distributions, including Ubuntu, you can install the standard build toolchain with this command:

$ sudo apt-get install build-essential libssl-dev pkg-config

Using Cargo to Install Spin

If you have cargo, you can clone the repo and install it to your path:

$ git clone https://github.com/fermyon/spin -b v0.10.0
$ cd spin
$ rustup target add wasm32-wasi
$ cargo install --locked --path .
$ spin --help

Please note: Spin v0.10.0 requires wasmtime v5.0.0 which requires rustc 1.66.0 or newer. You can update Rust using the following command:

$ rustup update

Next Steps

• Take Spin for a spin
• Learn about how to write a Spin application
• Try the Fermyon Cloud