Download
Get the tools. Open source. Verifiable.
Every release is open source and free to evaluate. Install from a package manager, build from source, or grab a signed binary, and verify the checksum before you run.
Continuous compliance posture, drift detection, and a control plane for your Linux fleet.
$ sudo dnf install ./openwatch-*.rpm
$ sudo apt install ./openwatch_*.deb
No stable release yet. Signed release-candidate builds (.rpm / .deb) are on GitHub releases →
Transactional configuration management with automatic rollback, daemonless over SSH.
$ sudo dnf install kensa kensa-rules
$ sudo apt install kensa kensa-rules
| Linux x86_64 | |
|---|---|
| Linux arm64 | |
| Any noarch |
Validate, link, and type-check .spec.yaml files, and gate CI on coverage.
$ tar xzf specter_<version>_<os>_<arch>.tar.gz$ sudo mv specter /usr/local/bin/
| Linux x86_64 | |
|---|---|
| Linux arm64 | |
| macOS x86_64 | |
| macOS arm64 | |
| Windows x86_64 |
Verify before you run
Every release is signed
Packages (.rpm / .deb) are signed with the Hanalyx GPG key e239e50c (Hanalyx LLC (release signing) <ops@hanalyx.com>). The checksums file is signed with cosign; get each product's cosign.pub from its KEYS file below.
# Packages (.rpm / .deb): import the Hanalyx key, then verify the signature$ sudo rpm --import https://raw.githubusercontent.com/Hanalyx/kensa/main/KEYS$ rpm --checksig kensa_<v>_linux_<arch>.rpm# expected: Signature ... key ID e239e50c: OK# Checksums: verify the cosign signature, then the file hashes$ cosign verify-blob --key cosign.pub --signature kensa_<v>_checksums.sha256.sig kensa_<v>_checksums.sha256$ sha256sum -c kensa_<v>_checksums.sha256
Keys (GPG fingerprint 4CB70E1C 09426E43 CBBAD280 4AA0538F E239E50C): OpenWatch KEYS, Kensa KEYS
Specter releases are not yet signed.