Installation

Goal

Install dotsecenv on your system and verify it’s working correctly.

Steps

1. Choose your installation method

   macOS (Homebrew)

   Homebrew is the recommended method for macOS:

   brew tap dotsecenv/tap
   brew install dotsecenv

   This automatically installs shell completions.

   macOS (Binary)

   Download the binary directly:

   # Apple Silicon (M1/M2/M3)
   curl -LO https://get.dotsecenv.com/darwin/dotsecenv_0.4.6_Darwin_arm64.tar.gz
   
   # Intel Mac
   curl -LO https://get.dotsecenv.com/darwin/dotsecenv_0.4.6_Darwin_x86_64.tar.gz
   
   # Verify and install
   curl -s https://get.dotsecenv.com/darwin/checksums.txt | sha256sum -c --ignore-missing
   tar -xzf dotsecenv_*.tar.gz
   sudo mv dotsecenv /usr/local/bin/

   Debian/Ubuntu

   Add the apt repository:

   # Trust the GPG key
   curl -fsSL https://get.dotsecenv.com/key.asc | \
     sudo gpg --dearmor -o /etc/apt/keyrings/dotsecenv.gpg
   
   # Add the repository
   echo "deb [signed-by=/etc/apt/keyrings/dotsecenv.gpg] \
     https://get.dotsecenv.com/apt/ ./" | \
     sudo tee /etc/apt/sources.list.d/dotsecenv.list
   
   # Install
   sudo apt-get update
   sudo apt-get install dotsecenv

   Fedora/RHEL

   Add the yum repository:

   cat <<EOF | sudo tee /etc/yum.repos.d/dotsecenv.repo
   [dotsecenv]
   name=DotSecEnv Repository
   baseurl=https://get.dotsecenv.com/yum/
   enabled=1
   gpgcheck=1
   repo_gpgcheck=1
   gpgkey=https://get.dotsecenv.com/key.asc
   EOF
   
   sudo dnf install dotsecenv

   Arch Linux

   Add to pacman:

   # Add to pacman.conf
   cat <<'EOF' | sudo tee -a /etc/pacman.conf
   [dotsecenv]
   Server = https://get.dotsecenv.com/arch/$arch
   SigLevel = Required DatabaseOptional
   EOF
   
   # Trust the key
   curl -fsSL https://get.dotsecenv.com/key.asc | sudo pacman-key --add -
   sudo pacman-key --lsign-key E60A1740BAEF49284D22EA7D3C376348F0921C59
   
   # Install
   sudo pacman -Sy dotsecenv

   mise

   If you use mise:

   mise use github:dotsecenv/dotsecenv

   Windows

   Work in Progress

   Windows support is still under development. Follow issue #8 for updates.

   Download the .zip for your architecture from the Releases page:

   • dotsecenv_vX.X.X_Windows_x86_64.zip for 64-bit Intel/AMD
   • dotsecenv_vX.X.X_Windows_arm64.zip for ARM64

   Extract and add the binary location to your PATH.

   GPG Requirement: Install Gpg4win for GPG support. When you run dotsecenv init config, it will detect GPG automatically and set the path. You can also manually configure it in your config file:

   gpg:
     program: "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe"

   From Source

   Build from source (requires Go 1.25+):

   git clone https://github.com/dotsecenv/dotsecenv.git
   cd dotsecenv
   make build
   sudo mv bin/dotsecenv /usr/local/bin/

2. Verify the installation

   dotsecenv version

   You should see output like:

   version: v0.4.6
   commit: abc1234
   build at: 2025-01-15T10:30:00Z
   go version: go1.24.0
   crypto: GOFIPS140=v1.0.0 (FIPS 140-3 mode enabled)

3. Install shell completions (if not automatic)

   Bash

   # System-wide
   dotsecenv completion bash | sudo tee /etc/bash_completion.d/dotsecenv
   
   # Or user-level (add to ~/.bashrc)
   eval "$(dotsecenv completion bash)"

   Zsh

   # Add to ~/.zshrc
   eval "$(dotsecenv completion zsh)"

   Fish

   # Add to ~/.config/fish/config.fish
   dotsecenv completion fish | source

   PowerShell

   Work in Progress

   Windows support is still under development. Follow issue #8 for updates.

   # Add to your PowerShell profile ($PROFILE)
   dotsecenv completion powershell | Out-String | Invoke-Expression

Expected Result

After installation, you should be able to:

# Check version
dotsecenv version

# See available commands
dotsecenv --help

# Tab-complete commands (after shell restart)
dotsecenv <TAB>

Variations

Installing a Specific Version

Download a specific version from GitHub releases:

VERSION="0.4.6"
curl -LO "https://github.com/dotsecenv/dotsecenv/releases/download/v${VERSION}/dotsecenv_${VERSION}_Linux_x86_64.tar.gz"

Verifying Package Signatures

All packages are signed with the dotsecenv release key:

pub   rsa4096 2025-12-19 [SC] [expires: 2027-12-19]
      E60A1740BAEF49284D22EA7D3C376348F0921C59
uid   DotSecEnv Releases <release@dotsecenv.com>

Verify the key from multiple sources:

# OpenPGP Keyserver
gpg --keyserver keys.openpgp.org --recv-keys E60A1740BAEF49284D22EA7D3C376348F0921C59

# Keybase
curl https://keybase.io/dotsecenv/pgp_keys.asc | gpg --import

Verifying macOS Notarization

All macOS binaries are code-signed with an Apple Developer ID certificate and notarized by Apple. This ensures Gatekeeper allows the binary to run without security warnings.

Verify code signature:

codesign --verify --verbose /usr/local/bin/dotsecenv
# Expected: valid on disk

Verify notarization status:

spctl --assess --verbose /usr/local/bin/dotsecenv
# Expected: accepted
# source=Notarized Developer ID

View signature details:

codesign -dv --verbose=4 /usr/local/bin/dotsecenv

Homebrew Users

If you installed via Homebrew, the binary is located at $(brew --prefix)/bin/dotsecenv. Homebrew casks automatically handle quarantine removal, so Gatekeeper warnings are bypassed.

Uninstalling

Homebrew

brew uninstall dotsecenv
brew untap dotsecenv/tap

apt

sudo apt-get remove dotsecenv
sudo rm /etc/apt/sources.list.d/dotsecenv.list

Binary

sudo rm /usr/local/bin/dotsecenv

Note

Uninstalling dotsecenv does not remove your vault or config files. To remove all data:

rm -rf ~/.config/dotsecenv

---

Next Steps

• First Secret — Store and use your first secret
• Getting Started — Complete initial setup