Skip to main content
Use this procedure for core sitectl and every plugin you install without Homebrew or a native Linux package. Manual installation does not resolve dependencies: select a compatible core and plugin set from the installation guide, then repeat the verification for each repository.
Select an explicit release tag. Do not use a moving /latest/download URL in deployment automation. Download the archive and checksums.txt from the same version-specific GitHub release, and do not extract or execute the archive until verification succeeds.

Linux and macOS

Set the repository, release, operating system, and architecture to the exact asset you selected. GoReleaser asset names use Linux, Darwin, or Windows and architectures such as x86_64 or arm64.
Stop if the asset is absent from checksums.txt or the checksum command fails. After a successful verification, extract and install the binary:
Use OS=Darwin on macOS. Replace REPOSITORY and VERSION for a plugin, for example sitectl-ojs and its independently selected tag. Ensure ${HOME}/.local/bin is on PATH, or install into another user-owned directory already on PATH.

Windows PowerShell

After verification, move the extracted .exe into a user-owned directory on PATH. Repeat the procedure for each plugin.

Verify the installed set

Keep core and every selected plugin from one reviewed compatibility record. Verify the binaries only after all replacements are complete:
Also run sitectl validate and the relevant plugin help or verification command against a non-production project before removing the previous binaries.
The published checksum detects corruption or substitution relative to the selected GitHub release metadata. Because the archive and checksum are attached to the same release, a checksum alone does not prove who controlled the publisher. Keep the repository and explicit tag in the deployment record, apply your organization’s GitHub release trust policy, and verify a repository/workflow signing identity when a release publishes one.