Air-gap Install

Tetrapus ships a fully air-gapped install path. We deliver a signed bundle consisting of three artifacts — a .tar.zst payload, a .json manifest, and a detached .sig signature. The tetrapus-admin sbom verify command walks every entry in the manifest and rejects the install if anything fails.

Bundle anatomy

Artifact                        Purpose
tetrapus-1.0.0.tar.zst          Binaries, container images, Helm chart, systemd units, migration files, vendored Cedar policies.
tetrapus-1.0.0.manifest.json    CycloneDX-format SBOM: digest of every file inside the tarball plus their licences.
tetrapus-1.0.0.sig              Detached Ed25519 signature over the manifest, by the Tetrapus release-signing key.

Workflow

graph TD
    DEV["Tetrapus build farm"] -->|sign| BUNDLE["bundle: tar.zst + manifest.json + sig"]
    BUNDLE -->|sneakernet / OCI / IPMI| EDGE["Air-gap host"]
    EDGE --> VERIFY["tetrapus-admin sbom verify --bundle ..."]
    VERIFY -->|ok| EXTRACT["tar -I zstd -xf ..."]
    EXTRACT --> INSTALL["./install.sh"]
    INSTALL --> BOOTSTRAP["tetrapus-admin bootstrap --email admin@local"]
    BOOTSTRAP --> SMOKE["smoke checklist (below)"]

Verify before install

Bash
# Confirm the manifest signature with the release public key, then check the
# payload digests and licences listed in the manifest.
tetrapus-admin sbom verify \
    --bundle /media/usb/tetrapus-1.0.0.tar.zst \
    --manifest /media/usb/tetrapus-1.0.0.manifest.json \
    --signature /media/usb/tetrapus-1.0.0.sig \
    --pubkey /etc/tetrapus/release-pub.pem

# Output:
#   manifest signature: OK (kid=release-2026-01)
#   payload digests   : 247 / 247 OK
#   licences          : MIT, Apache-2.0, BSD-3-Clause (allow-listed)
#   verdict           : VALID

No-internet smoke checklist

  1. Verify the bundle: tetrapus-admin sbom verify returns VALID.
  2. Install: extract, run ./install.sh, bring up the static services.
  3. Bootstrap admin: tetrapus-admin bootstrap --email admin@local, finish setup via the printed URL.
  4. Ingest sample data: pipe one of the bundled samples/*.ndjson files through the SDK.
  5. Verify the audit chain: tetrapus-admin audit verify --jsonl /var/lib/tetrapus/<slug>/audit.ndjson.
  6. Export DirSink: confirm a closed period flushes a Merkle-rooted bundle to /var/lib/tetrapus/<slug>/attestation/.

Manifest excerpt

JSON
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:0a1b...",
  "metadata": {
    "component": { "name": "tetrapus", "version": "1.0.0" },
    "tools": [{ "name": "tetrapus-build", "version": "1.0.0" }]
  },
  "components": [
    {
      "type": "file",
      "name": "bin/tetrapus-server",
      "version": "1.0.0",
      "hashes": [{ "alg": "SHA-256", "content": "9ab3f1..." }],
      "licenses": [{ "license": { "id": "Apache-2.0" } }]
    }
  ]
}
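
An independent cross-check of an extracted tree against a manifest shaped like the excerpt above, as an added example (not Tetrapus code, and not a description of how tetrapus-admin sbom verify works internally). It covers the digest and licence checks only and assumes the manifest's Ed25519 signature has already been verified, since digests from an unverified manifest prove nothing. The function names and every sample file name other than bin/tetrapus-server are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream: payload files can be large
            h.update(chunk)
    return h.hexdigest()

def check_tree(manifest, root, allowed=("MIT", "Apache-2.0", "BSD-3-Clause")):
    """Return findings (empty list = tree matches). `allowed` copies the sample output's list."""
    root = Path(root).resolve()
    findings, listed = [], set()
    for comp in manifest.get("components", []):
        if comp.get("type") != "file":
            continue
        name = comp["name"]
        target = (root / name).resolve()
        if not target.is_relative_to(root):  # "../x" or an absolute name escapes the tree
            findings.append(f"unsafe path: {name}")
            continue
        listed.add(target)
        want = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}.get("SHA-256")
        if not target.is_file():
            findings.append(f"missing: {name}")
        elif sha256_file(target) != want:  # an entry with no SHA-256 digest also lands here
            findings.append(f"digest mismatch: {name}")
        for lic in comp.get("licenses", []):
            if (lid := lic.get("license", {}).get("id")) not in allowed:
                findings.append(f"licence not allow-listed: {name} ({lid})")
    for path in sorted(root.rglob("*")):  # files on disk that the manifest never mentions
        if path.is_file() and path.resolve() not in listed:
            findings.append(f"unlisted file: {path.relative_to(root).as_posix()}")
    return findings

def demo():  # constructed tree: one intact file, one tampered, one unlisted, one traversal entry
    def comp(name, data, lic="Apache-2.0"):
        return {"type": "file", "name": name, "licenses": [{"license": {"id": lic}}],
                "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()}]}
    with tempfile.TemporaryDirectory() as tmp:
        files = {"bin/tetrapus-server": b"ok", "samples/demo.ndjson": b"tampered", "extra.sh": b"x"}
        for rel, data in files.items():
            (Path(tmp) / rel).parent.mkdir(exist_ok=True)
            (Path(tmp) / rel).write_bytes(data)
        comps = [comp("bin/tetrapus-server", b"ok"), comp("../outside", b"x"),
                 comp("samples/demo.ndjson", b"orig", "GPL-3.0")]
        return check_tree({"components": comps}, tmp)
```

To run it on a real bundle, load the manifest with json.load and pass the directory the tarball was extracted into. A file on disk that the manifest does not list is reported as a finding, because a digest-only walk of manifest entries would never notice it.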

Related

  • tetrapus-admin CLI — full reference for sbom, audit, attestation.
  • Attestation — what the Merkle-rooted export contains.
  • FIPS mode — how to constrain the air-gap install to FIPS-validated crypto.
