Simple, secure downloads without the complexity of package managers
vfetch is a lightweight tool that downloads, verifies (integrity), and organizes files. It bridges the gap between insecure curl/wget downloads and heavyweight package managers, making you conscious of security while keeping things simple.
Package Managers (npm, etc.)
- Heavy overhead and complex dependency trees
- Lock you into specific ecosystems
- Abstract away verification, making you unaware of security
- Require learning package-specific tooling
Raw Downloads (curl, wget)
- No integrity verification by default
- Easy to forget or skip checksum validation
- Manual hash checking is error-prone
- No organized file management
Security by Design, Not by Accident
- Forces you to provide checksums for every download
- Supports multiple hash algorithms (SHA256, SHA512, SHA3, BLAKE2b, BLAKE2s)
- Makes verification failure explicit and loud
- Puts you in control - you vet the checksums, not some package registry
Simplicity Without Compromise
- Single binary, no dependencies
- Human-readable JSON configuration
- Predictable file organization
- No hidden magic or complex dependency resolution
Awareness Through Responsibility
- Every download requires a hash - no shortcuts
- You must consciously verify checksums from trusted sources
- Builds security habits through explicit verification requirements
- Makes the cost of trust visible and intentional
- Download vfetch
- Create a config file with your downloads and their checksums
- Run vfetch and get verified, organized files
# Download all items in the config
vfetch -config my-tools.json
# Download specific items by name
vfetch -config my-tools.json esbuild
# Download multiple specific items
vfetch -config my-tools.json esbuild jq node
Example my-tools.json:
{
  "output-dir": "/home/user/tools",
  "bins-dir": "/home/user/.bin",
  "fetch": [
    {
      "name": "esbuild",
      "url": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-$VERSION.tgz",
      "version": "0.25.10",
      "hash": "sha256:25a7b968b8e5172baaa8f44f91b71c1d2d7e760042c691f22ab59527d870d145",
      "bin-file": "/package/bin/esbuild",
      "extract": true
    }
  ]
}
# Download all items defined in config
vfetch -config vfetch-config.json
# Download specific items by name
vfetch -config vfetch-config.json go esbuild
# Use default config file (vfetch-config.json)
vfetch go jq
Benefits of selective downloading:
- Faster execution - only download what you need
- Bandwidth efficient - skip unnecessary downloads
- Testing friendly - verify individual items during development
- Deployment flexibility - different tools for different environments
If you specify a name that doesn't exist in the config, vfetch will fail with a clear error:
$ vfetch -config vfetch-config.json nonexistent-tool
Failed to filter fetch items: fetch items not found: [nonexistent-tool]
This fail-fast behavior prevents partial downloads and ensures you get exactly what you expect.
- No downloads without checksums - vfetch refuses to proceed without proper hashes
- Multiple hash algorithms supported for maximum compatibility
- Fail-fast verification - stops immediately on hash mismatches
- Automatic extraction for ZIP, TAR, TAR.GZ, and GZIP archives
- Binary symlink creation for executable files
- Organized output with predictable directory structures
- Version placeholders in URLs ($version → actual version)
- Per-item overrides for output and binary directories
- Documentation tracking with optional URL fields for license, source, etc.
- Single statically-linked binary
- No runtime dependencies or package ecosystems
- Works anywhere Go runs
When you download files with curl or wget, you're trusting:
- The network connection isn't compromised
- The server hasn't been hacked
- The file wasn't modified in transit
- DNS hasn't been hijacked
vfetch makes this explicit by requiring you to:
- Find official checksums from the project's trusted sources
- Verify them yourself against multiple sources when possible
- Take responsibility for the integrity of what you download
This isn't paranoia - it's basic operational security that should be standard practice.
Check the releases page for pre-built binaries.
go install github.com/alvarolm/vfetch@latest
git clone https://github.com/alvarolm/vfetch
cd vfetch
go build .
cp ./vfetch /usr/local/bin
Remember to verify the checksum of vfetch itself!
See example-config.json for a comprehensive configuration example with all available options.
- name: Human-readable identifier (used for selective downloading)
- url: Download URL (supports $version placeholders)
- version: Version identifier
- hash or hashes: Cryptographic verification

- extract: Extract archives automatically
- bin-file: Create executable symlinks
- output-dir: Override global output directory
- bin-dir: Override global binary directory

Note: The name field is used for selective downloading. When you run vfetch -config vfetch-config.json go node, vfetch will look for items with "name": "go" and "name": "node" in your configuration.
{
  "name": "jq",
  "url": "https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64",
  "version": "1.6",
  "hash": "sha256:af986793a515d500ab2d35f8d2aecd656e764504b789b66d7e1a0b727a124c44",
  "bin-file": true
}

{
  "name": "node",
  "url": "https://nodejs.org/dist/v$version/node-v$version-linux-x64.tar.gz",
  "version": "18.17.0",
  "hash": "sha256:...actual-hash...",
  "extract": true,
  "bin-file": "node-v18.17.0-linux-x64/bin/node"
}

{
  "name": "critical-tool",
  "url": "https://example.com/tool.tar.gz",
  "version": "2.1.0",
  "hashes": [
    "sha256:...",
    "sha512:..."
  ],
  "extract": true
}
- Always verify checksums from official project sources
- Cross-reference hashes from multiple trusted sources when possible
- Use HTTPS URLs for downloads
- Keep vfetch updated to get the latest security improvements
- Review configurations before running them
- Store configurations in version control for audit trails
Tool | Verification | Complexity | Ecosystem Lock-in | Security Awareness |
---|---|---|---|---|
vfetch | Mandatory | Low | None | High |
npm/pip | | High | Heavy | Hidden |
curl/wget | Manual/Optional | Low | None | |
vfetch is designed to stay simple and focused. When contributing:
- Maintain simplicity - avoid feature creep
- Security first - never compromise on verification requirements
- Explicit over implicit - make security decisions visible
- Test thoroughly - especially hash verification and file handling
LICENSE - Use it freely, but remember: you are responsible for verifying what you download.
Remember: Security is not a feature you can install - it's a practice you must maintain.