Verifying Your Install¶
Bullpen CLI holds keys and signs trades on your behalf. Before you trust a binary on your machine, confirm it came from Bullpen and was not tampered with in transit. This page covers the official install sources, how to inspect the installer before running it, how to compare published SHA-256 checksums, and why Homebrew's tap-trust prompt is a safety signal rather than friction.
Official Install Sources¶
There are exactly two canonical sources for Bullpen CLI:
- The native installer script at
https://cli.bullpen.fi/install.sh - GitHub Releases at github.com/BullpenFi/bullpen-cli-releases/releases
The native installer is the preferred first install for most users. It downloads the latest official release binary directly:
Manual download from the GitHub Releases page is for users who want to verify checksums themselves or pin a specific version. If a third party gives you a binary or a different URL, do not run it — fetch from one of the two sources above instead.
Inspect The Script Before Running It¶
Piping a script straight into sh runs whatever the server returns. If you
prefer to read the installer first, download it, review it, then run it:
curl -fsSL https://cli.bullpen.fi/install.sh -o install.sh
less install.sh # review what it does before running
sh install.sh
This is the same script as the one-line curl … | sh flow — downloading it
first only adds a review step.
Compare The Published SHA-256 Checksum¶
If you download a release binary manually from the GitHub Releases page, confirm it matches the checksum Bullpen published for that artifact. The release page lists SHA-256 checksums for each artifact alongside the downloads.
Compute the SHA-256 of the file you downloaded:
Example output
The 64-character hex string is the checksum. The value above is an example only — yours will differ for each release.Compare the hex value against the checksum published on the release page for the same artifact (matching your OS and architecture). They must match exactly. If they differ, do not run the binary — re-download from the official Releases page, and if it still does not match, report it through Responsible Disclosure.
On Linux, sha256sum ./bullpen produces the same value if shasum is not
installed.
Homebrew Tap Trust Is A Safety Signal¶
When you install via Homebrew, you may see a prompt asking you to trust the
bullpenfi/tap tap or its formula. This is not an error — it is Homebrew
confirming that you intend to install from the BullpenFi tap rather than a
look-alike. Confirming the prompt is the legitimate way to proceed:
If Homebrew refuses to load the formula from an untrusted tap, trust it explicitly and retry:
brew trust --formula bullpenfi/tap/bullpen
brew install BullpenFi/tap/bullpen
brew link --overwrite bullpen
To trust the full Bullpen tap instead of just the formula, run
brew trust --tap bullpenfi/tap. Only trust bullpenfi/tap — if a prompt
names a different tap, stop and verify the source.
Run It And Confirm The Version¶
After installing by any path, confirm the binary runs and reports a version:
If bullpen is not found, the install location may not be on your PATH. The
native installer adds $HOME/.bullpen/bin to your shell profile; open a new
shell or source your profile, then retry.
Once the version prints, continue with the Quickstart to log in and check your account.