Skip to content


Install from GitHub Releases

$ VERSION=TODO # choose the latest version (without v prefix)
$ OS=Linux     # or Darwin
$ ARCH=x86_64  # or arm64, i386, s390x

We generate SLSA3 provenance using the OpenSSF's slsa-framework/slsa-github-generator. To verify our release, install the verification tool from slsa-framework/slsa-verifier#installation and verify as follows:

$ curl -sSfL "${VERSION}/ko_${VERSION}_${OS}_${ARCH}.tar.gz" > ko.tar.gz
$ curl -sSfL${VERSION}/multiple.intoto.jsonl > multiple.intoto.jsonl
$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl --source-uri --source-tag "v${VERSION}" ko.tar.gz
Verified signature against tlog entry index 24413745 at URL:
Verified build using builder "" at commit 200db7243f02b5c0303e21d8ab8e3b4ad3a229d0
Verifying artifact /Users/batuhanapaydin/workspace/ko/ko.tar.gz: PASSED

PASSED: Verified SLSA provenance
$ tar xzf ko.tar.gz ko
$ chmod +x ./ko

Install using Homebrew

brew install ko

Install using MacPorts

sudo port install ko

More info here

Install on Windows using Scoop

scoop install ko

Install on Alpine Linux

Installation on Alpine requires using the testing repository

echo >> /etc/apk/repositories
apk update
apk add ko

Build and Install from source

With Go 1.16+, build and install the latest released version:

go install

Setup on GitHub Actions

You can use the setup-ko action to install ko and setup auth to GitHub Container Registry in a GitHub Action workflow:

- uses: ko-build/setup-ko@v0.6