Build the Air-Gap Bundle

This guide covers the prep-host build phase only: how to install the manifest-installer CLI, configure AWS credentials, download the platform and vulnerability-data packages, and combine them with export-bundle into a single tarball for transfer to an air-gapped environment.

Run every command below on an internet-connected prep host. The prep host may run Linux, macOS, or Windows — it does not need to match the target host. The bundle it produces always targets linux/amd64, the only supported deployment architecture.


1. Install the CLI

The manifest-installer binary is published to the public manifest-self-hosted Releases and is downloadable anonymously — no GitHub account or token required. Each binary ships with a matching .sha256 checksum file. Replace <version> with the version you've been instructed to install (e.g. 2.0.0); the release tag is that version prefixed with v.

Linux / macOS

base=https://github.com/manifest-cyber/manifest-self-hosted/releases/download/v<version>
curl -fsSL -O "$base/manifest-installer-linux-amd64"
curl -fsSL -O "$base/manifest-installer-linux-amd64.sha256"
sha256sum -c manifest-installer-linux-amd64.sha256   # prints "OK" on a match
chmod +x manifest-installer-linux-amd64
sudo mv manifest-installer-linux-amd64 /usr/local/bin/manifest-installer

(On macOS substitute the manifest-installer-darwin-* asset for your prep host, and use shasum -a 256 -c if sha256sum is unavailable.)

Windows (PowerShell)

The Windows installer ships as a .zip (the Linux and macOS builds are bare binaries). Download the zip and its checksum, verify, then extract the .exe:

$base = "https://github.com/manifest-cyber/manifest-self-hosted/releases/download/v<version>"
Invoke-WebRequest -Uri "$base/manifest-installer-windows-amd64.zip" `
  -OutFile "$env:USERPROFILE\manifest-installer.zip"
Invoke-WebRequest -Uri "$base/manifest-installer-windows-amd64.zip.sha256" `
  -OutFile "$env:USERPROFILE\manifest-installer.zip.sha256"
# Verify: the computed hash must match the first field of the .sha256 file.
(Get-FileHash "$env:USERPROFILE\manifest-installer.zip" -Algorithm SHA256).Hash.ToLower()
(Get-Content "$env:USERPROFILE\manifest-installer.zip.sha256").Split()[0]
# Extract manifest-installer-windows-amd64.exe, then move it onto your PATH
# (e.g. into a directory already listed in $env:Path).
Expand-Archive -Path "$env:USERPROFILE\manifest-installer.zip" `
  -DestinationPath "$env:USERPROFILE\manifest-installer" -Force

SmartScreen warning

If Windows blocks the extracted .exe with a SmartScreen ("Windows protected your PC") warning, clear the downloaded-file mark and retry:

Unblock-File "$env:USERPROFILE\manifest-installer\manifest-installer-windows-amd64.exe"

Verify the install:

manifest-installer --version

The CLI stores downloaded packages and data under the XDG data directory: ~/.local/share/manifest/ on Linux/macOS (%LOCALAPPDATA%\manifest\ on Windows). Export XDG_DATA_HOME before running the CLI to relocate it — for example, onto a mounted volume with room for several gigabytes of packages.


2. Configure AWS credentials

The installer pulls platform and data packages from Manifest's private ECR registry in us-east-1. Configure the IAM credentials Manifest provided during onboarding using either of the following.

Option A — persist them via the CLI (recommended):

manifest-installer config set aws.accessKeyID <provided-by-manifest>
manifest-installer config set aws.secretAccessKey <provided-by-manifest>

The values are written to ~/.config/manifest/installer-config.yaml (mode 0600); do not edit the file by hand. Region is derived from the registry URL — you do not need to set it. Only long-lived IAM-user keys are accepted; for short-lived STS credentials, use the environment-variable path below.

Option B — export them in the environment (useful for one-off runs):

export AWS_ACCESS_KEY_ID=<provided-by-manifest>
export AWS_SECRET_ACCESS_KEY=<provided-by-manifest>
export AWS_REGION=us-east-1

Environment variables (and any other AWS SDK credential source) take precedence over the persisted values.


3. Download the platform packages

# Pin the version you were instructed to install
manifest-installer download --version <x.x.x>

# Or omit --version to pull the latest published release
manifest-installer download

This pulls the platform Zarf packages into ~/.local/share/manifest/versions/<x.x.x>/pkgs/ and fetches the matching linux/amd64 manifest-installer binary alongside them (it gets embedded in the bundle so the target host doesn't need a separate download).

The download always targets linux/amd64 regardless of the prep host's own architecture — there is no architecture flag to set. The command is idempotent: re-running it skips packages already on disk and completes in seconds once a version is fully downloaded.


4. Download the vulnerability data

An air-gapped platform cannot reach the internet to refresh vulnerability feeds (NVD, OSV, KEV, EPSS), so the data must be bundled and carried in. On a first-time build, pull a full snapshot:

manifest-installer download-data

This pulls a baseline snapshot plus a 7-day refresh into ~/.local/share/manifest/data/ and records the selection in data/current.json.

For an incremental update to an already-installed air-gap deployment, pass the date of your last sync so only the covering refresh window is pulled:

manifest-installer download-data --since <YYYYMMDD>

download-data is idempotent and air-gap-only — a connected install ingests feeds directly at runtime and does not need this step.


5. Build the bundle

manifest-installer export-bundle --version <x.x.x>

This produces, in your current directory:

  • manifest-self-hosted-<version>-<YYYYMMDD>.tar — the Zarf packages, the manifest-installer binary (under bin/ in the tarball), and a metadata.json.
  • manifest-self-hosted-<version>-<YYYYMMDD>.tar.sha256 — a checksum for verifying the transfer.

The date suffix is the UTC build date. Omit --version to bundle the latest version present under versions/.

To include the vulnerability data you pulled in step 4, add --include-data:

manifest-installer export-bundle --version <x.x.x> --include-data

--include-data bundles exactly the data packages recorded by your most recent download-data run (via data/current.json), so an incremental-update bundle doesn't re-carry snapshots the cluster already has. There is no separate date flag on export-bundle — control the data coverage with download-data --since in step 4, then bundle what it selected.

If a package isn't downloaded yet

When you pass --version for a version whose packages aren't on disk, export-bundle prompts to fetch it first (Fetch now? [y/N]). Answer y, or pre-run download. Pass --no-fetch to make a missing package a hard error instead of a prompt — useful for scripted builds.


6. Verify the bundle

export-bundle writes the .sha256 next to the tarball. Confirm the bundle is intact before transferring it, and again on the target host after transfer:

sha256sum -c manifest-self-hosted-<version>-<YYYYMMDD>.tar.sha256

Run this from the directory holding both files; it prints OK when the tarball matches. (On macOS without sha256sum, use shasum -a 256 -c.)

The binaries and bundle are not code-signed today — checksum verification is the integrity mechanism. Distribution-signing (cosign/sigstore) is tracked as a separate hardening item.
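
Steps 3 through 6 as one non-interactive run, added here as an example and not part of Manifest's own tooling. The function names (sha256_of, verify_bundle, build_bundle) are hypothetical. The script assumes credentials are already configured as in step 2 and that the current directory holds no older bundle for the same version. verify_bundle compares against the first field of the .sha256 file, so it does not depend on the working directory.

```shell
# Added example (not Manifest's code); function names are hypothetical.

# Print the SHA-256 of a file with whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a bundle with the first field of its sibling .sha256 file.
# Returns 0 on match, 1 on mismatch, 2 if either file is missing or the
# checksum file is malformed.
verify_bundle() {
  local tarball="$1" expected actual
  [ -f "$tarball" ] && [ -f "$tarball.sha256" ] || return 2
  expected=$(awk 'NR==1 {print tolower($1)}' "$tarball.sha256")
  case "$expected" in
    ''|*[!0-9a-f]*) return 2 ;;   # empty or contains non-hex characters
  esac
  [ "${#expected}" -eq 64 ] || return 2
  actual=$(sha256_of "$tarball") || return 2
  [ "$actual" = "$expected" ] || return 1
}

# Steps 3-6 for a first-time build. --no-fetch turns a missing package
# into a hard error instead of the interactive "Fetch now?" prompt.
build_bundle() {
  local version="$1"
  manifest-installer download --version "$version" || return 1
  manifest-installer download-data || return 1
  manifest-installer export-bundle --version "$version" \
    --include-data --no-fetch || return 1
  # Assumption: exactly one bundle for this version exists in the current
  # directory, so the glob identifies the tarball that was just written.
  set -- manifest-self-hosted-"$version"-*.tar
  [ "$#" -eq 1 ] && [ -f "$1" ] || return 2
  verify_bundle "$1"
}
```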


For help, contact Manifest support at [email protected].