Install
You can install the pre-compiled binary (in several ways), use Docker or compile from source.
Below you can find the steps for each of them.
Using a package manager
brew install goreleaser/tap/nfpm
brew install nfpm
Info
The formula in homebrew-core might be slightly outdated. Use our homebrew tap to always get the latest updates.
scoop bucket add goreleaser https://github.com/goreleaser/scoop-bucket.git
scoop install nfpm
echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
sudo apt update
sudo apt install nfpm
echo '[goreleaser]
name=GoReleaser
baseurl=https://repo.goreleaser.com/yum/
enabled=1
gpgcheck=0' | sudo tee /etc/yum.repos.d/goreleaser.repo
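sudo yum install nfpm
Note: the apt and yum repository definitions above set [trusted=yes] and gpgcheck=0, so the package manager does not verify repository or package signatures for this source.
winget install --id=goreleaser.nfpm
npm install -g @goreleaser/nfpm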
# or
npx @goreleaser/nfpm
Pre-built packages and archives
Download your format of choice from the releases page and install it with the appropriate tool.
You may also download an archive, extract it, and run the binary inside.
Running with Docker
You can also use it within a Docker container. To do that, you’ll need to execute something more-or-less like the following:
docker run --rm -v $PWD:/tmp -w /tmp goreleaser/nfpm package \
  --config /tmp/pkg/foo.yml \
  --target /tmp \
  --packager deb
Using go install
go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
Verifying the artifacts
All artifacts are checksummed, and the checksum is signed with cosign.
Download
Download the files you want, along with the checksums.txt and checksums.txt.sig files, from the releases page:
wget 'https://github.com/goreleaser/nfpm/releases/download/v2.43.4/checksums.txt'
Verify the signature
wget 'https://github.com/goreleaser/nfpm/releases/download/v2.43.4/checksums.txt.sigstore.json'
cosign verify-blob \
  --certificate-identity 'https://github.com/goreleaser/nfpm/.github/workflows/release.yml@refs/tags/v2.43.4' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle "checksums.txt.sigstore.json" \
  checksums.txt
Verify the checksums
If the signature is valid, you can then verify that the SHA256 sums match the downloaded binary:
sha256sum --ignore-missing -c checksums.txt
Our Docker images are signed with cosign.
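For scripted installs, the checksum step above can be made to fail closed for one specific download. The following is an added example, not part of the nfpm documentation; the function names and exit codes are assumptions of this example. It checks a single named file against checksums.txt and rejects a missing entry, a duplicate entry, or a malformed digest.

```shell
#!/bin/sh
# Added example (not from the nfpm docs): fail-closed SHA-256 check for one file.
# Function names and exit codes are hypothetical, chosen for this example.
# Run it only after `cosign verify-blob` has accepted checksums.txt.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | awk '{print $1}'
  else
    shasum -a 256 < "$1" | awk '{print $1}'
  fi
}

# verify_artifact CHECKSUMS FILE
# Exit status: 0 match, 1 mismatch, 2 unreadable input, 3 no single valid entry.
# The body is a subshell, so variables stay local and `exit` only leaves it.
verify_artifact() (
  sums=$1 file=$2
  [ -r "$sums" ] && [ -r "$file" ] || { echo "cannot read input" >&2; exit 2; }
  name=$(basename -- "$file")
  # Lines look like "<hex digest>  <file name>"; compare the name exactly
  # (assumes release file names contain no whitespace).
  expected=$(NAME=$name awk '$2 == ENVIRON["NAME"] { print $1 }' "$sums")
  # Reject a missing entry, duplicates (newline in value) or a malformed digest.
  case $expected in
    '' | *[!0-9a-f]*) echo "no single valid entry for $name" >&2; exit 3 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "bad digest length for $name" >&2; exit 3; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name"
  else
    echo "MISMATCH: $name" >&2
    exit 1
  fi
)

# Usage: sh verify.sh checksums.txt <downloaded-file>
if [ "$#" -eq 2 ]; then
  verify_artifact "$1" "$2"
fi
```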
Building from source
Here you have two options:
If you want to contribute to the project, please follow the steps on our contributing guide.
If you just want to build from source for whatever reason, follow these steps:
clone:
git clone https://github.com/goreleaser/nfpm
cd nfpm
get the dependencies:
go mod tidy
build:
go build -o nfpm ./cmd/nfpm
verify it works:
./nfpm --version