Iguana: Zig downloader and version manager in 64 lines of code

www.codeberg.org/mslapek/iguana

It allows easy installation of various Zig versions, to use them directly from the shell:

$ iguana install 0.16.0
$ iguana install 0.15.2

$ zig version  # will print 0.16.0, by default takes the newest installed version

$ export ZIG_RELEASE=0.15.2
$ zig version  # will print 0.15.2
$ zig zen

The distinguishing feature is auditability - the self-contained script consists of only 64 lines of POSIX shell script:

$ wc -l iguana
      64 iguana

Recently there’s been a lot of discussion about supply chain attacks. This prompted me to make this script and experiment with how “lean” we can get our software (and the pain points resulting from that).

README.md explicitly asks you to audit the script, with the philosophy “don’t trust me”.

Stuff I learned

  • It turns out that the tar shell command isn’t in the POSIX standard, instead there’s a pax tool. However, I’ve decided to go with tar in my script, because it’s more popular (battle tested!). The homepage of GNU paxutils feels abandoned (last update in 2011).

  • Writing documentation for this script was boring, however it showed me what could be improved in it - removing stuff from README.md (less is more). For instance:

    • the original instructions required the user to set $ZIG_RELEASE in .bashrc - so I made the newest installed version the default, to remove this requirement,
    • the requirements mentioned sort utils with -V/--version-sort, which isn’t present in POSIX. So I’ve managed to sort by version without that extension, with POSIX sort,
    • the user was asked to manually mkdir ~/.iguana; now the script creates the dir before Zig’s installation.

Design decisions

To make the script lean, I’ve made a few compromises:

  • crude error messages, no built-in documentation,
  • the user has to modify parameters in the script (at least it encourages taking a look at that),
  • limited argument verification, for instance you can pass an excessive number of parameters, like iguana install 0.16.0 foo bar.

The repo has some smoke tests in pytest - so I can test the script in various environments easily with make test. However, it isn’t TDD - had I accidentally omitted minisign invocation in the script, the current tests wouldn’t catch that.

Supported Zig versions

All published Zig releases (or at least those that have a similar tarball structure as Zig 0.16.0).

It should work on all Unix-like OSes satisfying the requirements from README.md.

2 Likes
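
The version sort without -V and the newest-installed default described in the post above, as an added example that is not taken from the iguana script. It assumes one directory per release, named x.y.z, under an install root (a hypothetical layout), and the function names are made up here; it also rejects a ZIG_RELEASE value that is not a plain x.y.z before the value is used in a path.

```shell
#!/bin/sh
# Added illustration; not code from the iguana script.
# Assumption: installed releases are directories named x.y.z under a root dir.

# Succeed only for a plain x.y.z release name (no "/", no "..", no newline).
is_release() {
    case $1 in
        '' | *[!0-9.]*) return 1 ;;   # empty, or any char besides digits and dots
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Read names on stdin and print the highest x.y.z one.
# Three numeric keys split on "." replace the non-POSIX `sort -V`.
newest_release() {
    grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' |
        sort -t . -k 1,1n -k 2,2n -k 3,3n |
        tail -n 1
}

# Print the release to run: $ZIG_RELEASE if set, else the newest one under $1.
resolve_release() {
    root=$1
    if [ -n "${ZIG_RELEASE:-}" ]; then
        # The value ends up in a path, so check its shape before using it.
        is_release "$ZIG_RELEASE" || { echo "bad ZIG_RELEASE" >&2; return 1; }
        [ -d "$root/$ZIG_RELEASE" ] || { echo "not installed" >&2; return 1; }
        printf '%s\n' "$ZIG_RELEASE"
    else
        rel=$(ls "$root" 2>/dev/null | newest_release)
        [ -n "$rel" ] || { echo "nothing installed" >&2; return 1; }
        printf '%s\n' "$rel"
    fi
}

# Constructed sample list: a plain lexical sort would rank 0.9.1 highest.
printf '0.9.1\n0.15.2\n0.10.0\nnot-a-release\n' | newest_release   # prints 0.15.2
```
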

Like this! We also have a version of a similar thing in TigerBeetle, which should be good enough to copy-paste:

  • It’s a local per-project install, rather than a global install
  • Checks hashes, rather than signatures
  • Hash-checking is also used to implement download caching (I believe iguana does the same, just wanted to call this out as a positive important-for-CI thing)
  • Works on Windows as well.
2 Likes