Install
Get running in a few steps
Copy-paste per platform.
gateway — linux / macOS server
# One command — SQLite backend, NO PostgreSQL to install or configure
# Linux (systemd)
curl -fsSL https://github.com/MonivaVN/pam-zta-gateway/releases/latest/download/install.sh | sudo sh
# macOS (launchd)
curl -fsSL https://github.com/MonivaVN/pam-zta-gateway/releases/latest/download/install-macos.sh | sudo sh
# installs the package, writes a SQLite config, auto-generates the CA token, starts
# the service — then PRINTS the gateway URL + CA WebSocket URL + token for your
# client and CA to connect, plus where to scan the root-enroll QR.
# ...with a public address + automatic HTTPS (Let's Encrypt):
curl -fsSL https://github.com/MonivaVN/pam-zta-gateway/releases/latest/download/install.sh | sudo sh -s -- --public-url https://gw.example.com --autocert gw.example.com
# HA / multi-node? Use PostgreSQL instead of SQLite — see the repo's deploy/ha.

gateway — from source (systemd service)
# Have the source? It's ONE static binary — SQLite embedded, no PostgreSQL. Build it + run as a service:
git clone https://github.com/MonivaVN/pam-zta-gateway.git && cd pam-zta-gateway
CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -o /usr/bin/pam-zta-gateway ./cmd/gateway
# service user + state dir (SQLite db + gateway key live here) + config
sudo useradd --system --home /var/lib/pam-zta --shell /usr/sbin/nologin pam-zta
sudo install -d -o pam-zta -g pam-zta /var/lib/pam-zta /etc/pam-zta
sudo cp deploy/config/gateway.example.toml /etc/pam-zta/gateway.toml # set [database] driver="sqlite", path=/var/lib/pam-zta/gateway.db + a [ca].token
# install the systemd unit shipped in the repo, then start
sudo cp packaging/linux/systemd/pam-zta-gateway.service /etc/systemd/system/
sudo systemctl enable --now pam-zta-gateway && sudo journalctl -u pam-zta-gateway -f # root-enroll QR + listen addr
# connect: OSH client → http://SERVER:8443 · CA Signer → ws://SERVER:8443/v1/ca/ws + the [ca].token above
# (test/dev only: run it in the foreground instead → ./gateway --sqlite ./gateway.db)
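Once the from-source service is up, the two things worth checking are that gateway.toml really selects SQLite and carries a [ca].token, and that the host state matches what the steps above intend (static binary, state dir owned by the service user, config not world-readable, unit active). The script below is an added example, not code from the pam-zta-gateway repo: paths, the pam-zta user and the unit name come from the steps above, while the token generator, the config check, the "verify" / "token" arguments and the constructed sample config are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the pam-zta-gateway project.
# No argument: checks a constructed sample config. "token": prints a fresh [ca].token.
# "verify": host checks for the systemd install (Linux only, run as root).
set -eu

BIN=/usr/bin/pam-zta-gateway          # built with CGO_ENABLED=0 in the steps above
STATE_DIR=/var/lib/pam-zta            # SQLite db + gateway key
CONF=/etc/pam-zta/gateway.toml        # holds [ca].token, so keep it private
UNIT=pam-zta-gateway
SVC_USER=pam-zta

# 32 random bytes as 64 hex chars for [ca].token; od+tr avoids an openssl dependency.
gen_ca_token() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Read a gateway.toml body on stdin. Succeeds only when driver = "sqlite" is set
# under [database] and a non-empty token is set under [ca]; a token in the wrong
# table or a leftover non-sqlite driver fails the check.
check_config_body() {
  awk '
    /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "database" && /^[[:space:]]*driver[[:space:]]*=[[:space:]]*"sqlite"/ { drv = 1 }
    sec == "ca" && /^[[:space:]]*token[[:space:]]*=[[:space:]]*"[^"]+"/ { tok = 1 }
    END { exit (drv && tok) ? 0 : 1 }
  '
}

fail() { printf 'FAIL: %s\n' "$1" >&2; status=1; }

# Host checks for the systemd install above (GNU stat/find, ldd, systemctl).
verify_install() {
  status=0
  [ -x "$BIN" ] || fail "$BIN missing or not executable"
  # A CGO_ENABLED=0 build is static, so ldd must refuse it; success means a different build.
  if ldd "$BIN" >/dev/null 2>&1; then fail "$BIN is dynamically linked"; fi
  [ "$(stat -c %U "$STATE_DIR")" = "$SVC_USER" ] || fail "$STATE_DIR not owned by $SVC_USER"
  # The config carries the CA token: it must not be readable by "other".
  [ -z "$(find "$CONF" -perm -o+r 2>/dev/null)" ] || fail "$CONF is world-readable"
  check_config_body < "$CONF" || fail "$CONF lacks driver=\"sqlite\" under [database] or a [ca].token"
  systemctl is-active --quiet "$UNIT" || fail "$UNIT is not active"
  return "$status"
}

# Constructed sample config (not the repo's example file), using only the keys
# the install steps above mention.
SAMPLE_CONF='[database]
driver = "sqlite"
path = "/var/lib/pam-zta/gateway.db"

[ca]
token = "constructed-sample-token"
'

case "${1:-}" in
  verify) verify_install ;;
  token)  gen_ca_token; echo ;;
  *)      printf '%s' "$SAMPLE_CONF" | check_config_body && echo "sample config OK" ;;
esac
```

Run `sh check-gateway.sh token` to mint a value for [ca].token before starting the unit, and `sudo sh check-gateway.sh verify` afterwards; every failing check is printed and the exit status is non-zero, so it drops straight into a provisioning pipeline.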

desktop & ios — apps
# macOS — CA Signer (.dmg)
Open the .dmg ▸ drag "PAM-ZTA CA" to Applications ▸ open ▸ plug YubiKey ▸ enter PIN (PIV 9c) ▸ "Save PIN to Keychain".
# macOS — OSH Client (.pkg · all-in-one: GUI app + `osh` command)
Double-click OSH-1.1.0-arm64.pkg ▸ Install. # notarized · installs the OSH app + the `osh` CLI into PATH
osh connect dev@your-server # or open the OSH app and click Connect · (new terminal: run `rehash`)
# Windows — CA Signer / OSH Client (.exe · not yet code-signed)
Run the .exe ▸ on SmartScreen "Windows protected your PC" ▸ More info ▸ Run anyway.
# Ubuntu/Debian — CA Signer / OSH Client (.deb · amd64)
sudo apt install ./CA-0.1.0-amd64.deb # CA Signer (Operator Console)
sudo apt install ./OSH-0.1.0-amd64.deb # OSH Client
# iOS (OSH Approver)
1. Install TestFlight from the App Store.
2. Open the TestFlight link above ▸ Install OSH.
3. Open OSH ▸ scan the enrollment QR from the Gateway ▸ approve with Face ID.
🔐CA Signer requires a YubiKey (hardware-only, fail-closed). Pull the YubiKey and signing stops — exactly by zero-trust design.