Haybarn extensions — signed DuckDB extensions for production

Signed extension ecosystem

Extensions

Signed DuckDB extensions for Haybarn

Haybarn rebuilds core and community DuckDB extensions against the Haybarn engine, signs them with the Haybarn key, and serves them from a production extension channel.

Today

Same INSTALL and LOAD, Haybarn trust behind it

Haybarn resolves extensions from haybarn-extensions.query.farm, verifies signatures with the Haybarn key, and caches binaries under ~/.haybarn/extensions/.

Core extension

Haybarn shell

-- Core channel: extensions built with the Haybarn engine.
INSTALL httpfs;
LOAD httpfs;

-- Then query files over HTTPS using the normal DuckDB workflow.
SELECT *
FROM read_csv('https://raw.githubusercontent.com/mwaskom/seaborn-data/master/iris.csv')
LIMIT 10;

Community extension

Haybarn shell

-- Community channel: rebuilt from duckdb/community-extensions.
INSTALL h3 FROM community;
LOAD h3;

SELECT h3_latlng_to_cell(37.7887, -122.3931, 9);

Core extensions are built with the engine release. Community extensions are rebuilt from the upstream DuckDB community catalog and served from the community channel.

Build matrix

Which extensions are ready right now?

Haybarn tracks engine builds, core extension builds, and community extension builds for each release so teams can see what is ready before rollout.

See the build matrix →

Side by side

What changes from DuckDB?

The SQL stays familiar. The origin, trust root, and cache location move to Haybarn. DuckDB-signed extensions do not load against Haybarn; Haybarn verifies extensions with its own key.

	DuckDB	Haybarn
Install syntax	INSTALL …; LOAD …;	Same SQL
Default origin	extensions.duckdb.org	haybarn-extensions.query.farm
Trust root	DuckDB Foundation key	Haybarn key
Cache directory	~/.duckdb/extensions/	~/.haybarn/extensions/

Packaging

Lockfile-managed extensions

The signed HTTP channel remains the source of truth. Extensions are published to npm today, with PyPI wheels and deeper runtime discovery rolling out — so versions can be pinned, mirrored, and reviewed.

Available

npm packages

Every community extension is published to npm today — signed and pinnable in package.json.

In progress

PyPI wheels

Per-platform wheels so extensions can be pinned in requirements.txt and mirrored internally.

Planned

Runtime discovery

Python and Node packages discover installed extension packages without changing normal SQL.

Available now

package.json

// Signed Haybarn extensions are published to npm today.
{
  "dependencies": {
    "@haybarn/ext-httpfs-h1-5-3": "202606.9.140951"
  }
}

Coming soon

requirements.txt

# Roadmap: PyPI wheels, pinnable the same way.
haybarn-ext-httpfs-h1-5-3==202606.9.140951

Expert help

Need a private extension channel?

We help teams with internal mirrors, private signing workflows, custom extension CI, and controlled rollout.

Consulting Schedule a call