So, the internet seems to have a lot of software with the installation method being in the infamous
curl .. | sh format. People don't like this because what
curl downloads might have been messed with by someone in between depending on the specifics. But people still use this method because it is convenient.
Awal is here to present a solution. Included in this repo is a script, which you can put in your
$PATH by the name
tap. And now whenever you are about to run:
curl foo/bar | sh
Simply run the following instead:
curl foo/bar | tap | sh
tap will first collect all the data from curl, save it to a temp file, open that file in your
vim if not specified), and you can review it. You can make changes to it if you want. If you write the file and close the editor successfully (i.e., the editor returns exit code 0), then
tap sends the saved output (including your edits, if any) along the pipe. Else it doesn't (so you can exit with
:cq in vim if you don't want to run the script after reviewing). This also shields against a timing attack which detects
curl | sh server-side.
tap deletes the temporary file after this :)
There is also
vipe from the excellent moreutils toolkit, written as a perl script. It does pretty much the same thing.
There is hashpipe, written in Go, which verifies stdin based on a checksum passed to it. This is a pretty good idea too, but it requires the distributor of the script to provide an up-to-date checksum at all times, and you need to be sure that the medium through which you are obtaining the checksum has not been meddled with.
Awal Garg [email protected], @awalGarg
This repo is released under WTFPL.