I wrote up a little utility I wanted to distribute last year, and I came up with this little script block to do it while also verifying the script's hash:

    # download to $T, verify its SHA-256 (shasum -c expects "digest  path", two spaces), then run it and delete it
    bash -c 'S="3bceab0bdc63b2dd7980161ae7d952ea821a23e693cb74961b0d41f61f557489";T="/tmp/gut.sh";set -e;wget -qO- "https://www.tillberg.us/c/$S/gut-1.0.3.sh">"$T"; echo "$S  $T"|shasum -a 256 -c -;bash "$T";rm "$T"'

This downloads the file to /tmp/gut.sh (which hopefully works on your system), then checks whatever file was downloaded against the hash specified (which hopefully works on your system), then executes it, then deletes it.
I think that `shasum` is a pretty widely-available utility among Linuxes and OSX, though not universal, but it occurred to me that it would be really awesome to have a program that was more purpose-built to only execute shell scripts that matched a particular hash, à la:

    curl https://www.tillberg.us/c/blah/gut-1.0.3.sh | shverify --sha256 3bceab0bdc63b2dd7980161ae7d952ea821a23e693cb74961b0d41f61f557489

Obviously, many other systems are more "secure" than curl-bashing, but curl-bashing is very convenient, and adding some sort of common utility to support it could mitigate the most obvious security issues.
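A minimal version of the `shverify` idea above, added here as an example (it is not code from the thread or from any existing tool): it spools stdin to a private temp file, compares the file's SHA-256 with the digest given on the command line, and only on a match executes it. The names `shverify`, `shverify_check` and `sha256_of` are made up for the example; it assumes one of `sha256sum`, `shasum` or `openssl` is installed.

```shell
#!/bin/sh
# Example shverify: run a script from stdin only if its SHA-256 matches.
# The names shverify, shverify_check and sha256_of are made up for this example.

# Print the SHA-256 hex digest of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.* //'
    fi
}

# Exit 0 if the file's digest equals the expected one (case-insensitive), else 1.
shverify_check() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$2")
    [ "$actual" = "$expected" ]
}

# Usage: shverify --sha256 <hex> < script.sh
# Spool stdin to a private temp file, verify it, execute it, then remove it.
shverify() {
    if [ "$1" != "--sha256" ] || [ -z "$2" ]; then
        echo "usage: shverify --sha256 <hex-digest> < script" >&2
        return 2
    fi
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    if shverify_check "$2" "$tmp"; then
        # stdin is detached so the script cannot consume the rest of the pipe
        sh "$tmp" </dev/null
        status=$?
    else
        echo "shverify: SHA-256 mismatch, refusing to execute" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}
```

A mismatch never reaches the interpreter, and the temp file is removed on both paths; the script's own exit status is passed through so callers can still tell whether the verified script succeeded.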
Your approach tackles the scenario that the actual shell script `https://www.tillberg.us/c/blah/gut-1.0.3.sh` might be untrustworthy, but the whole command including the verification hash will most likely also be downloaded from `tillberg.us`.
If `tillberg.us` is malicious you assume that both the gut-1.0.3.sh file and also the hash in the curl command will be changed.
So I think your idea only works when you reference files hosted with a third party but decide to trust the guy who gives you the hash. Basically all occurrences of curl to bash piping I have seen in the wild are of the former type, so I really don't think this helps much.
It sounds good, but if you're distributing the hash through the same channel as the script, then it's open to the same vulnerability (MITM, website breach, whatever).