(1) $EDITOR probably has syntax highlighting, which will help you understand the text better. Always do your code reviews with the supportive assistance of tools.
(2) If you intend to review a script before you run it on your computer, it is intrinsic to the task that you review the script you are about to run on the computer. As you observe, a malicious user might detect the User-Agent and give a different script. But completely non-malicious changes could happen too: for instance, there could be an update or you could type in the command wrongly and accidentally review one script but run another.
In any case, it's worth noting that the user who wants to review the install script before they run a potentially malicious installer needs to consider whether they actually trust the software they're about to install. A malware author could easily install a binary of potentially-malicious in a perfectly benign way, and it happens that once it's been running for three hours it reads exfiltrates your aws keys on apparently ordinary API requests it makes.
If you don't trust author/distributors (whether it is ad hoc distribution or appstore distribution), it is probably better to rely on third party distributors as found in traditional GNU/Linux distributions. They aren't flawless, but the delays are there partly to help making trusting a random group of independent developers more trustworthy.
If you don't trust first party author/distributors or third party distributors, I guess you have a sufficiently sandboxed setup that means `curl | sh` is actually safe, or else you download the source code, review the whole package, and build it or don't, so you don't want to `curl | sh` anyway.
I'm not sure "Any user who intends to review a script" would do this. I'd bet that most would at most open it, take a quick look and run it. But good advice!
And it has been wildly successful because it allows people to make and distribute applications without an army of volunteer packagers or forcing the user to compile from source. It wouldn't be a problem at all if Desktops had gotten around to the idea of sandboxing everything by default the way mobile did.
Not really. When I'm downloading Firefox, it's digitally signed by Mozilla. When I'm downloading VLC, it's digitally signed by the VideoLAN foundation.
I actually don't think I have a single piece of non-signed executable on my Windows PC.
And what is exactly the difference between "downloading a random executable from the Internet" and "downloading a random digitally signed with a random signature executable from the Internet"?
Either the author is random or it is not, and the signature is not really going to discriminate much in this area...
not quite "two billion" lol and the cheapest I know of is Digicert. You're looking at $499/year or$699/year for the extended validation cert (this is a higher quality cert that passes more security checks.) What is this validation you ask? All kinds of identity verification on the business and it's owner to ensure they are who they say they are and they are located where they say they are. The idea is that bad actors aren't willing to pay $$$ annually for any reason much less to expose their identity. Lockdown uses the EV cert.
It's this sort of attitude that's destroyed the hobbyist programming community for the Windows Platform.
It's also an outdated view:
1. Most Windows software is signed with an Authenticode cert which requires the author to prove who they are to the CA and hand over at least $99.
2. Windows these days has SmartScreen running all the time, which checks executable file hashes against a cloud based database and blocks apps with known issues. Doesn't help if it's an unknown but massively reduces the risk.
3. Windows has a policy that can be enforced that blocks the execution of any software that doesn't pass points #1 and #2.
I'm interested in where you can you get a code certificate for $99? My renewal is coming up and I'm paying $699/annual for a extended validation cert; I'm willing to consider a standard cert but even they are $499/annual. Buying a 3 year cert provides very little discount... that 3 year ev cert on Lockdown and my other apps is a $2000 deal.
That's a yearly cost, but you only need to keep renewing if you are signing and releasing new apps or updates. Existing apps you've signed will remain valid if if you don't renew your cert (unlike websites etc.)
Also, it seems that the LARGE cost for the EV certs is only really needed for things like Windows drivers.
wow, I hadn't researched in a while, but that looks sketchy. I purchased one that cheap some time around 2011 and the company ended up having certs revoked and went out of business, and the next best thing I found was digicert at a fraction of the cost of the comodo and the like.
they do have EV for $350/annual or $750/3 year cert so I might try that it is certainly cheaper than digicert.
and yes EV is good for more than drivers, it allows EXEs to bypass smartscreen prompts that would otherwise trigger on standard certs that have to go through reputation checks in smartscreen.
If you view Microsoft as a threat to your computer, running random unsigned internet binaries isn't going to make your computer safer, even if you're running Microsoft tools. If a random binary has a 1 in 100 chance of being malware, and a Microsoft binary has a 1 in 50 chance of ignoring your interests in the pursuit of some other gain, running Microsoft binaries doesn't make running random binaries one bit safer.
Basically: Microsoft is irrelevant to the equation.
You are better off not using Microsoft products if you don't trust them, and considering the safety and security of artefacts produced by random unsigned internet developers independently of the safety and security of artefacts produced by Microsoft.
Also, if you're subject to this kind of logical fallacy, you might consider not installing Microsoft products just to avoid the distraction in your reasoning. Every platform will have a different set of trade-offs.
That's pretty much my point. If a person's standard of safety is blindly running code from the reckless idiots at Windows Update I'm surprised they'd balk at running an executable whose only reputation is word of mouth. I wouldn't do either.
What a great idea!