What's the advantage of binary packages through GitHub releases? How do you audit them?
I'm aware of the fact that you can detect curl | bash server-side, and it's a neat trick, but I don't understand the security risk of it. The server is supplying you with arbitrary content that you're not auditing - what does it matter if it supplies you different arbitrary content?
What's the advantage of the GPG approach? Last I checked, the GPG command was capable of signing malicious binaries.
I do agree about the configuration argument. But that's not a security argument.
I think you may be conflating the application owner and the delivery system. If we're installing the application I think we're implicitly trusting the author.
If you copy/paste http instead of https then you've given execution control to every single middlebox along the way.
If the code is hosted on an evil sourceforge, then you've given them execution control.
deb packages will do signature checks, any many authors will list checksums in their releases which we can use to verify.
All these arguments apply no matter the packaging format. Install scripts can be signed and checksummed too. Only by having your package put into a repository already trusted by the user in advance do you solve these problems, it's not an issue with the packaging format being a shell script versus a deb package.
I don’t think you understand how signed packages work. They give you the ability to be sure you are installing software packaged by an entity you trust, regardless of where you get the package.
I understand. That only moves the problem to where you get the signature from, it doesn't solve it (unless you are using a central repo you already trust for example). Therefore binary packages shipped on a GitHub releases page alongside a signature file still face the same issue. An attacker simply has to replace both the package and the signature with one they control. It is nothing to do with the packaging format being a deb file instead of an install script, the issue applies in either case.
Public key servers. Upload your key to 3 different key servers (keyserver.pgp.com, keyserver.ubuntu.com, pgp.mit.edu). Have the user download it from all 3, verify they're the same, verify the package signature with the public key. People already do essentially this (but from one key server) when they add custom PPAs to a distro.
In order to hack that package, someone would have to either A) steal the signing key from the developer's airgapped laptop, or B) hack github.com and 3 independent key servers.
The point is not whether it's a solvable problem. The point is that it's not conventional to go to such extents, no matter what kind of packaging you use. This kind of process could be done with either install scripts or deb/rpm packages with nearly the same level of effort, but nobody conventionally does this kind of thing with either (maybe with the exception of stuff that's in a central repo, where you do get SOME protection by default). So it's wrong to say that install scripts are the cause of the problem. The common pattern of "curl | sh" is just as bad as the common pattern of "download a deb and install it". It's not an improvement to simply shun install scripts without solving the actual trust issue.
Nobody is shunning install scripts. You can still have an install script. Just don't pipe it into bash from curl.
This is not like some kind of "normal" software distribution pattern. Every other modern OS in the world has solved the trust issues by either verifying the software is signed, or requiring you click some button that says "I acknowledge that I am about to totally fuck up my PC with this untrusted software". The Linux distros verify package signatures, Windows verifies exe signatures, Macs do too (afaik?), Android and iOS do.
Curling to a pipe is just devs being lazy. The trust issues were solved a while ago. Not that devs being lazy is anything new. Literally the only reason anyone can use Linux at all without spending 2 weeks setting it up by hand is because somebody other than the software developers did the hard work of packaging it correctly. The curl|bash pattern is just the `./configure && make && make install` of modern devs. (But even then you could still verify the tarball signature before untarring it)
No, you don’t get it. Once you have the root of trust you can download new signed packages in perpetuity and know they came from the developer. They can be delivered over http/smpt/telnet/BitTorrent/ftp/whatever.
You can literally pull it from a compromised machine with an active attacker and it doesn’t matter. It either has integrity and it’s safe or it fails to install.
That’s a huge difference from encouraging people to exec curl statements from random websites loading JavaScript from ad networks, trackers, etc, etc. You’re not only trusting the original dev, you’re now having to trust the web host and all of the other locations the page sources JavaScript from.
This is why any systems serious about security used signed packages. There are way too many systems/parties in between that can knowingly or unknowingly comprise https downloads. Windows updates, Linux updates (for the majority of package managers), iOS updates, Android updates, etc.
The trust model of “curl | sh” is severely worse than signed packages. They are in no way equivalent.
This only solves the problem of trusting updates, not the initial installation. For new software, "curl | sh" is no different from installing a random deb package from GitHub.
It solves initial installation too if you trust particular roots.
There is a reason windows/android/Linux distros/iOS do signed software.
This problem was known about and was solved 20+ years ago with signed updates. “curl | sh” is back in vogue because people don’t understand the problem and think https means secure.
That is what I mean about it only being better in the limited scenario where you are getting the package from an already-trusted central repo. But that is surely not the case in this particular situation for example.
deb packages will not do signature checks. The signature checks for anything based on deb is rooted in the repository- the repositories package list contains the checksums for the packages and the signature of the repository maintainer. If you fetch a single package from a website and install it, no signature is present. Any check would need to happen out of band by explicitly checking a signature presented elsewhere. RPM packages, however can embed a signature.
I'm aware of the fact that you can detect curl | bash server-side, and it's a neat trick, but I don't understand the security risk of it. The server is supplying you with arbitrary content that you're not auditing - what does it matter if it supplies you different arbitrary content?
What's the advantage of the GPG approach? Last I checked, the GPG command was capable of signing malicious binaries.
I do agree about the configuration argument. But that's not a security argument.