So, the internet seems to have a lot of software with the installation method
being in the infamous curl .. | sh format. People don't like this because
what curl downloads might have been messed with by someone in between
depending on the specifics. But people still use this method because it is
convenient.
Awal is here to present a solution. Included in this repo is a script,
which you can put in your $PATH by the name tap. And now whenever you
are about to run:
curl foo/bar | shSimply run the following instead:
curl foo/bar | tap | shtap will first collect all the data from curl, save it to a temp file,
open that file in your $EDITOR (or vim if not specified), and you can
review it. You can make changes to it if you want. If you write the file
and close the editor successfully (i.e., the editor returns exit code 0),
then tap sends the saved output (including your edits, if any) along the
pipe. Else it doesn't (so you can exit with :cq in vim if you don't want
to run the script after reviewing). This also shields against a timing
attack which detects curl | sh server-side.
Ofcourse, tap deletes the temporary file after this :)
There is also vipe from the excellent moreutils toolkit, written as
a perl script. It does pretty much the same thing.
There is hashpipe, written in Go, which verifies stdin based on a checksum passed to it. This is a pretty good idea too, but it requires the distributor of the script to provide an up-to-date checksum at all times, and you need to be sure that the medium through which you are obtaining the checksum has not been meddled with.
Awal Garg [email protected], @awalGarg
This repo is released under WTFPL.