Last active
May 20, 2020 13:44
Curl install pattern
v=`curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig`; if [ "7777a6bb3188993fc70fd8124c03e2880f034be6  -" != "`echo -n "$v" | sha1sum`" ]; then echo "invalid hash"; else echo "$v" | sudo bash; fi
The curl install pattern relies on trusting a command you just saw on the website of the system you want to install, then trusting your DNS server, and curl to verify the SSL connection (if there is one) to the download server, and you're still not sure of what you will execute as root.
Here is a better solution: you still trust the original website (which is bad IMHO, but whatever), but the command it gives you will automatically verify the file hash. No need for public key signature (although that could be added easily), and no problem with untrusted connections to the download server.
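The same verify-then-run pattern as reusable shell functions, as an added example that is not part of the original gist: it hashes the downloaded bytes on disk (a shell variable loses trailing newlines) with SHA-256 instead of SHA-1, and runs the file only when the digest matches the pinned value. The function names are assumptions made for illustration, and the caller supplies the URL and the expected digest.

```shell
#!/usr/bin/env bash
# Added example (not from the original gist): verify a pinned digest, then run.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_file FILE EXPECTED_HEX: succeed only if the file's digest matches.
# An empty digest (hashing tool failed, file missing) counts as a mismatch.
verify_file() {
    local actual
    actual=$(sha256_of "$1") || return 2
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_HEX [ARGS...]: execute the exact bytes that were hashed.
run_verified() {
    local file=$1 expected=$2
    shift 2
    if ! verify_file "$file" "$expected"; then
        echo "invalid hash for $file, refusing to run" >&2
        return 1
    fi
    bash "$file" "$@"
}

# fetch_and_run URL EXPECTED_HEX: download to a temp file, verify, run, clean up.
# Runs as the current user; privilege escalation is left to the caller.
fetch_and_run() {
    local tmp rc
    tmp=$(mktemp) || return 2
    if curl -fsSL -o "$tmp" "$1"; then
        run_verified "$tmp" "$2"; rc=$?
    else
        echo "download failed" >&2; rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Because the digest is computed over the file that is then executed, a failed or truncated download is rejected the same way as a tampered one.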