Replace your `curl | sh` installers
(I would have called it stop-piping-the-internet-into-your-shell
, but that
seemed too long.)
tl;dr
Instead of
$ curl -sSL https://get.rvm.io | bash
do
$ pipethis https://get.rvm.io
or (assuming not everybody has adopted my awesome idea but you still want to improve your life)
$ pipethis --no-verify --inspect https://get.rvm.io
or even
$ curl -sSL https://get.rvm.io | pipethis --no-verify | bash
download the binary and drop it in your $PATH
.
$ brew tap dennisdegreef/pipethis
$ brew install pipethis
If you've already got a Go development environment set up, you can grab it like this:
$ go get github.com/ellotheth/pipethis
pipethis [ OPTIONS ] <script>
OPTIONS
--target <exe>
The shell or other binary that will run the script. Defaults to the SHELL
environment variable.
--lookup-with <keybase,local>
The service you'll use to verify the author's identity:
keybase (default)
Use https://keybase.io
local
Use your local GnuPG public keyring
If you're piping a script from `stdin`, the service will be forced to
`local`.
--inspect
If set, open the script in an editor before checking the author. Ignored if
you're piping a script from `stdin`.
--editor <editor>
The editor binary to use when --inspect is set. Defaults to the EDITOR
environment variable.
--no-verify
If set, skips author and signature verification entirely. You'll need to
set this if <script> doesn't support pipethis yet.
--signature <signature file>
The detached signature to verify <script> against. You'll only need this in
a couple scenarios:
- You've already downloaded the detached signature and you want to use your
downloaded copy, or
- the signature is hosted in a non-standard location (i.e. it's not
<script>.sig), or
- you're piping a script with a detached signature from `stdin`.
If you're piping scripts into pipethis
directly from curl
, you'll need
to have the script authors' PGP keys already stored in your local keyring.
Don't worry, they'll have instructions!
You can add one line to your installer script to make it support pipethis
,
but there's other stuff to do as well:
Get an account on Keybase. I know, Real Crypto Geeks™ hate Keybase because Browser Crypto Is Unsafe™ and They Can Store Your Private Key®. It's a place to start, yo, just do it.
Alternatively, you can hand out your public key at key signing parties (because you're a Real Crypto Geek™, remember?), and tell people to import it into their local public keyrings.
Add one line to your installation script to identify yourself. You can throw it in a comment:
# // ; '' PIPETHIS_AUTHOR your_name_or_your_key_fingerprint
Create a signature for the script. With Keybase, that's:
$ keybase pgp sign -i yourscript.sh -d -o yourscript.sh.sig
but you're a Real Crypto Geek™, so you'll use gnupg
:
$ gpg --detach-sign -a -o yourscript.sh.sig yourscript.sh
Both those commands create ASCII-armored signatures. Binary signatures work too.
Alternatively, you can clearsign the script with an attached signature::
$ keybase pgp sign -i yourscript.unsigned.sh -c -o yourscript.sh
$ gpg --clearsign -a -o yourscript.sh yourscript.unsigned.sh
Pop the script (and the signature, if it's detached) up on your web server.
Replace your copy-paste-able installation instructions!
Who's piped the
installation script for their
favorite tool directly from
curl
into their shell?
Show of hands? Come on, you know
you have.
Don't feel bad, so have I! So have we all, really. It's so easy, so fast, so
clean, so...well, bad
for
you.
There are simple solutions to some of those problems:
But simple solutions are, like, boring, and stuff.
The more interesting problem (to me, anyway) is authenticity. You trust whoever wrote the script; how can you be reasonably sure the script you download is the one they wrote?
What if every installation script was embedded with the cryptographic signature of its author, and you could verify the author and the script against the signature when you ran it?
Enter pipethis
.
Scripts that support pipethis
will embed a special line that identifies the
script author:
#!/usr/bin/bash
# PIPETHIS_AUTHOR gemma
echo woooooo look how verified everything is!
If you drop --inspect
on the command line, pipethis
with throw the script
into your favorite editor before it does anything else, and you can check the
author (and the rest of the content) yourself.
If you're happy with the script contents, pipethis
checks
Keybase for any users that match PIPETHIS_AUTHOR
. (It
uses the same search you find in the search box on their website, so you could
use a username, a Twitter handle, or even a key fingerprint.) It'll spit all
the matches back at you in a list, along with all their Keybase proofs. Once
you choose one, pipethis
grabs the public key for that user. If you don't see
the person you're looking for, you can bail. No harm, no foul.
I found 2 results:
0:
Identifier: gemma
Twitter: ellotheth
Github: ellotheth
Hacker News: gemma
Reddit:
Fingerprint: 417b9f99b7c04ccebd06777d0bc6bb965aa6f296
Site: ramblinations.com
Site: ramblinations.com
1:
Identifier: gemmakbarlow
Twitter: gemmakbarlow
Github: gemmakbarlow
Hacker News: gemmakbarlow
Reddit:
Fingerprint: 1fd52e9237fef588e2d0d26100fee8d483374357
Once you've picked an author, pipethis
will go grab their detached PGP
signature for the script. If --signature
is not given on the command line,
pipethis
will tack .sig
onto the end of the script location and try that
instead.
With the signature and public key in hand, pipethis
will verify that the
signature matches both the key and the script. If it does, you're good to go,
and pipethis
will run the script for you (against the executable of your
choice). If not, pipethis
dies, cleans itself up, and nobody ever has to know
that you almost pwned yourself.
pipethis
works, but it can be better!