curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • FizzyOrange@programming.dev
    link
    fedilink
    arrow-up
    1
    ·
    18 hours ago

    No because there’s very little point. Checking signatures only makes sense if the signatures are distributed in a more secure channel than the actual software. Basically the only time that happens is when software is distributed via untrusted mirror services.

    Most software I install via curl | bash is first-party hosted and signatures don’t add any security.

    • jagged_circle@feddit.nl
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      13 hours ago

      All publishing infrastructure shouldn’t be trusted. Theres countless historical examples of this.

      Use crypto. It works.

      • FizzyOrange@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        8 hours ago

        Crypto is used. It is called TLS.

        You have to have some trust of publishing infrastructure, otherwise how do you know your signatures are correct?