On 12/14/24 18:50, Pádraig Brady wrote:
> On 14/12/2024 23:20, Akihiro Suda wrote:
>> `-S, --check-stream=CHECKSUM` checks the FILE with CHECKSUM and pipes
>> the FILE to stdout.
>>
>> The motivation is to make `curl | sh` secure without breaking the one-liner.
>> e.g., curl https://example.com/install.sh | sha256sum --check-stream deadbeef | sh
>>
>> Similar functionality was discussed a long time ago as listed at:
>> https://www.gnu.org/software/coreutils/rejected_requests.html#checksum
>> specifically https://bugs.gnu.org/13243
>
> Now I do agree checking the stream is more concise with this option
> than using existing tools, but I'm not sure it's warranted.
> With existing tools you'd have:
>
>   tmpf=$(mktemp) && curl -fs https://example.com/install.sh > "$tmpf" \
>   && sha256sum --status --check <(echo deadbeef  -) < "$tmpf" && sh "$tmpf"; rm "$tmpf"

To me the fundamental problem is nobody is going to TYPE IN an sha256 hash manually from somebody's business card or laptop sticker at a coffee shop. (Certainly not on the first try.) Even an sha1sum or md5sum is beyond expected human tolerances.

So any attempt to replace:

  bash -c "$(wget -O- https://blah.com/blah.sh)"

with a checksummed version is at MOST gonna be crc32, and would look something like (using hashes for "echo hello" > file):

X="$(wget -O- https://a.bc/d.sh)" && [ $(crc32<<<"$X") == d6e10d51 ] && sh -c "$X"

Alas while crc32 is in toybox defconfig, it's not in debian's default install...

Meanwhile, the sha256 equivalent is (too long NOT to be mangled by wordwrap into):

X="$(wget -O- https://a.bc/d.sh)" && [ "$(sha256sum<<<"$X")" == "5dbad7dd0b9b122dcd9956884390f4aac4738caba8ff53498a7ab6718b176c30 -" ] && sh -c "$X"

And note that there's TWO spaces between the hash and the dash (because gnu) which is another detail nobody is going to TYPE IN on the first attempt, and of course gnu hasn't got toybox's -b "brief" option to just do the unix thing of emitting the hash and nothing else. (I agree "gnu is not unix", in unix the scriptable thing is the default behavior.)

*shrug* Either you trust https or you don't. (And trust the source you're pulling from, of course...)

> BTW I don't fully understand the use case.

Neither do I.

> I presume it's not for security
> as if one could compromise the install.sh, presumably one could
> compromise the checksum in the instructions. So I'm presuming it's
> for extra resiliency or something?

If a human is typing the instructions, a hash longer than about 8 characters is unreasonable. (Phone numbers were 7 digits for a reason.)

If a human ISN'T typing the instructions in via keyboard, why can't you cut and paste a shell script? Even bluesky gives you 300 characters, which is almost 4 lines at 80 columns. Mastodon seems to default to 512. Web pages haven't got an obvious size limit.

Rob
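The buffer-then-check pattern Pádraig sketches above, written out as an added example that is not code from the thread: `checked_sh`, `sha256_hex` and `demo` are hypothetical names, it assumes coreutils `sha256sum` and `mktemp`, and the `--check` list goes into a temp file rather than a process substitution so it runs under plain POSIX sh. The self-check shows the two-space list format and that a corrupted digest leaves the script unexecuted.

```shell
# Hypothetical helper, not from the thread: checked_sh EXPECTED_SHA256
# Buffers the script arriving on stdin in a temp file, verifies it with
# `sha256sum --check` and only then hands it to sh. Exit status: the
# script's own status when verified, 3 on digest mismatch (nothing runs),
# 2 if a temp file could not be created.
checked_sh() {
    expected=$1
    tmpf=$(mktemp) || return 2
    listf=$(mktemp) || { rm -f "$tmpf"; return 2; }
    cat > "$tmpf"                         # the whole stream lands on disk first
    # coreutils check-list format: <hex digest><TWO spaces><file name>
    printf '%s  %s\n' "$expected" "$tmpf" > "$listf"
    if sha256sum --status --check "$listf"; then
        sh "$tmpf"; rc=$?
    else
        rc=3
    fi
    rm -f "$tmpf" "$listf"
    return "$rc"
}

# Bare digest of stdin, i.e. what toybox's -b would print.
sha256_hex() { sha256sum | cut -d' ' -f1; }

# Self-check with a constructed payload: the correct digest runs it, a
# corrupted digest must leave it unexecuted. Returns 0 when both hold.
demo() {
    marker=$(mktemp) || return 1
    script="rm -f '$marker'"              # constructed "installer": deletes the marker
    good=$(printf '%s\n' "$script" | sha256_hex)
    bad=$(printf '%s' "$good" | tr '0-9a-f' '1-9a-f0')   # every hex digit rotated
    printf '%s\n' "$script" | checked_sh "$good" || return 1
    [ ! -e "$marker" ] || return 1        # it ran: the marker is gone
    : > "$marker"
    rc=0
    printf '%s\n' "$script" | checked_sh "$bad" || rc=$?
    [ "$rc" -eq 3 ] && [ -e "$marker" ] || { rm -f "$marker"; return 1; }
    rm -f "$marker"                       # mismatch: marker untouched, exit 3
}
```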
