0

pipethis

Replace your `curl | sh` installers

Github 資源庫
主要指標

Github星跟蹤圖

pipethis

(I would have called it stop-piping-the-internet-into-your-shell, but that
seemed too long.)

GoDoc
Build Status
Coverage Status

tl;dr

Instead of

$ curl -sSL https://get.rvm.io, bash

do

$ pipethis https://get.rvm.io

or (assuming not everybody has adopted my awesome idea but you still want to
improve your life)

$ pipethis --no-verify --inspect https://get.rvm.io

or even

$ curl -sSL https://get.rvm.io, pipethis --no-verify, bash

Install

Manual (Linux, Mac OSX)

download the binary and drop it in your $PATH.

Homebrew (Mac OSX)

$ brew tap dennisdegreef/pipethis
$ brew install pipethis

Gophers

If you've already got a Go development environment set up, you can grab it like this:

$ go get github.com/ellotheth/pipethis

Use

People piping the installers

pipethis [ OPTIONS ] <script>

OPTIONS

--target <exe>

    The shell or other binary that will run the script. Defaults to the SHELL
    environment variable.

--lookup-with <keybase,local>

    The service you'll use to verify the author's identity:

    keybase (default)
        Use https://keybase.io
    local
        Use your local GnuPG public keyring

    If you're piping a script from `stdin`, the service will be forced to
    `local`.

--inspect

    If set, open the script in an editor before checking the author. Ignored if
    you're piping a script from `stdin`.

--editor <editor>

    The editor binary to use when --inspect is set. Defaults to the EDITOR
    environment variable.

--no-verify

    If set, skips author and signature verification entirely. You'll need to
    set this if <script> doesn't support pipethis yet.

--signature <signature file>

	The detached signature to verify <script> against. You'll only need this in
    a couple scenarios:

    - You've already downloaded the detached signature and you want to use your
      downloaded copy, or
    - the signature is hosted in a non-standard location (i.e. it's not
      <script>.sig), or
    - you're piping a script with a detached signature from `stdin`.

If you're piping scripts into pipethis directly from curl, you'll need
to have the script authors' PGP keys already stored in your local keyring.
Don't worry, they'll have instructions!

People writing the installers

You can add one line to your installer script to make it support pipethis,
but there's other stuff to do as well:

  1. Get an account on Keybase. I know, Real Crypto Geeks™
    hate Keybase because Browser Crypto Is Unsafe™ and They Can Store
    Your Private Key®. It's a place to start, yo, just do it.

    Alternatively, you can hand out your public key at key signing parties
    (because you're a Real Crypto Geek™, remember?), and tell people to import
    it into their local public keyrings.

  2. Add one line to your installation script to identify yourself. You can throw
    it in a comment:

    # // ; '' PIPETHIS_AUTHOR your_name_or_your_key_fingerprint

  3. Create a signature for the script. With Keybase, that's:

    $ keybase pgp sign -i yourscript.sh -d -o yourscript.sh.sig

    but you're a Real Crypto Geek™, so you'll use gnupg:

    $ gpg --detach-sign -a -o yourscript.sh.sig yourscript.sh

    Both those commands create ASCII-armored signatures. Binary signatures work
    too.

    Alternatively, you can clearsign the script with an attached signature::

    $ keybase pgp sign -i yourscript.unsigned.sh -c -o yourscript.sh

    $ gpg --clearsign -a -o yourscript.sh yourscript.unsigned.sh

  4. Pop the script (and the signature, if it's detached) up on your web server.

  5. Replace your copy-paste-able installation instructions!

What's all this noise

Who's piped the
installation script for their
favorite tool directly from
curl into their shell?
Show of hands? Come on, you know
you have.
Don't feel bad, so have I! So have we all, really. It's so easy, so fast, so
clean, so...well, bad
for
you.

  • Network errors happen. Why pay for them in the middle of an install?
  • Is your source served over SSL? No? Grats, you have no idea what you're
    downloading or where it came from. Exciting!
  • What's that? Your source is served over SSL? Great! Any disgruntled employees
    have access to that server? Any trolls? Hey cool, you still have no idea what
    you're downloading!

There are simple solutions to some of those problems:

  • Cache the script before you shove it into Bash.
  • Use something like vipe to pipe the
    script into an editor so you can review it before you run it.
  • Use hashpipe to check the file hash
    before you run it.

But simple solutions are, like, boring, and stuff.

Why I'm here

The more interesting problem (to me, anyway) is authenticity. You trust whoever
wrote the script; how can you be reasonably sure the script you download is the
one they wrote?

PGP. Clearly.

What if every installation script was embedded with the cryptographic signature
of its author, and you could verify the author and the script against the
signature when you ran it?

Enter pipethis.

How it works

Scripts that support pipethis will embed a special line that identifies the
script author:

#!/usr/bin/bash

# PIPETHIS_AUTHOR gemma

echo woooooo look how verified everything is!

If you drop --inspect on the command line, pipethis with throw the script
into your favorite editor before it does anything else, and you can check the
author (and the rest of the content) yourself.

If you're happy with the script contents, pipethis checks
Keybase for any users that match PIPETHIS_AUTHOR. (It
uses the same search you find in the search box on their website, so you could
use a username, a Twitter handle, or even a key fingerprint.) It'll spit all
the matches back at you in a list, along with all their Keybase proofs. Once
you choose one, pipethis grabs the public key for that user. If you don't see
the person you're looking for, you can bail. No harm, no foul.

I found 2 results:

0:

     Identifier: gemma
        Twitter: ellotheth
         Github: ellotheth
    Hacker News: gemma
         Reddit: 
    Fingerprint: 417b9f99b7c04ccebd06777d0bc6bb965aa6f296
           Site: ramblinations.com
           Site: ramblinations.com


1:

     Identifier: gemmakbarlow
        Twitter: gemmakbarlow
         Github: gemmakbarlow
    Hacker News: gemmakbarlow
         Reddit: 
    Fingerprint: 1fd52e9237fef588e2d0d26100fee8d483374357

Once you've picked an author, pipethis will go grab their detached PGP
signature for the script. If --signature is not given on the command line,
pipethis will tack .sig onto the end of the script location and try that
instead.

With the signature and public key in hand, pipethis will verify that the
signature matches both the key and the script. If it does, you're good to go,
and pipethis will run the script for you (against the executable of your
choice). If not, pipethis dies, cleans itself up, and nobody ever has to know
that you almost pwned yourself.

It's not done yet

pipethis works, but it can be better!

  • There are zillions of other places to get public keys for people, and I want
    to support more of them. I think Keybase is stellar and I love what they're
    trying to do, but nobody likes to be locked in to one provider.

主要指標

概覽
名稱與所有者ellotheth/pipethis
主編程語言Go
編程語言Go (語言數: 2)
平台
許可證GNU General Public License v2.0
所有者活动
創建於2016-01-22 04:15:07
推送於2017-06-16 21:41:20
最后一次提交2017-06-16 23:37:33
發布數6
最新版本名稱v0.5.1 (發布於 2016-06-18 12:47:38)
第一版名稱v0.1 (發布於 )
用户参与
星數431
關注者數10
派生數11
提交數71
已啟用問題?
問題數9
打開的問題數3
拉請求數4
打開的拉請求數0
關閉的拉請求數2
项目设置
已啟用Wiki?
已存檔?
是復刻?
已鎖定?
是鏡像?
是私有?