cht.sh installation: Add checksum validation #339
Comments
If the shasum were available in a file in the repo, the self-update method of the script could also validate the downloaded source code, which it currently does not. I think it would be worth considering that.
Lines 728 to 744 in 571377f
Installing shell scripts from the internet might be dangerous. The current install instructions ask users to download a shell script and set the executable bit without any file verification (signature check, hashsum verification, etc.).
At least a checksum verification should be implemented to make it more difficult for an attacker to tamper with the script.
Please note that in case this is implemented, the hash must be updated if the cht.sh script is changed. I'll add a PR for this that includes the checksum of the current script.
/edit: As mentioned in the link above, the shasum and the source file should live on different servers. So the question is: where is the website currently hosted? Looking up the IP of sheet.sh, it seems the IP is owned by you, @chubin. If GitHub Pages is not used for hosting the website, storing the shasums in a file in the repository would add an additional layer of security, since an attacker would need to get access to both your GitHub account and the server that runs somewhere else.
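An added example, not part of the issue or of the cht.sh code, of the check proposed above for both the initial install and the self-update path: the downloaded file is only made executable and moved into place after its SHA-256 matches a digest obtained from a separate origin. The function names `sha256_of` and `verify_and_install` are hypothetical, and no project URLs are assumed.

```shell
#!/bin/sh
# Added example (constructed): verify a downloaded script against a pinned
# SHA-256 before it is made executable. Function names are hypothetical.

# Print the hex SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        shasum -a 256 < "$1" | awk '{print $1}'
    fi
}

# verify_and_install DOWNLOADED EXPECTED_HEX DEST
# Returns 0 after installing, 1 on digest mismatch, 2 on unusable input.
# DEST is never created or replaced unless the digest matches.
verify_and_install() {
    src=$1; expected=$2; dest=$3
    [ -f "$src" ] || return 2
    # A fetched "checksum" that is not 64 hex characters (an error page, an
    # empty response) is rejected rather than compared.
    case $expected in
        *[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src: got $actual" >&2
        return 1
    fi
    # Set the executable bit on a temporary copy and rename it into place, so
    # a failed update never leaves a partial or unverified file at DEST.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && chmod 755 "$tmp" && mv "$tmp" "$dest"
}

# Usage: sh verify.sh DOWNLOADED EXPECTED_HEX DEST
# EXPECTED_HEX should come from a different origin than DOWNLOADED, for
# example a checksum file in the repository while the script is served
# from the website.
if [ "$#" -eq 3 ]; then
    verify_and_install "$@"
fi
```

A self-update routine can call the same function with the currently installed path as DEST, so a mismatching download leaves the existing script untouched.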