curlbash: locally save and checksum/review before curl|bash-ing installers
Installing things by curling them to a shell probably isn't a great practice security-wise, but several things can make it a little better. This script caches the curl'd installer, can optionally verify a checksum, and give the user a chance to review what was downloaded before executing it. Consider it harm reduction for the command line.
curlbash is distributed under the ISC license.
curlbash uses SHA-256 for hashing. It will check for sha256
or
shasum
, and use whichever is in the path. It also requires curl
.
Usage: curlbash [-c] [-d] [-e SHA256] [-f | -r] [-h] [-v] URL
-c ignore cache
-d don't delete cached downloads
-e SHA256 expect this SHA256, or exit
-f fetch and exit
-h print this help and exit
-r run, without confirmation
-v increase verbosity
$ curlbash -h
Print help.
$ curlbash -f URL
Fetch URL
(if not cached), cache it locally, and exit. It will be
saved under /tmp
, with a filename based on the hash of the URL.
$ curlbash -r -e HASH URL
Download and execute URL
, but only if the SHA-256 hash for the
downloaded file matches HASH
.
$ curlbash -c URL
Re-fetch URL
(ignoring a locally cached copy), display what was
downloaded, and prompt for confirmation before executing.
Despite the name, curlbash is targeted at /bin/sh
for portability
reasons. A reasonable effort is made to test it with bash, mksh, pdksh,
dash, and other common shells that attempt to be POSIX-compliant /
compatible with the Bourne shell. (In other words, bash-isms are bugs.)