ensure

command module
v0.0.0-...-aa1d45b Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 27, 2020 License: MIT Imports: 15 Imported by: 0

README

ensure

Check hashes with Unix pipes.

Disclaimer

This tool provides no additional security - it only prevents accidental data modification. If you need to prevent malicious data modification, you should use a public-key signature system.

Installation

go get github.com/clfs/ensure

Usage

$ ensure
Usage:
	$ ... | ensure md5 1a79a4d60de6718e8e5b326e338ae533 | ...
	Check the hash, then pass standard input to standard output.
Options:
	-list	List all supported algorithms.
	-help	Print this help message.
	-quiet	Suppress error messages.

Inspiration

I thought of this while installing Rust. As of now, the recommended rustup installation method looks like this:

curl https://sh.rustup.rs -sSf | sh

The curl flags are:

-s, --silent        Silent mode (don't output anything)
-S, --show-error    Show error. With -s, make curl show errors when they occur
-f, --fail          Fail silently (no output at all) on HTTP errors (H)

If you check man curl though, you'll see that the -f flag isn't exactly fail-safe. At minimum, the 401 (Unauthorized) and 407 (Proxy Authentication Required) HTML response codes still cause curl to print to standard ouput.

-f, --fail
       (HTTP)  Fail  silently (no output at all) on server errors. This
       is mostly done to better enable scripts etc to better deal  with
       failed  attempts.  In  normal cases when an HTTP server fails to
       deliver a document, it  returns  an  HTML  document  stating  so
       (which  often  also describes why and more). This flag will pre‐
       vent curl from outputting that and return error 22.

       This method is not fail-safe and there are occasions where  non-
       successful  response  codes  will  slip through, especially when
       authentication is involved (response codes 401 and 407).

Instead, you can strengthen the -f flag by using ensure in tandem. Here's what that might look like (with the hash truncated for clarity):

curl https://sh.rustup.rs -sSf | ensure sha256 9bbf4987[...] | sh

This isn't a great solution, to be fair - I'd definitely prefer the rustup team use signing keys for their installation script. The RVM installer is a useful example, even if it uses outdated GPG tooling.

License

MIT; check the LICENSE file.

Documentation

The Go Gopher

There is no documentation for this package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL