Why
Piping a remotely-fetched script directly to bash means any modification of the script in transit (or at the source) executes immediately with the current user's privileges; HTTPS transport alone does not protect against a compromised CDN, cache poisoning, or a future change to the hosted file. Because bash starts executing before curl has finished downloading, a transfer that is cut off part-way also runs a truncated script rather than failing cleanly.
Current state
tools/homebrew/install.bash line 9:
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | arch -arm64 /bin/bash --login
The script is fetched from the HEAD ref (a moving target, not a pinned commit) and piped directly to bash without any intermediate integrity check. There is no SHA-256 or other checksum verification before execution. Note that a checksum check only makes sense together with a pinned ref: while the URL points at HEAD, the content may legitimately change between runs, so a recorded checksum would break on the next upstream commit.
Ideal state
- The installer script is downloaded to a temporary file first (created with mktemp in a directory only the current user can write to, not a fixed, predictable path under /tmp).
- Its SHA-256 checksum is verified, before execution, against a value published by the Homebrew project at a known URL or in the Homebrew documentation. If Homebrew publishes no such checksum (none is cited here; confirm before relying on one), the URL is pinned to a full commit SHA of Homebrew/install and the SHA-256 of install.sh at that commit is recorded in this repository; the recorded value then changes only when the pin is deliberately bumped and reviewed.
- Only if the checksum matches is the script executed; on a mismatch the script fails loudly and exits non-zero.
- Alternatively, the install step is replaced by a method that Homebrew itself guarantees integrity for (e.g. a pinned commit ref, or an approach documented in Homebrew's official security guidance).
- The temporary file is deleted after execution, including on failure (via trap).
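The download, verify, execute and clean-up steps above, together with the one-byte-tampering check from the QA plan, as an added example. This is not Homebrew's code and not the current contents of tools/homebrew/install.bash. BREW_INSTALL_REF, BREW_INSTALL_SHA256 and BREW_INSTALL_RUN are placeholder environment variables assumed here; the pinned commit and its hash are not supplied and must be filled in by the maintainer.

```shell
#!/usr/bin/env bash
# Added example: a download-verify-execute replacement for the curl | bash line.
# Not Homebrew's code. BREW_INSTALL_REF and BREW_INSTALL_SHA256 are placeholders
# (assumed names) for a full commit SHA of Homebrew/install and the SHA-256 of
# install.sh at that commit, or for a value Homebrew publishes; neither value
# is invented here.
set -eu

# Print the hex SHA-256 of a file; uses sha256sum (Linux) or shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if FILE's SHA-256 equals EXPECTED (hex, case-insensitive).
verify_sha256() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
      "$1" "$expected" "$actual" >&2
    return 1
  fi
}

# Verify FILE against EXPECTED and, only on success, run it with the given
# interpreter command (default: bash). The path, not the bytes, is handed to
# the interpreter, so FILE must live in a directory only we can write to
# (mktemp -d below) so that what was checked is what gets executed.
run_verified() {
  file=$1; expected=$2; shift 2
  verify_sha256 "$file" "$expected" || return 1
  if [ $# -eq 0 ]; then set -- bash; fi
  "$@" "$file"
}

# Download to a private temp dir, verify, execute, and always clean up.
main() {
  ref=${BREW_INSTALL_REF:?set to the full commit SHA of Homebrew/install to pin}
  sha=${BREW_INSTALL_SHA256:?set to the SHA-256 of install.sh at that commit}
  url="https://raw.githubusercontent.com/Homebrew/install/${ref}/install.sh"
  workdir=$(mktemp -d)
  trap 'rm -rf "$workdir"' EXIT INT TERM
  # --proto '=https' refuses any redirect to a non-HTTPS scheme.
  curl -fsSL --proto '=https' --tlsv1.2 -o "$workdir/install.sh" "$url"
  # Apple Silicon invocation carried over from the original line 9.
  run_verified "$workdir/install.sh" "$sha" arch -arm64 /bin/bash --login
}

# Guard (assumed variable) so the functions can be sourced and tested offline;
# the real install.bash would call main unconditionally.
if [ "${BREW_INSTALL_RUN:-0}" = 1 ]; then
  main "$@"
fi
```

Running the script with BREW_INSTALL_RUN=1 and the two pinned values set performs the real install; without them, the functions can be exercised on a constructed local file, which is how the QA plan's tamper check is done below: the same file with one appended byte must fail verification and never reach the interpreter.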
Out of scope
- Auditing or changing what the Homebrew installer does once executed.
- Changes to tools/homebrew/update.bash.
Starting points
- tools/homebrew/install.bash, line 9, the curl-pipe-bash invocation
- Homebrew's installation documentation: https://docs.brew.sh/Installation
- Homebrew's published installer checksums (check their GitHub releases or docs for the canonical source)
QA plan
- Modify the script to download to /tmp/brew-install.sh and print its SHA-256 before execution.
- Compare the printed hash against the value published by Homebrew.
- Introduce a deliberate one-byte modification to /tmp/brew-install.sh and confirm the checksum check fails and the script does not execute.
- On a clean run (unmodified file, correct hash), confirm Homebrew installs successfully.
Done when
tools/homebrew/install.bash downloads the installer to a temp file, verifies its checksum against a published value, and only executes it if the check passes — the script is never piped directly from curl to bash.