Installer: Add "pipe-curl-to-shell with integrity checks" install mode #12

Open
pandruszkow opened this issue Aug 24, 2021 · 0 comments

pandruszkow commented Aug 24, 2021

Currently the script repo has to be checked out manually into the correct location, then the installer has to be run.

There should be a pipe-curl-to-shell type command to automatically check out the repo in the right location, and then run the installer.

Lots of thought should be given to how to do this safely (see https://0x46.net/thoughts/2019/04/27/piping-curl-to-shell/) and numerous other articles. At minimum, we want to guarantee that the script arrived in its entirety and that the user can view it directly in the terminal to screen for malicious bootstrapper content. There's still the matter of malicious contents of the repo, but that's a job that you do when you have some spare time anyway.

The installer should check that the currently checked out repo commit is cryptographically signed with a relevant key.

We do not want to assume that a successful transfer == full integrity. The remote server isn't guaranteed to soft-fail without causing an error exit status on curl. Any proxies for the traffic may also MITM even HTTPS contents, and those can fail too. It might be a good idea to attach a SHA256 or a GPG key fetch in the curl command to combat that. Or perhaps a CRC check might suffice to keep the checksum short. The threat model for this installer doesn't include a successful MITM with malicious intent, since this script will be run on computers that are assumed to be free of compromised or malicious HTTPS CA certificates, so at least the HTTPS connection would guard against that.

The pitfall of this is that, unless a GPG signature is used, the checksum embedded in the command will change every time the installer is changed. This may be a smaller pain from a release management POV if the initial installer itself rarely changes.

cksum may be used for this. It seems to be standard-ish across Linux distros (maybe even in POSIX or some base standard?) and gives script length as well to help with connection dropout issues.

Potential idea: write a blog article about this, and the thought process.

Edit: It might be sufficient to place the installer code inside a function (see the end of https://www.arp242.net/curl-to-sh.html), and rely on the assumption that bash will not execute it if the entire function + the entire function invocation command is not transferred across. This would get rid of any noise created by an embedded checksum and make releasing easier. GPG keys should still be verified though.

@pandruszkow pandruszkow changed the title Installer: Add pipe-curl-to-shell install mode Installer: Add "pipe-curl-to-shell with integrity checks" install mode Aug 24, 2021
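The bootstrapper layout the issue sketches (whole script inside functions, a trailing invocation so a truncated transfer executes nothing, a `cksum` CRC-plus-length check, and a pinned-fingerprint signature check on the checked-out commit), as an added example that is not part of the project; `install.sh`, the function names and the argument order are assumptions:

```sh
#!/bin/sh
# Everything lives in functions and nothing runs until the final `main "$@"`, so
# a stream cut off mid-transfer leaves an unfinished function definition (a
# syntax error) instead of a half-executed installer.
set -eu

# verify_cksum FILE CRC LEN: compare the POSIX cksum CRC and byte count of FILE
# with the values embedded in the install command; both must match.
verify_cksum() {
  file=$1; want_crc=$2; want_len=$3
  [ -f "$file" ] || return 1
  set -- $(cksum "$file")   # prints: CRC LEN NAME
  [ "$1" = "$want_crc" ] && [ "$2" = "$want_len" ] && return 0
  return 1
}

# verify_commit_signature REPO FPR: accept HEAD only when git reports a good
# signature (G, or U when the key is merely absent from the local trust db)
# made by the pinned key fingerprint FPR.
verify_commit_signature() {
  repo=$1; allowed=$2
  sig=$(git -C "$repo" log -1 --format='%G? %GF' HEAD 2>/dev/null) || return 1
  case $sig in
    "G $allowed"|"U $allowed") return 0 ;;
  esac
  return 1
}

# main REPO_URL DEST FPR: clone, verify the checked-out commit, then run the
# installer (install.sh is an assumed file name inside the repo).
main() {
  if [ "$#" -ne 3 ]; then
    echo "usage: main REPO_URL DEST KEY_FINGERPRINT" >&2
    return 0
  fi
  url=$1; dest=$2; fpr=$3
  git clone --quiet "$url" "$dest"
  if ! verify_commit_signature "$dest" "$fpr"; then
    echo "refusing to install: HEAD of $dest is not signed by $fpr" >&2
    return 1
  fi
  sh "$dest/install.sh"
}

# Last line on purpose: if the download stops anywhere above, this never runs.
main "$@"
```

The `cksum` values for the command line are obtained by running `cksum` on the released bootstrapper; the second field (byte length) is what catches a connection dropout even when the CRC happens to be unaffected.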