curlbash: locally save and checksum/review before curl|bash-ing installers
curlbash
Installing things by curling them to a shell probably isn't a great practice security-wise, but several things can make it a little better. This script caches the curl'd installer, can optionally verify a checksum, and give the user a chance to review what was downloaded before executing it. Consider it harm reduction for the command line.
curlbash is distributed under the ISC license.
Dependencies
curlbash uses SHA-256 for hashing. It will check for sha256 or
shasum, and use whichever is in the path. It also requires curl.
Usage
Usage: curlbash [-c] [-d] [-e SHA256] [-f | -r] [-h] [-v] URL
-c ignore cache
-d don't delete cached downloads
-e SHA256 expect this SHA256, or exit
-f fetch and exit
-h print this help and exit
-r run, without confirmation
-v increase verbosity
Examples
$ curlbash -h
Print help.
$ curlbash -f URL
Fetch URL (if not cached), cache it locally, and exit. It will be
saved under /tmp, with a filename based on the hash of the URL.
$ curlbash -r -e HASH URL
Download and execute URL, but only if the SHA-256 hash for the
downloaded file matches HASH.
$ curlbash -c URL
Re-fetch URL (ignoring a locally cached copy), display what was
downloaded, and prompt for confirmation before executing.
Portability
Despite the name, curlbash is targeted at /bin/sh for portability
reasons. A reasonable effort is made to test it with bash, mksh, pdksh,
dash, and other common shells that attempt to be POSIX-compliant /
compatible with the Bourne shell. (In other words, bash-isms are bugs.)