hermit
hermit copied to clipboard
Add integrity verification of hermit's bootstrapping script `install.sh`
Issue
Currently (as of commit da318c6cdf6dc4559fae3a9fbb458c53b1c9fba6), hermit
's bootstrapping script install.sh
is an unconditional curl-and-exec. Although ${HERMIT_DIST_URL}
is presumably a trusted URL via HTTPS when instantiated, it lacks explicitness, and its security depends on the instantiation.
Feature request
This is to request adding integrity verification (based on the sha256sum
value) of the custom install.sh
, and proceeding with the execution of the bootstrapping script only when the SHA-256 digest of the downloaded script matches the expected value.
Hermit release v0.25.0 has this feature included.