hermit icon indicating copy to clipboard operation
hermit copied to clipboard

Published 20 hours ago verified publisher icon cashapp

Add integrity verification of hermit's bootstrapping script `install.sh`

Open syncom opened this issue 2 years ago • 1 comments

Issue

Currently (as of commit da318c6cdf6dc4559fae3a9fbb458c53b1c9fba6), hermit's bootstrapping script install.sh is an unconditional curl-and-exec. Although ${HERMIT_DIST_URL} is presumably a trusted URL via HTTPS when instantiated, it lacks explicitness, and its security depends on the instantiation.

Feature request

This is to request adding integrity verification (based on the sha256sum value) of the custom install.sh, and proceeding with the execution of the bootstrapping script only when the SHA-256 digest of the downloaded script matches the expected value.

syncom avatar Apr 05 '22 21:04 syncom

Hermit release v0.25.0 has this feature included.

syncom avatar Jul 02 '22 01:07 syncom