
Sign the rustup install script

Open · culyun opened this issue 2 months ago · 1 comment

Problem you are trying to solve

Over on arch the notes on Rust say something like "You've got two mutually exclusive choices for installing rust: pacman / rustup"

Arch goes on to say something like "... if you want to use Rust for development, use rustup etc."

Ok, so I want to use the rustup install script. But I also want to check what it's doing or alternatively check that it has been signed by the official rust team.

Do you guys publish signatures for the install script? If so, is there a formal (scriptable) mechanism for verifying the install script via these signatures?

Cheers

Solution you'd like

Official Rust Team:

  1. cryptographically signs each released version of the rustup installation script using an appropriate mechanism
  2. publishes public signing keys via multiple public channels
  3. publishes notifications of changes to signing keys using appropriate mechanisms
  4. publishes the signature for the current installer hosted on https://sh.rustup.rs
  5. specifies the formal process of obtaining and verifying public signing keys AND using the verified keys for the purpose of corroborating the rustup installation script via its digital signature

Notes

No response

culyun · Oct 29 '25 21:10

I was just having a poke around in rust-install-script-sh and I noticed a short-form git-sha in the usage() heredoc "... rustup-init 1.28.2 (d1f31992a 2025-04-28) ..."

Ok, so I can see this commit in the repo AND its immediate descendant f7935a8ad24a445629ceedb2cb706a4469e1e5b3, which simply changes the git-sha in the script.

Could you guys maybe use signed commits as part of an automated release-process? That way I could verify the script via the repo.

culyun · Oct 29 '25 21:10
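What the "formal (scriptable) mechanism" from step 5 of the request and the signed-commit check from the follow-up comment could look like on the user's side, as an added example that is not rustup's own tooling: it assumes a detached OpenPGP signature file published next to the script, a keyring that already holds the verified release key, and signed commits in the rustup repo, all of which the issue asks for rather than describes as existing.

```shell
#!/bin/sh
# Added example, not part of the rustup project. Assumptions: SIG is a
# detached OpenPGP signature over SCRIPT, KEYRING contains only the
# release key the user has already verified out of band, and the rustup
# repo uses signed commits. Every check fails closed.
set -u

# Extract "<version> <short-sha> <date>" from the usage() heredoc line, e.g.
#   rustup-init 1.28.2 (d1f31992a 2025-04-28)
# Prints nothing and returns 1 if the line is absent or malformed.
rustup_init_build_info() {
    script="$1"
    sed -n 's/^.*rustup-init \([0-9][0-9.]*\) (\([0-9a-f]\{7,40\}\) \([0-9-]\{10\}\)).*$/\1 \2 \3/p' "$script" \
        | head -n 1 | grep .
}

# Verify SCRIPT against detached SIG using only the keys in KEYRING.
# Returns 0 and prints the build info only when gpg reports a good
# signature; any missing input, missing gpg, or bad signature returns 1.
verify_rustup_init() {
    script="$1"; sig="$2"; keyring="$3"
    [ -f "$script" ] && [ -f "$sig" ] && [ -f "$keyring" ] || return 1
    command -v gpg >/dev/null 2>&1 || return 1
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$script" >/dev/null 2>&1 || return 1
    # The embedded version/commit is only trustworthy after a good signature.
    rustup_init_build_info "$script"
}

# Second comment's idea: given a local clone of the rustup repo, check that
# the commit the script claims to be built from carries a good signature.
# Only meaningful once the project signs its release commits (assumed).
verify_build_commit() {
    repo="$1"; short_sha="$2"
    git -C "$repo" verify-commit "$short_sha" >/dev/null 2>&1
}
```

Keep the keyring separate from your default GnuPG keyring so that an unrelated imported key can never satisfy the check.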