Verify checksum in installer script

[polothy]

Summary

Was experimenting with the uv installer for CI/CD:

curl -LsSf https://astral.sh/uv/install.sh | env UV_UNMANAGED_INSTALL="$HOME/bin" sh
downloading uv 0.6.16 x86_64-unknown-linux-gnu
no checksums to verify
installing to /tmp/bin
  uv
  uvx
everything's installed!

Noticed no checksums to verify - I looked at the installer script and it looks like it has everything in there to verify the checksums, it's just missing the checksum values. The checksums are also on the GH releases page, so it looks like they just need to be injected into the install script on release or downloaded separately from the GH release. Would be a nice touch for added security.

Example

No response

[kerneljack]

Hello, I hope you don't mind but I've written some code to fix this in uv-installer.sh. It now downloads and verifies the checksums for each architecture.

However, I can't find the uv-installer.sh file in the astral-sh/uv repository, can you please let me know where it is so I can send a pull request? Thanks.

Here's some example output:

$ sh ./uv-installer.sh
downloading uv 0.7.8 x86_64-unknown-linux-gnu
downloading checksum for uv 0.7.8 x86_64-unknown-linux-gnu
verifying checksum sha256 285981409c746508c1fd125f66a1ea654e487bf1e4d9f45371a062338f788adb for /tmp/tmp.VSFY7Lnoji/input.tar.gz


$ sh ./uv-installer.sh -v
downloading uv 0.7.8 x86_64-unknown-linux-gnu
  from https://github.com/astral-sh/uv/releases/download/0.7.8/uv-x86_64-unknown-linux-gnu.tar.gz
  to /tmp/tmp.lPkBqXXXeM/input.tar.gz
downloading checksum for uv 0.7.8 x86_64-unknown-linux-gnu
  from https://github.com/astral-sh/uv/releases/download/0.7.8/uv-x86_64-unknown-linux-gnu.tar.gz.sha256
  to /tmp/tmp.lPkBqXXXeM/checksum.tar.gz.sha256
verifying checksum sha256 285981409c746508c1fd125f66a1ea654e487bf1e4d9f45371a062338f788adb for /tmp/tmp.lPkBqXXXeM/input.tar.gz

[konstin]

I don't think we gain a security advantage by downloading a hash hosted next to the file itself, HTTPS is already checking the integrity of the file during download.

Our installers are created by cargo-dist and the checksums would need to be injected by cargo-dist, but with the installer also being a remote script, the security gain right now would be marginal.

[kerneljack]

Ah so the better solution would be to inject the checksums using cargo-dist into the script, rather than downloading and verifying like I'm doing?

[konstin]

Yes, though for the aforementioned reason this isn't high priority for us.

[kerneljack]

ok, thank you. I don't have much experience with cargo-dist at the moment so will bow out of this one for now.

[davidrenewhome]

+1 to this — we should absolutely add a SHA (or signature) check for the install script (curl -LsSf https://astral.sh/uv/install.sh) so that when someone downloads it we can verify nothing was tampered with. It's just standard security practise

[aleksanb]

+1 to this — we should absolutely add a SHA (or signature) check for the install script (curl -LsSf https://astral.sh/uv/install.sh) so that when someone downloads it we can verify nothing was tampered with. It's just standard security practise

Looking forward to signed SHAs for the same reason. Having our prod infra install uv via curl | bash is quite high risk for any workload.

[zsol]

For what it's worth, this is the missing feature that needs implementing in cargo-dist: axodotdev/cargo-dist#439

[aleksanb]

Looking forward to signed SHAs for the same reason. Having our prod infra install uv via curl | bash is quite high risk for any workload.

We ended up vendoring the UV install script instead, to protect against supply chain attacks from that angle.
Gives us the same security as checking in shasums.

Edit: Not quite, because the files that the install script itself is downloading don't have checksums or even better, a signature we could check against a well known public key ceritificate published by UV. So the install script can still download malware just fine without us knowing.

[dlebedinsky]

I agree. Furthermore, it would be good if you updated the installation instructions with a command to check the checksum. Encouraging new users to run curl -LsSf https://astral.sh/uv/install.sh | sh isn't really promoting best security practices. It would be good to replace it with something along the lines of

curl -LsSf https://astral.sh/uv/install.sh -o uv-installer.sh
sha256sum uv-installer.sh
sh uv-installer.sh