Hi Björn,

> I was looking at the installation video from Laura (not yet public) and
> wondered about that:
>
> We just download the installation script:
>
> $ wget https://.../guix-install.sh
>
> Then we go on directly executing that script.
>
> Shouldn't that be safeguarded by a PGP-signature too?

I don’t know.

> Because if it is not, the user could be tricked into a script that
> downloads a "bad" Guix installation tarball.

To avoid having the user tricked we use HTTPS. At least the users will know that this file comes from the official project website.

A user who is tricked into downloading a script from a malicious site could just as well download a matching signature from somewhere else, so the script body itself should be signed.

We can’t sign the whole file because the first line must be the shebang — unless we forgo the shebang and the “chmod +x” instruction and ask people to execute it with “sudo bash guix-install.sh”. “gpg --clear-sign” adds a block of text before and after the file, which would be a syntax error in a shell script.

We are probably stuck with having a separate signature file. I don’t know if it’s worth doing when HTTPS is used to fetch the script from an authoritative source.

> That's what we are always
> criticising about others' wget-scripts that install whatever to the user.

The criticism is aimed at “curl | sudo bash” instructions that execute scripts off the Internet without prior inspection as root.

--
Ricardo