{"id":13725847,"url":"https://github.com/awalgarg/curl-tap-sh","last_synced_at":"2025-05-07T21:30:30.468Z","repository":{"id":97556665,"uuid":"73575836","full_name":"awalgarg/curl-tap-sh","owner":"awalgarg","description":"tap curl in your editor before it gets to sh it","archived":true,"fork":false,"pushed_at":"2016-12-03T14:04:28.000Z","size":2,"stargazers_count":87,"open_issues_count":0,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-05-07T02:49:24.559Z","etag":null,"topics":["curl","installation","linux"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/awalgarg.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-11-12T20:11:17.000Z","updated_at":"2024-01-04T16:08:58.000Z","dependencies_parsed_at":"2024-01-15T03:59:49.717Z","dependency_job_id":"26b05eda-8b93-4e32-828e-9dd7d904a18e","html_url":"https://github.com/awalgarg/curl-tap-sh","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awalgarg%2Fcurl-tap-sh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awalgarg%2Fcurl-tap-sh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awalgarg%2Fcurl-tap-sh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awalgarg%2Fcurl-tap-sh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/awalgarg","download_url":"https://codeload.github.com/awalgarg/curl-tap-sh/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252957010,"owners_count":21831420,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["curl","installation","linux"],"created_at":"2024-08-03T01:02:37.397Z","updated_at":"2025-05-07T21:30:30.215Z","avatar_url":"https://github.com/awalgarg.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# curl-tap-sh\n\nSo, the internet seems to have a lot of software with the installation method\nbeing in the infamous `curl .. | sh` format. People don't like this because\nwhat `curl` downloads might have been messed with by someone in between\ndepending on the specifics. But people still use this method because it is\nconvenient.\n\nAwal is here to present a solution. Included in this repo is a script,\nwhich you can put in your `$PATH` by the name `tap`. And now whenever you\nare about to run:\n\n```sh\ncurl foo/bar | sh\n```\n\nSimply run the following instead:\n\n```sh\ncurl foo/bar | tap | sh\n```\n\n`tap` will first collect all the data from curl, save it to a temp file,\nopen that file in your `$EDITOR` (or `vim` if not specified), and you can\nreview it. You can make changes to it if you want. If you write the file\nand close the editor successfully (i.e., the editor returns exit code 0),\nthen `tap` sends the saved output (including your edits, if any) along the\npipe. Else it doesn't (so you can exit with `:cq` in vim if you don't want\nto run the script after reviewing). This also shields against a timing\nattack which [detects `curl | sh` server-side][1].\n\nOfcourse, `tap` deletes the temporary file after this :)\n\n## Other Stuff\n\nThere is also `vipe` from the excellent [moreutils][2] toolkit, written as\na perl script. It does pretty much the same thing.\n\nThere is [hashpipe][3], written in Go, which verifies stdin based on a\nchecksum passed to it. This is a pretty good idea too, but it requires the\ndistributor of the script to provide an up-to-date checksum at all times,\nand you need to be sure that the medium through which you are obtaining the\nchecksum has not been meddled with.\n\n## Author\n\nAwal Garg \u003cawalgarg@gmail.com\u003e, [@awalGarg](https://twitter.com/awalGarg)\n\nThis repo is released under WTFPL.\n\n[1]: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/\n[2]: https://joeyh.name/code/moreutils/\n[3]: https://github.com/jbenet/hashpipe\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fawalgarg%2Fcurl-tap-sh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fawalgarg%2Fcurl-tap-sh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fawalgarg%2Fcurl-tap-sh/lists"}