{"id":13581357,"url":"https://github.com/ellotheth/pipethis","last_synced_at":"2025-04-06T07:31:59.912Z","repository":{"id":41478903,"uuid":"50157134","full_name":"ellotheth/pipethis","owner":"ellotheth","description":"Replace your `curl | sh` installers","archived":false,"fork":false,"pushed_at":"2017-06-16T21:41:20.000Z","size":84,"stargazers_count":431,"open_issues_count":3,"forks_count":11,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-03-29T03:24:06.422Z","etag":null,"topics":["gnupg","keybase","pgp","shell","signature"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ellotheth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-01-22T04:15:07.000Z","updated_at":"2024-09-29T06:13:37.000Z","dependencies_parsed_at":"2022-09-14T19:41:04.474Z","dependency_job_id":null,"html_url":"https://github.com/ellotheth/pipethis","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellotheth%2Fpipethis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellotheth%2Fpipethis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellotheth%2Fpipethis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ellotheth%2Fpipethis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ellotheth","download_url":"https://codeload.github.com/ellotheth/pipethis/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247450191,"owners_count":20940872,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gnupg","keybase","pgp","shell","signature"],"created_at":"2024-08-01T15:02:00.758Z","updated_at":"2025-04-06T07:31:59.608Z","avatar_url":"https://github.com/ellotheth.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# pipethis\n\n(I would have called it `stop-piping-the-internet-into-your-shell`, but that\nseemed too long.)\n\n[![GoDoc](https://godoc.org/github.com/ellotheth/pipethis?status.svg)](https://godoc.org/github.com/ellotheth/pipethis)\n[![Build Status](https://travis-ci.org/ellotheth/pipethis.svg?branch=master)](https://travis-ci.org/ellotheth/pipethis)\n[![Coverage Status](https://coveralls.io/repos/github/ellotheth/pipethis/badge.svg?branch=master)](https://coveralls.io/github/ellotheth/pipethis?branch=master)\n\n## `tl;dr`\n\nInstead of\n\n```\n$ curl -sSL https://get.rvm.io | bash\n```\n\ndo\n\n```\n$ pipethis https://get.rvm.io\n```\n\nor (assuming not everybody has adopted my awesome idea but you still want to\nimprove your life)\n\n```\n$ pipethis --no-verify --inspect https://get.rvm.io\n```\n\nor even\n\n```\n$ curl -sSL https://get.rvm.io | pipethis --no-verify | bash\n```\n\n\n## Install\n\n### Manual (Linux, Mac OSX)\n\n[download the binary](https://github.com/ellotheth/pipethis/releases) and drop it in your `$PATH`.\n\n### Homebrew (Mac OSX)\n\n```\n$ brew tap dennisdegreef/pipethis\n$ brew install pipethis\n```\n\n### Gophers\n\nIf you've already got a Go development environment set up, you can grab it like this:\n\n```\n$ go get github.com/ellotheth/pipethis\n```\n\n## Use\n\n### People piping the installers\n\n```\npipethis [ OPTIONS ] \u003cscript\u003e\n\nOPTIONS\n\n--target \u003cexe\u003e\n\n    The shell or other binary that will run the script. Defaults to the SHELL\n    environment variable.\n\n--lookup-with \u003ckeybase,local\u003e\n\n    The service you'll use to verify the author's identity:\n\n    keybase (default)\n        Use https://keybase.io\n    local\n        Use your local GnuPG public keyring\n\n    If you're piping a script from `stdin`, the service will be forced to\n    `local`.\n\n--inspect\n\n    If set, open the script in an editor before checking the author. Ignored if\n    you're piping a script from `stdin`.\n\n--editor \u003ceditor\u003e\n\n    The editor binary to use when --inspect is set. Defaults to the EDITOR\n    environment variable.\n\n--no-verify\n\n    If set, skips author and signature verification entirely. You'll need to\n    set this if \u003cscript\u003e doesn't support pipethis yet.\n\n--signature \u003csignature file\u003e\n\n\tThe detached signature to verify \u003cscript\u003e against. You'll only need this in\n    a couple scenarios:\n\n    - You've already downloaded the detached signature and you want to use your\n      downloaded copy, or\n    - the signature is hosted in a non-standard location (i.e. it's not\n      \u003cscript\u003e.sig), or\n    - you're piping a script with a detached signature from `stdin`.\n```\n\nIf you're piping scripts into `pipethis` directly from `curl`, you'll need\nto have the script authors' PGP keys already stored in your local keyring.\nDon't worry, they'll have instructions!\n\n### People writing the installers\n\nYou can add one line to your installer script to make it support `pipethis`,\nbut there's other stuff to do as well:\n\n1. Get an account on [Keybase](https://keybase.io). I know, Real Crypto Geeks™\n   hate Keybase because Browser Crypto Is Unsafe™ and They Can Store\n   Your Private Key®. It's a place to start, yo, just do it.\n\n   Alternatively, you can hand out your public key at key signing parties\n   (because you're a Real Crypto Geek™, remember?), and tell people to import\n   it into their local public keyrings.\n2. Add one line to your installation script to identify yourself. You can throw\n   it in a comment:\n\n    ```\n    # // ; '' PIPETHIS_AUTHOR your_name_or_your_key_fingerprint\n    ```\n\n3. Create a signature for the script. With Keybase, that's:\n\n    ```\n    $ keybase pgp sign -i yourscript.sh -d -o yourscript.sh.sig\n    ```\n\n   but you're a Real Crypto Geek™, so you'll use `gnupg`:\n\n    ```\n    $ gpg --detach-sign -a -o yourscript.sh.sig yourscript.sh\n    ```\n\n   Both those commands create ASCII-armored signatures. Binary signatures work\n   too.\n\n   Alternatively, you can clearsign the script with an attached signature::\n\n    ```\n    $ keybase pgp sign -i yourscript.unsigned.sh -c -o yourscript.sh\n    ```\n\n    ```\n    $ gpg --clearsign -a -o yourscript.sh yourscript.unsigned.sh\n    ```\n\n4. Pop the script (and the signature, if it's detached) up on your web server.\n5. Replace your copy-paste-able installation instructions!\n\n## What's all this noise\n\nWho's [piped](https://rvm.io/rvm/install) the\n[installation script](https://github.com/npm/npm#fancy-install-unix) for their\n[favorite tool](https://github.com/creationix/nvm#install-script) directly from\n`curl` [into their shell](https://getcomposer.org/doc/00-intro.md#installation-linux-unix-osx)?\nShow of hands? Come on, [you know](http://ipxe.org/)\n[you have](https://docs.puppetlabs.com/pe/latest/install_agents.html#scenario-1-the-osarchitecture-of-the-puppet-master-and-the-agent-node-are-the-same).\nDon't feel bad, so have I! So have we all, really. It's so easy, so fast, so\nclean, so...well, **[bad](http://curlpipesh.tumblr.com/)\n[for](https://jordaneldredge.com/blog/one-way-curl-pipe-sh-install-scripts-can-be-dangerous/)\n[you](https://www.seancassidy.me/dont-pipe-to-your-shell.html)**.\n\n- Network errors happen. Why pay for them in the middle of an install?\n- Is your source served over SSL? No? Grats, you have no idea what you're\n  downloading or where it came from. Exciting!\n- What's that? Your source is served over SSL? Great! Any disgruntled employees\n  have access to that server? Any trolls? Hey cool, you still have no idea what\n  you're downloading!\n\nThere are simple solutions to some of those problems:\n\n- Cache the script before you shove it into Bash.\n- Use something like [vipe](https://joeyh.name/code/moreutils/) to pipe the\n  script into an editor so you can review it before you run it.\n- Use [hashpipe](https://github.com/jbenet/hashpipe) to check the file hash\n  before you run it.\n\nBut simple solutions are, like, boring, and stuff.\n\n## Why I'm here\n\nThe more interesting problem (to me, anyway) is authenticity. You trust whoever\nwrote the script; how can you be reasonably sure the script you download is the\none they wrote?\n\n### PGP. Clearly.\n\nWhat if every installation script was embedded with the cryptographic signature\nof its author, and you could verify the author and the script against the\nsignature when you ran it?\n\nEnter `pipethis`.\n\n## How it works\n\nScripts that support `pipethis` will embed a special line that identifies the\nscript author:\n\n```{.sh}\n#!/usr/bin/bash\n\n# PIPETHIS_AUTHOR gemma\n\necho woooooo look how verified everything is!\n```\n\nIf you drop `--inspect` on the command line, `pipethis` with throw the script\ninto your favorite editor before it does anything else, and you can check the\nauthor (and the rest of the content) yourself.\n\nIf you're happy with the script contents, `pipethis` checks\n[Keybase](https://keybase.io) for any users that match `PIPETHIS_AUTHOR`. (It\nuses the same search you find in the search box on their website, so you could\nuse a username, a Twitter handle, or even a key fingerprint.) It'll spit all\nthe matches back at you in a list, along with all their Keybase proofs. Once\nyou choose one, `pipethis` grabs the public key for that user. If you don't see\nthe person you're looking for, you can bail. No harm, no foul.\n\n```\nI found 2 results:\n\n0:\n\n     Identifier: gemma\n        Twitter: ellotheth\n         Github: ellotheth\n    Hacker News: gemma\n         Reddit: \n    Fingerprint: 417b9f99b7c04ccebd06777d0bc6bb965aa6f296\n           Site: ramblinations.com\n           Site: ramblinations.com\n\n\n1:\n\n     Identifier: gemmakbarlow\n        Twitter: gemmakbarlow\n         Github: gemmakbarlow\n    Hacker News: gemmakbarlow\n         Reddit: \n    Fingerprint: 1fd52e9237fef588e2d0d26100fee8d483374357\n```\n\nOnce you've picked an author, `pipethis` will go grab their detached PGP\nsignature for the script. If `--signature` is not given on the command line,\n`pipethis` will tack `.sig` onto the end of the script location and try that\ninstead.\n\nWith the signature and public key in hand, `pipethis` will verify that the\nsignature matches both the key and the script. If it does, you're good to go,\nand `pipethis` will run the script for you (against the executable of your\nchoice). If not, `pipethis` dies, cleans itself up, and nobody ever has to know\nthat you almost pwned yourself.\n\n## It's not done yet\n\n`pipethis` works, but it can be better!\n\n- There are zillions of other places to get public keys for people, and I want\n  to support more of them. I think Keybase is stellar and I love what they're\n  trying to do, but nobody likes to be locked in to one provider.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fellotheth%2Fpipethis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fellotheth%2Fpipethis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fellotheth%2Fpipethis/lists"}