rtk-ai/rtk

security: install.sh uses curl|sh pattern without binary integrity verification

Open

#1 158 ouverte le 10 avr. 2026

Voir sur GitHub
 (1 commentaire) (1 réaction) (0 assignés)Rust (2 914 forks)batch import
area:ciarea:securityeffort-mediumenhancementhelp wantedpriority:medium

Métriques du dépôt

Stars
 (48 085 stars)
Métriques de merge PR
 (Merge moyen 11j 1h) (45 PRs mergées en 30 j)

Description

Problem

The recommended quick install method downloads and executes a script directly from GitHub:

```bash curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.sh | sh ```

Risks

  1. Supply chain attack surface: If the GitHub repo is compromised (or a maintainer account is hijacked), every new install gets a backdoored binary. There is no integrity verification between download and execution.

  2. MITM risk: While HTTPS protects against most MITM attacks, a compromised CA or DNS hijack could serve a malicious script. The script then downloads and installs a binary without verification.

  3. No checksum verification: The installer downloads the tar.gz but does not verify a checksum or signature before extracting and installing.

`install.sh` lines 75-85:

```bash info "Downloading from: $DOWNLOAD_URL" if ! curl -fsSL "$DOWNLOAD_URL" -o "$ARCHIVE"; then error "Failed to download binary" fi

info "Extracting..." tar -xzf "$ARCHIVE" -C "$TEMP_DIR"

mkdir -p "$INSTALL_DIR" mv "${TEMP_DIR}/${BINARY_NAME}" "${INSTALL_DIR}/" ```

Proposed fixes

Short term: Add checksum verification

Publish SHA-256 checksums alongside each release and verify in the installer:

```bash

Download checksum

CHECKSUM=$(curl -fsSL "$DOWNLOAD_URL.sha256") echo "$CHECKSUM $ARCHIVE" | sha256sum --check ```

Medium term: Add GPG signature verification

Sign releases with a maintainer GPG key and verify in the installer.

Long term: Provide OS package manager installation as primary

The Homebrew installation (`brew install rtk`) already has integrity verification via Homebrew's formula system. Making this the primary recommendation would be more secure.

Comparison with industry best practices

  • Rustup: Downloads a script but verifies GPG signatures on the binaries
  • Homebrew: Verifies SHA-256 checksums in formula
  • Nix: Cryptographic content-addressed store paths
  • asdf: Verifies checksums against published hashes

Acceptance criteria

  • Installer verifies binary integrity before installation
  • Checksums or signatures are published with each release
  • Documentation recommends verified installation methods first

Guide contributeur