rtk-ai/rtk

security: install.sh uses curl|sh pattern without binary integrity verification

Open

#1.158 aberto em 10 de abr. de 2026

Ver no GitHub
 (1 comment) (1 reaction) (0 assignees)Rust (2.914 forks)batch import
area:ciarea:securityeffort-mediumenhancementhelp wantedpriority:medium

Métricas do repositório

Stars
 (48.085 stars)
Métricas de merge de PR
 (Mesclagem média 11d 1h) (45 fundiu PRs em 30d)

Description

Problem

The recommended quick install method downloads and executes a script directly from GitHub:

```bash curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.sh | sh ```

Risks

  1. Supply chain attack surface: If the GitHub repo is compromised (or a maintainer account is hijacked), every new install gets a backdoored binary. There is no integrity verification between download and execution.

  2. MITM risk: While HTTPS protects against most MITM attacks, a compromised CA or DNS hijack could serve a malicious script. The script then downloads and installs a binary without verification.

  3. No checksum verification: The installer downloads the tar.gz but does not verify a checksum or signature before extracting and installing.

`install.sh` lines 75-85:

```bash info "Downloading from: $DOWNLOAD_URL" if ! curl -fsSL "$DOWNLOAD_URL" -o "$ARCHIVE"; then error "Failed to download binary" fi

info "Extracting..." tar -xzf "$ARCHIVE" -C "$TEMP_DIR"

mkdir -p "$INSTALL_DIR" mv "${TEMP_DIR}/${BINARY_NAME}" "${INSTALL_DIR}/" ```

Proposed fixes

Short term: Add checksum verification

Publish SHA-256 checksums alongside each release and verify in the installer:

```bash

Download checksum

CHECKSUM=$(curl -fsSL "$DOWNLOAD_URL.sha256") echo "$CHECKSUM $ARCHIVE" | sha256sum --check ```

Medium term: Add GPG signature verification

Sign releases with a maintainer GPG key and verify in the installer.

Long term: Provide OS package manager installation as primary

The Homebrew installation (`brew install rtk`) already has integrity verification via Homebrew's formula system. Making this the primary recommendation would be more secure.

Comparison with industry best practices

  • Rustup: Downloads a script but verifies GPG signatures on the binaries
  • Homebrew: Verifies SHA-256 checksums in formula
  • Nix: Cryptographic content-addressed store paths
  • asdf: Verifies checksums against published hashes

Acceptance criteria

  • Installer verifies binary integrity before installation
  • Checksums or signatures are published with each release
  • Documentation recommends verified installation methods first

Guia do colaborador