rtk-ai/rtk

security: install.sh uses curl|sh pattern without binary integrity verification

Open

#1,158 opened on Apr 10, 2026

View on GitHub
 (1 comment) (1 reaction) (0 assignees)Rust (2,914 forks)batch import
area:ciarea:securityeffort-mediumenhancementhelp wantedpriority:medium

Repository metrics

Stars
 (48,085 stars)
PR merge metrics
 (Avg merge 11d 1h) (45 merged PRs in 30d)

Description

Problem

The recommended quick install method downloads and executes a script directly from GitHub:

```bash curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.sh | sh ```

Risks

  1. Supply chain attack surface: If the GitHub repo is compromised (or a maintainer account is hijacked), every new install gets a backdoored binary. There is no integrity verification between download and execution.

  2. MITM risk: While HTTPS protects against most MITM attacks, a compromised CA or DNS hijack could serve a malicious script. The script then downloads and installs a binary without verification.

  3. No checksum verification: The installer downloads the tar.gz but does not verify a checksum or signature before extracting and installing.

`install.sh` lines 75-85:

```bash info "Downloading from: $DOWNLOAD_URL" if ! curl -fsSL "$DOWNLOAD_URL" -o "$ARCHIVE"; then error "Failed to download binary" fi

info "Extracting..." tar -xzf "$ARCHIVE" -C "$TEMP_DIR"

mkdir -p "$INSTALL_DIR" mv "${TEMP_DIR}/${BINARY_NAME}" "${INSTALL_DIR}/" ```

Proposed fixes

Short term: Add checksum verification

Publish SHA-256 checksums alongside each release and verify in the installer:

```bash

Download checksum

CHECKSUM=$(curl -fsSL "$DOWNLOAD_URL.sha256") echo "$CHECKSUM $ARCHIVE" | sha256sum --check ```

Medium term: Add GPG signature verification

Sign releases with a maintainer GPG key and verify in the installer.

Long term: Provide OS package manager installation as primary

The Homebrew installation (`brew install rtk`) already has integrity verification via Homebrew's formula system. Making this the primary recommendation would be more secure.

Comparison with industry best practices

  • Rustup: Downloads a script but verifies GPG signatures on the binaries
  • Homebrew: Verifies SHA-256 checksums in formula
  • Nix: Cryptographic content-addressed store paths
  • asdf: Verifies checksums against published hashes

Acceptance criteria

  • Installer verifies binary integrity before installation
  • Checksums or signatures are published with each release
  • Documentation recommends verified installation methods first

Contributor guide