I've seen this same argument time and time again and it's just silly. We preach that curl | sh is evil because of a potential lack of "transparency" but rarely does anyone denounce the evils of binary packages.<p>When you run third-party code on your system there is ALWAYS a risk of it doing nasty things, it doesn't matter if it's an easily readable bash script or a .deb you downloaded. The biggest argument I see about curl | sh that I can agree with is the issues that happens when your connection dies in the middle of the download. Just download the file, then run it.
There are other risks besides malicious webservers. Even an accidental network glitch can be fatal, for example if the connection is dropped after the first "/" here:<p>rm -rf /tmp/myawesomeinstaller
I don't understand why you would go through all of this effort...<p>Just dump the data into a file:<p>curl > foobar<p>Read the file using any number of normal utilities<p>vim foobar<p>cat foobar<p>nano foobar<p>less foobar<p>Then if you like what you see execute the file<p>sh foobar<p>Linux/Unix utilities are meant to be used. Don't limit yourself to only knowing how to check the contents of a curl install if you have a curlsh function.
I'd say apply the same level of scrutiny as you would other code, such as the code that your distribution allows you to install. That means:<p><pre><code> 1) Find a source you trust (nominally)
2) Get a gpg-key that you trust belong to that user
3) Get the install.sh script
4) Get the matching gpg signature (install.sh.asc)
5) Verify that 4) is a valid signature of 3) under 2)
6) Have a look at the script
7) Run the script
</code></pre>
If you can't establish 2), you'll just have to stick to 3) 6) and 7).<p>Seeing that something is on a https site, just means someone had the access to put it there. If someone got access to the private key behind 2) -- 1) is probably so compromised that there isn't anything other than 6) that might protect you -- and if the script is truly malicious (as opposed to just your average botched bash script) -- it's not guaranteed that it's obviously malicious.<p>Anyway, a gpg signature links some distributable the author has verified all the way back to wherever that file was authored -- while https only anchors trust on the web server. Web servers get compromised all the time. Prefer a proper signature as a means to anchor trust ("yes, this is probably what X <i>wanted</i> to distribute. If you trust X, this is probably OK").<p>A https signature just means: "This is something someone/anyone managed to upload to this web server".
If you don't want to bother with all this you can also just do a simple `wget <a href="http://site.com/file.sh" rel="nofollow">http://site.com/file.sh</a> -O /tmp/script`, look through it in your editor, then run it.
Another method to protect against malformed output due to the connection being cut short - "shell armour":<p><a href="http://drj11.wordpress.com/2014/03/19/piping-into-shell-may-be-harmful/" rel="nofollow">http://drj11.wordpress.com/2014/03/19/piping-into-shell-may-...</a><p><pre><code> { echo { && curl https://thing && echo } ; } | sh</code></pre>
Is this really a "hidden" danger? It's pretty obvious that you shouldn't execute a script without reading it unless it's from a trusted source over https.
I don't see much reason for ever needing to do this. Should build packages to install software, and use config management for anything needed outside the package.