Skip to content

Verify every install script. Checksum.sh is a simple way to download, review, and verify install scripts.

License

Notifications You must be signed in to change notification settings

gavinuhma/checksum.sh

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

checksum.sh - Verify Every Install Script

checksum.sh

GitHub top language GitHub code size in bytes GitHub license GitHub repo stars

Checksum.sh is a simple way to download, review, and verify install scripts. If the checksum is OK the script will be printed to stdout, which can be piped to sh or elsewhere. If the checksum doesn't match it produces an error and nothing is piped. View the code on GitHub.

For example, to install Rust:

checksum https://sh.rustup.rs 8327fa6ce106d2a387fdd02cb95c3607193c2edb | sh

In contrast to Rust's usual installation which doesn't verify the checksum:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Install

Option 1: Define the checksum function directly

Paste the following into your command line to define the checksum function.

function checksum() {
  local s
  s=$(curl -fsSL "$1")
  local h
  if command -v shasum >/dev/null ; then
    h=shasum
  else
    h=sha1sum
  fi
  if [ ! "$2" ] ; then
    printf %s\\n "$s" | "$h" | awk '{print $1}'
    return 1;
  fi
  printf %s\\n "$s" | "$h" --check --status <(printf '%s  -\n' "$2") || {
    echo "checksum failed" >&2;
    return 1;
  }
  printf %s\\n "$s"
}

Option 2: Download the script

Alternatively, you can download, review and verify the checksum.sh script:

curl -O https://checksum.sh/checksum.sh
cat checksum.sh
echo "df260dd53581e6e30c0afbe32b80db6b0bec2d07  checksum.sh" | shasum -c

If everything is OK, you can source the script which will define the checksum function.

source checksum.sh

Use

To download and verify a script pass the URL and the CHECKSUM:

checksum <URL> <CHECKSUM>

The script will be printed out by default so you can inspect it.

If you're happy with it, you can pipe the script to sh to execute it:

checksum <URL> <CHECKSUM> | sh

If you just want to calculate the checksum for a URL you can omit the CHECKSUM:

checksum <URL>

Examples

Note: If any of these install scripts have changed these commands will error because the checksum will be invalid.

Install Rust

checksum https://sh.rustup.rs 6282be0e90f8f9e041a4f714039e61bf8c03ad85 | sh

Install Cape

checksum https://raw.githubusercontent.com/capeprivacy/cli/main/install.sh 2309498bc07fbca42d421f696a605da15d99d939 | sh

Install Nitrogen

checksum https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.sh f403add95bde19aeba87f8e63e67b09af671d804 | sh

Install Nix

checksum https://nixos.org/nix/install 885201bc4da10dbd264778fbbdb4887e5304682a | sh

Install Deno

checksum https://deno.land/install.sh 57a4d67e64d2a7204541b9e131cedb289a79e834 | sh

Install Bun

checksum https://bun.sh/install 86c651cf7aac32cceb3688f0a4e026776c965b49 | bash

Install Haskell

checksum https://get-ghcup.haskell.org d1fe43ba1316fd89170c68d042dc2c6ac3979965 | sh

Install Homebrew

checksum https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh 112869ebf4129eba57cac6217d4cd1b21344f274 | bash

Install Just

checksum https://just.systems/install.sh 1f253751970e65ea59fee43e0f740e84f8eb5d43 | bash -s -- --to DEST

Contributors & Thanks

Checksum.sh is maintained by @gavinuhma.

Thank you to those who have contributued code and ideas through pull requests, issues, and comments!

About

Verify every install script. Checksum.sh is a simple way to download, review, and verify install scripts.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages