Describe the solution you'd like
I would like to run the K3S script (https://get.k3s.io) but the hash sum is missing.
Please provide a hash sum (i.e. https://get.k3s.io/md5) so the downloaded script can be verified.
That would be a nice improvement.
Describe alternatives you've considered
Additional context
How would you propose to verify the checksum? If you're curl-bashing the script and are worried about someone doing a man-in-the-middle attack on get.k3s.io, the attacker could just provide a checksum that matches their modified file as well.
If you are concerned about the integrity of the shell script, you are best off ensuring that you have a secure (TLS) connection between your host and get.k3s.io. Alternately, you could shallow clone the git repo over SSH and run the script from there.
That said, this is now available if you can think of a secure way to consume it: https://get.k3s.io/sha256
How would you propose to verify the checksum? If you're curl-bashing the script and are worried about someone doing a man-in-the-middle attack on get.k3s.io, the attacker could just provide a checksum that matches their modified file as well.
If you are concerned about the integrity of the shell script, you are best off ensuring that you have a secure (TLS) connection between your host and get.k3s.io. Alternately, you could shallow clone the git repo over SSH and run the script from there.
I think the intention is to validate the correct download of the script before running it, although I'll let @noelmcloughlin speak to the specifics.
IMHO, if the user is concerned with the integrity of the shell script, they shouldn't be installing via this method (saltstack script install), either use the binary DL or manually validate the script. Would it make sense to add this as a note in the documentation, perhaps?
It is a historic convention at saltstack-formulas to checksum downloads (maybe because our home networks are not five-nines) so I guess it is for download integrity. Thanks for providing the link @brandond and for testing @BadgerOps.
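The download-integrity check discussed in this thread, as an added example (not code from the k3s project or from any commenter): save the script to a file, compare its SHA-256 with the published value, and run it only on a match. The function names are hypothetical, and the format of the checksum text (a bare digest or `digest  filename`) is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Print the lowercase SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    fi
}

# Take the first field of the first non-empty line of the checksum text and
# accept it only if it is exactly 64 hex digits.
# Assumption: the text is a bare digest or "digest  filename".
extract_digest() {
    d=$(printf '%s\n' "$1" | awk 'NF {print tolower($1); exit}')
    printf '%s\n' "$d" | grep -Eq '^[0-9a-f]{64}$' || return 1
    printf '%s\n' "$d"
}

# Return 0 only when the file's digest equals the expected one.
# Returns 1 on mismatch (including an unreadable file), 2 on a malformed checksum.
verify_script() {
    file=$1
    expected=$(extract_digest "$2") || {
        echo "malformed checksum: refusing to run $file" >&2
        return 2
    }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: refusing to run $file" >&2
        return 1
    fi
}

# Usage, with the URLs from the thread (network steps left as comments):
#   curl -sfL https://get.k3s.io -o install.sh
#   verify_script install.sh "$(curl -sfL https://get.k3s.io/sha256)" && sh install.sh
# A digest fetched from the same host only detects a truncated or corrupted
# download. To detect tampering, pass a digest recorded out of band instead.
```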