Can’t an attacker just replace the hash with their malicious hash?
There’s only one hash. Most curl attacks use the user-agent, timing attacks, etc., so if the returned script is malformed or malicious, the hash would not match whatever’s advertised on the website. This is only applicable when you read the script before piping it to sh. If you pipe scripts without reading, it’s a lost case and there’s no way to stop anybody.
Is there any threat model where curl-hashpipe-sh is safer than straight curl-sh (with HTTPS and basic partial-content precautions)?
It makes sense when your browser’s connection to the package website is trustworthy but the connection you’re curling from isn’t trustworthy.
Which, like, when does that happen? I put my browsers on jank WiFi more often than my servers, and if I can’t trust my server’s upstream why do I trust the install image or RAM?
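The mechanism the comments above are arguing about, written out as an added example (this is not code from the curlsh repository or from any participant in the thread): the script is downloaded to a file first, its SHA-256 is compared against the digest read off the project's web page over a separate, trusted browser connection, and only on a match is it handed to sh. Because the whole file is hashed before anything runs, a truncated (partial-content) download fails the same way a tampered one does. The function names, the URL, and the pinned digest passed to fetch_verify_run are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: pin a script to the SHA-256 advertised out of band, and run it
# only after the downloaded copy matches. Not the curlsh project's code.
set -eu

# Portable SHA-256 hex digest (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive), 1 otherwise.
# A partial download or a substituted script changes the digest, so both fail here.
verify_script() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# fetch_verify_run URL EXPECTED_HEX
# Download to a temp file so the shell never executes a half-received stream,
# verify, then run. EXPECTED_HEX is the digest you read on the project's page
# in your browser (hypothetical values in the usage line below).
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    if verify_script "$tmp" "$expected"; then
        sh "$tmp"
    else
        echo "refusing to run $url: got $(sha256_of "$tmp"), expected $expected" >&2
        return 1
    fi
}

# Usage (hypothetical URL and digest):
# fetch_verify_run https://example.invalid/install.sh \
#     e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
```

The check is only as good as the channel the digest came from; if the same connection serves both the script and the hash, an attacker who controls that connection rewrites both, which is the point raised in the thread.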
I started writing something similar a while ago but never finished it: https://github.com/zimbatm/curlsh
The tricky bit is that because curl and bash are available almost everywhere, they are being used for bootstrapping. So that tool would also have to be distributed widely.
It would be nice if shell scripts could be signed as PowerShell scripts are.
That just validates who authored the script, not that it is secure.
What do you have that validates the programs on your machine are secure?