Following: The most secure way to authorize the download and installation of an application on Mac, Windows or Linux, I wonder how one (like me) can create a new framework for secure hosting of packages. Ignoring the question of whether or not you should reinvent the wheel, I am mostly wondering as a learning exercise. In addition, I wonder how sites such as Docker, Homebrew, etc. could provide a more secure and robust way to download their application. Currently, Homebrew is:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Docker is a download from the website.
VMWare Fusion comes directly from the website. VSCode does too. That is, none of these applications (no application I'm currently using) comes from the Mac App Store. Sublime. Atom (Atom is at least on GitHub). Etc.
If I just wanted to provide a shell script to install the program, how can I secure it correctly?
Say the shell script downloads some other shell scripts, which then download either a .iso depending on the platform, however. What steps should be put in place to secure this? In other words, do not use any third-party package manager or publishing solution, do it all yourself. I would imagine that I would do it in the same way as the Linux Y project (see the answer to the question at the top).
- Create an MD5 hash of the source code.
- Publish this MD5 hash in a secure way (I do not see how you can prevent hackers who compromised your site from compromising this MD5 hash).
- Let the user loop the script, then less to see the content, etc. Then, to somehow recover the MD5 hash on a remote server, I have to compare it. How does the Linux Y project do that?
- Maybe submit some final statistics so that we know that the download went smoothly, I do not know.
I wonder if you can quickly / briefly describe the steps to follow to host such a download / install script so that it is optimally secure without using any third-party tools. This will help me better understand how it all works.
Basically, I wonder how these third-party package management solutions are considered secure. What exactly do they do that I could do too?
As a footnote, I would like to offer two methods of downloading. Either the curl method of the shell script, or download the package directly. But in both cases, I want to let them know that they must always inspect everything in case of violation. But I do not know what this inspection process really looks like, so I have a hard time understanding how to build a security / protection support system.
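
The download, inspect, compare and run steps listed in the question, as an added example that is not part of the original post: the script is saved to a file, its digest is compared with a pinned value, and it is executed only on a match. It uses SHA-256 in place of the MD5 the question mentions; the function names are hypothetical, a constructed local file stands in for the download, and the expected digest is assumed to reach the user over a channel separate from the download host.

```shell
#!/bin/sh
# Added example: verify an installer script against a pinned digest before
# running it, instead of piping the download straight into an interpreter.
# Assumption: the expected digest is published out of band (hypothetical).

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run the file only if its digest matches; return 1 and run nothing otherwise.
verify_then_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    sh "$file"
}

# Constructed demo: a local file stands in for the downloaded installer.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'echo "installing (constructed sample)"\n' > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")   # value the publisher would announce
    verify_then_run "$dir/install.sh" "$pinned" || { rm -rf "$dir"; return 1; }
    # Simulate the download host altering the script after the digest was pinned.
    printf 'echo "tampered"\n' >> "$dir/install.sh"
    if verify_then_run "$dir/install.sh" "$pinned" 2>/dev/null; then
        rm -rf "$dir"
        return 1                             # tampering went unnoticed
    fi
    rm -rf "$dir"
    return 0
}

demo && echo "demo ok"
```

The check is only as trustworthy as the channel that delivered the pinned digest: a digest served from the same host as the script is replaced along with it, which is the gap the second list item in the question points at.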