Description
Problem
Several security practices could be improved to make the dotfiles installation more secure.
Specific Issues
1. Remote Script Execution Without Verification
Multiple scripts download and execute remote code without verification:
- homebrew/preinstall.sh:14 - Downloads and runs the Homebrew installer
- zsh/install.sh:2 - Downloads and runs the Oh My ZSH installer
Risk: If GitHub is compromised or DNS is hijacked, malicious code could be executed.
2. SSH Key Without Passphrase
ssh/install.sh:6 generates an SSH key with an empty passphrase (-N ""):
```bash
ssh-keygen -t ed25519 -C "$USER_EMAIL" -f "$SSH_KEY" -N ""
```
Risk: If the key file is compromised, an attacker has immediate access without needing to crack a passphrase.
3. GPG Key Setup is Fully Manual
No validation or security checks for GPG key import process in manual setup instructions.
4. No Checksum Verification
Downloaded scripts and packages aren't verified against known-good checksums.
5. Sensitive File Permissions
No verification that sensitive files (.env, SSH keys, GPG keys) have appropriate permissions.
Recommended Improvements
1. Add Script Verification (Medium Priority)
```bash
# Option A: Use official package managers where possible
brew install --cask something   # rather than curl | sh

# Option B: Verify checksums against a pinned value
EXPECTED_SHA="..."
ACTUAL_SHA=$(shasum -a 256 downloaded_script.sh | cut -d' ' -f1)
if [ "$EXPECTED_SHA" != "$ACTUAL_SHA" ]; then
  # fail: abort helper assumed to be defined by the install scripts
  fail "Checksum verification failed"
fi
```
2. Make SSH Passphrase Optional but Recommended (High Priority)
```bash
echo "Generate SSH key with passphrase? (Recommended for security)"
echo "Press Enter to use passphrase, or type 'n' for no passphrase"
read -r use_passphrase
if [ "$use_passphrase" = "n" ]; then
  ssh-keygen -t ed25519 -C "$USER_EMAIL" -f "$SSH_KEY" -N ""
else
  # Without -N, ssh-keygen prompts interactively for the passphrase
  ssh-keygen -t ed25519 -C "$USER_EMAIL" -f "$SSH_KEY"
fi
```
3. Add Sensitive File Permission Checks (Medium Priority)
```bash
# After creating sensitive files
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
chmod 600 ~/.env

# Verify (BSD stat syntax as on macOS; GNU stat would use -c '%a')
if [ "$(stat -f '%A' ~/.ssh/id_ed25519)" != "600" ]; then
  fail "SSH key has incorrect permissions"
fi
```
4. GPG Key Validation (Low Priority)
Add a helper script to validate the GPG key import:
- Verify key is imported
- Check key expiration
- Confirm signing works
5. Security Audit Checklist (Low Priority)
Document security considerations in README:
- Review Brewfile before running
- Inspect install scripts
- Use passphrases for keys
- Regular key rotation
- Review macOS permissions granted
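As an added example (not code from the dotfiles repo), the checksum verification from improvement 1 and the permission check from improvement 3 combined into reusable helpers that work on both macOS (shasum, BSD stat) and Linux (sha256sum, GNU stat). The function names are hypothetical, and the pinned digest and expected mode are assumed to be supplied by the calling install script.

```shell
# Added example, not part of the dotfiles repo. Helpers for pinned-checksum
# verification and permission checks; function names are hypothetical and the
# digest/mode values come from the caller (e.g. pinned in the install script).
set -u

# SHA-256 of a file: shasum on macOS, sha256sum on most Linux hosts.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeeds only when the file's digest equals the pinned value.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Octal mode of a file: GNU stat understands --version, BSD stat does not.
mode_of() {
  if stat --version >/dev/null 2>&1; then
    stat -c '%a' "$1"
  else
    stat -f '%A' "$1"
  fi
}

# Succeeds only when a sensitive file has exactly the expected mode.
check_mode() {
  [ "$(mode_of "$1")" = "$2" ]
}

# Download to a temp file, verify the pinned digest, and run the script
# only on a match; on a mismatch nothing is executed.
fetch_verified() {
  url=$1; expected=$2
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "Checksum mismatch for $url" >&2
    rm -f "$tmp"; return 1
  fi
  sh "$tmp"; rc=$?
  rm -f "$tmp"; return "$rc"
}
```

Usage in an install script would be `fetch_verified "$URL" "$PINNED_SHA"` followed by `check_mode ~/.ssh/id_ed25519 600 || fail "..."`.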
Implementation Priority
High:
- SSH passphrase prompt (immediate security win)
Medium:
- Permission checks on sensitive files
- Checksum verification for critical downloads
Low:
- GPG validation helpers
- Security documentation
Success Criteria
- SSH keys use passphrases by default
- Sensitive files have correct permissions
- Users are aware of security implications
- Optional verification for downloaded scripts
Priority
LOW-MEDIUM - Important for security-conscious users but not immediately critical