anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Install.sh doesn't work when adding `-k` to curl command due to self-signed cert #1739

Open thommelutten opened 1 year ago

thommelutten commented 1 year ago

What happened: Running `curl -k -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin` when having a self-signed certificate results in the following error:

[error] received HTTP status=000 for url='https://github.com/anchore/syft/releases/latest'
[error] unable to find tag=''
[error] do not specify a version or select a valid version from https://github.com/anchore/syft/releases

What you expected to happen: Syft would be downloaded and installed.

Anything else we need to know?: The error is due to the self-signed certificate, and while I don't want to advocate for a --insecure flag, the error could be more transparent.

Natediesel7 commented 1 year ago

Same error here. How to address?

spiffcs commented 1 year ago

👋 Thanks for filing the issue @thommelutten! -

@Natediesel7 - if you're downloading via a proxy or some other configuration you might need to modify this line in the install.sh: https://github.com/anchore/syft/blob/main/install.sh#L207

Adding -k there should fix things up for you

There's also the option of downloading the asset directly from the release page: https://github.com/anchore/syft/releases

We'll take a look at trying to make the error more transparent or give a workaround for those who need to bypass SSL verification.

djbazuka01 commented 7 months ago

Was this problem ever resolved, as I am facing the same issue and don't know how to resolve it? I cloned the repository and made changes to Install.sh @spiffcs but it still gives me the same error, so I am not sure how to proceed with this.

tgerla commented 6 months ago

Hi @djbazuka01, sorry for the delay replying, are you still having issues here? Can you share a full capture of the command line you're running, and the output? Thanks.

JohnCalin commented 6 months ago

> 👋 Thanks for filing the issue @thommelutten! -
>
> @Natediesel7 - if you're downloading via a proxy or some other configuration you might need to modify this line in the install.sh: https://github.com/anchore/syft/blob/main/install.sh#L207
>
> Adding -k there should fix things up for you
>
> There's also the option of downloading the asset directly from the release page: https://github.com/anchore/syft/releases
>
> We'll take a look at trying to make the error more transparent or give a workaround for those who need to bypass SSL verification.

The install script always re-downloads itself (to be sure to run the correct installer based on which version is being installed). If you do make manual changes (for example, adding -k to your curl commands) run it with

DOWNLOAD_TAG_INSTALL_SCRIPT=false ./install.sh

to prevent re-download.
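
curl's `%{http_code}` write-out prints 000 when no HTTP response arrived, which matches the `status=000` reported above, so the curl exit code is needed to tell a certificate failure from a network one. The sketch below is an added example, not part of syft's install.sh or of any commenter's post; `diagnose_url`, `CURL` and `CA_BUNDLE` are hypothetical names, and it trusts a private CA through curl's `--cacert` option rather than disabling verification with `-k`.

```shell
#!/bin/sh
# Added example, not part of syft's install.sh.
# CURL and CA_BUNDLE are hypothetical variables introduced for this sketch;
# -w '%{http_code}' and --cacert are standard curl options.
CURL="${CURL:-curl}"

# diagnose_url URL
# Prints "<verdict> http=<code> curl_exit=<rc>" and returns 0 only when an
# HTTP 2xx/3xx response was received.
diagnose_url() {
  url=$1
  rc=0
  # Trust a private CA (for example a TLS-inspecting proxy's root) instead of
  # switching certificate verification off with -k.
  if [ -n "${CA_BUNDLE:-}" ]; then
    code=$("$CURL" -s -o /dev/null -w '%{http_code}' \
      --cacert "$CA_BUNDLE" "$url" 2>/dev/null) || rc=$?
  else
    code=$("$CURL" -s -o /dev/null -w '%{http_code}' "$url" 2>/dev/null) || rc=$?
  fi
  # 000 means curl never got an HTTP response; its exit code says why.
  case "${code:-000}:$rc" in
    [23]??:0) verdict="ok" ;;
    000:60)   verdict="tls-cert-not-trusted" ;;   # CA not in the trust store
    000:77)   verdict="ca-bundle-unreadable" ;;   # bad --cacert path or file
    000:35)   verdict="tls-handshake-failed" ;;
    000:5|000:6|000:7|000:28) verdict="network-unreachable" ;;
    000:*)    verdict="no-http-response" ;;
    *)        verdict="http-error" ;;
  esac
  echo "$verdict http=${code:-000} curl_exit=$rc"
  [ "$verdict" = ok ]
}

# Runs only when a URL is passed on the command line.
if [ "$#" -gt 0 ]; then
  diagnose_url "$1"
fi
```

A `tls-cert-not-trusted` verdict points at the trust store, and setting `CA_BUNDLE` to the PEM file of the intercepting CA keeps verification on for the retry.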