I noticed that install-coreos.sh downloads ct (and coreos-install) from GitHub, explicitly disables certificate validation, and runs it as root. Certificate validation being disabled is questionable at best, but regardless, the GPG signature (which CoreOS publishes) of the ct binary should be validated, or the hash of the binary should be included in the script and validated against (easier to implement, but slightly harder to change the ct version). coreos-install.sh also downloads a shell script from GitHub, with certificate validation enabled this time, but still does not validate it against anything.
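
The pinned-hash option described in the report, sketched as an added example; it is not code from install-coreos.sh or from the project. The helper names `sha256_of`, `install_verified` and `selftest`, and the three-byte sample file standing in for the downloaded binary, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from install-coreos.sh): pin a SHA-256 in the script and
# refuse to install or run a download that does not match it.

# Print the lowercase hex SHA-256 of FILE with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    fi   # neither tool: prints nothing, so the comparison below fails closed
}

# install_verified SRC EXPECTED_SHA256 DEST   (hypothetical helper)
# Moves SRC to DEST as an executable only when its digest matches the pin.
install_verified() {
    src=$1; expected=$2; dest=$3
    # A malformed pin is a script bug; never treat it as "no check needed".
    case $expected in
        *[!0-9a-f]*) echo "invalid pinned digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "invalid pinned digest" >&2; return 2; }
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $src (got '${actual}')" >&2
        rm -f -- "$src"          # do not leave the untrusted file around
        return 1
    fi
    # The file becomes executable only after the check has passed.
    chmod 0755 "$src" && mv -f -- "$src" "$dest"
}

# Constructed sample: the 3-byte file "abc" stands in for the downloaded binary
# and is pinned to its SHA-256. Returns 0 only if the intact file is accepted
# and a modified one is rejected.
selftest() {
    dir=$(mktemp -d) || return 2
    pin=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    printf 'abc' > "$dir/ct.download"
    install_verified "$dir/ct.download" "$pin" "$dir/ct" || { rm -rf "$dir"; return 1; }
    printf 'abc tampered' > "$dir/ct.download"
    if install_verified "$dir/ct.download" "$pin" "$dir/ct" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
}
```

In an installer, the download would write to a temporary file and `install_verified` would be the only path by which that file reaches its final location; changing the ct version then means updating the pinned digest in the same commit.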