deprecate installer script by joemiller · Pull Request #182 · autotag-dev/autotag

joemiller · 2026-05-14T14:38:05Z

The install script used by the curl -sL https://git.io/autotag-install | sh instructions was generated by godownloader years ago and does provide a way to verify against a checksum provided as input. While it does verify checksums downloaded from github releases, this is not sufficient in the current era of increasing supply chain attacks. An attacker could compromise the github repo and replace any release binary along with checksums.

Recommend users manually (or using automation) retrieve version + checksum and hardcode both in their CI pipelines.

threeiem · 2026-05-14T15:28:13Z

Should we consider something like sigstore to keep the signatures safe from compromised maintainers as well.

threeiem

I'm plus one for alerting users in light of recent supply chain attacks. My nits and suggestions don't stop this from being merged though.

The install script used by the `curl -sL https://git.io/autotag-install | sh` instructions was generated by godownloader years ago and does provide a way to verify against a checksum provided as input. While it does verify checksums downloaded from github releases, this is not sufficient in the current era of increasing supply chain attacks. An attacker could compromise the github repo and replace any release binary along with checksums. Recommend users manually (or using automation) retrieve version + checksum and hardcode both in their CI pipelines.

joemiller · 2026-05-14T16:13:33Z

Should we consider something like sigstore to keep the signatures safe from compromised maintainers as well.

good idea. There is also this, GA'd late 2025, I was not aware of it - https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases

winmillwill

👍 to moving on from godownloader, other benefits are gravy

threeiem · 2026-05-15T00:38:47Z

Should we consider something like sigstore to keep the signatures safe from compromised maintainers as well.

good idea. There is also this, GA'd late 2025, I was not aware of it - https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases

Seems like releases should have been immutable from the beginning. It is crazy to think you can release code and then rerelease different code as the same release. 😵

joemiller requested a review from a team as a code owner May 14, 2026 14:38

threeiem approved these changes May 14, 2026

View reviewed changes

Comment thread README.md Outdated

joemiller force-pushed the joem/deprecate-install-script branch from 229b84e to e8a87f3 Compare May 14, 2026 15:52

winmillwill approved these changes May 14, 2026

View reviewed changes

joemiller merged commit d0176cb into main May 14, 2026
8 checks passed

joemiller deleted the joem/deprecate-install-script branch May 14, 2026 17:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deprecate installer script#182

deprecate installer script#182
joemiller merged 1 commit into
mainfrom
joem/deprecate-install-script

joemiller commented May 14, 2026

Uh oh!

threeiem commented May 14, 2026

Uh oh!

threeiem left a comment

Uh oh!

Uh oh!

joemiller commented May 14, 2026

Uh oh!

winmillwill left a comment

Uh oh!

Uh oh!

threeiem commented May 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

joemiller commented May 14, 2026

Uh oh!

threeiem commented May 14, 2026

Uh oh!

threeiem left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

joemiller commented May 14, 2026

Uh oh!

winmillwill left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

threeiem commented May 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants