Verify a Self-Hosted Installer... Note

Verify a Self-Hosted Installer Before Running It as Root

Executing an installer directly as root merges artifact selection, integrity checking, and execution approval into a single risky step. Separating these decisions into distinct stages enhances reviewability, reproducibility, and recoverability. A concrete source-review boundary involves checking architecture and performing basic system checks before downloading. The reviewed template, however, disables certificate verification using curl -k and downloads an unversioned file without explicit checks for pinned versions, digests, or signatures. To improve this, a manifest containing immutable metadata like version, architecture, file name, SHA-256 hash, and rollback information should be published separately. This manifest, protected by a secure release process, can be validated using TLS or digital signatures.Verification should occur as an unprivileged staging step. A companion script can check the filename, exact size, digest, version, architecture, and rollback metadata against the manifest. This verification process should never execute the downloaded file. A production flow requires downloading the artifact, verifying it against the manifest, and then, after an explicit maintenance decision, executing it with elevated privileges. Certificate errors should be addressed by fixing trust store or deployment issues, not by bypassing verification with -k.Rollback should be a well-defined executable plan, including details about the prior artifact, its manifest, compatibility, service commands, health checks, reversible migrations, and cleanup procedures. Before production deployment, rollback should be rehearsed in a canary environment, complete with simulated failures. Privileged execution should only be permitted when TLS verification is successful, an immutable version is specified, a trusted manifest matches the downloaded file, signature verification passes if applicable, canary health checks are good, and rollback procedures are verified. This structured approach transforms a blind network-to-root operation into an inspectable and automatable process.