The illusion of sovereignty: Why curl | bash destroys your investment in cybersecurity
Your company just finished Series B. You have cash to spend. You have a great product with a Go stack that compiles to a single static binary.
Your engineering team spends 25% of their time securing that stack. You invest millions in infrastructure defense: Stateful firewalls, AI-augmented scanning, Red Teams, Blue Teams, and rigorous DevSecOps pipelines. You even partner with major cloud providers to ensure your supply chain is audited.
You are serious about security. You have built a fortress.
And then, to install your product, you tell enterprise customers to run this:
```sh
curl -fsSL https://my-really-cool-company.com/install.sh | sh
```
This single line undermines your entire security architecture.
Why is this so dangerous?
First, consider the distribution mechanism. Teams automate releases. They push to Git, CI runs tests, and the binary is pushed to an object store or CDN. The install.sh script is just a pointer to that location.
The problem is Mutability
When a sysadmin runs that command, they are piping an unverified, unsigned script directly into a shell, often as root.
If any point in that supply chain is compromised (your CDN is hijacked, your build server is breached as in the Codecov or SolarWinds attacks, or a rogue maintainer inserts a backdoor as in the recent XZ Utils / liblzma incident), your customer downloads the malware instantly.
There is no audit trail. There is no cryptographic signature verifying the author. There is just a script whose contents can change between the time you audit it and the time you run it.
The Trust Fallacy
We operate in good faith. You assume the vendor is secure. But supply chain security isn't about trusting the vendor; it's about verifying the artifact.
If you are selling to Government, Defense, or Finance, "trust" is not a strategy. Sovereignty is the strategy. These clients need:
- Immutability: A guarantee that the binary hasn't changed.
- Provenance: Cryptographic proof of origin (GPG).
- Sovereignty: The ability to mirror the software in an air-gapped environment without reaching out to the public internet during installation.
The Solution: Native Packaging
In the Enterprise Linux ecosystem (RHEL, CentOS, Fedora, etc.), we solved this decades ago.
- RPMs allow for offline installation.
- GPG signatures prove the package was signed with your release key, so clients can verify it came from you and was not altered in transit.
- Repositories allow clients to mirror and scan the software before it touches their production servers.
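The "verify the artifact" discipline described above, and the packaging model just listed, in working form: download to disk, check a digest pinned at audit time, check the signature (embedded for RPMs, detached for a bare binary) against a pinned release keyring, and only then install. This is an added example, not code from the original post; the URL, digest and keyring path are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): the "download, pin, verify, then run"
# pattern that replaces curl | sh. URL, digest and keyring path are placeholders.
set -eu

# Values the customer records when they audit a release, never fetched at install time.
ARTIFACT_URL="https://my-really-cool-company.com/releases/mytool-1.2.3-linux-amd64"  # placeholder
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"       # placeholder
RELEASE_KEYRING="/etc/pki/mytool/release.gpg"                                          # placeholder

sha256_of() {
  # Print the hex SHA-256 of file $1 (sha256sum on Linux, shasum on macOS).
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

verify_sha256() {
  # $1 = file, $2 = expected digest. Succeeds only on an exact (case-insensitive) match.
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

verify_signature() {
  # $1 = artifact. An RPM carries its signature inside the package (rpm --checksig);
  # a bare binary needs a detached .asc checked against the pinned release keyring only,
  # not the user's default keyring, so an unrelated imported key cannot satisfy the check.
  case "$1" in
    *.rpm) rpm --checksig "$1" ;;
    *)     gpg --no-default-keyring --keyring "$RELEASE_KEYRING" --verify "$1.asc" "$1" ;;
  esac
}

install_verified() {
  # Download to disk first: the bytes that were verified are the bytes that get installed.
  tmpdir=$(mktemp -d)
  artifact="$tmpdir/$(basename "$ARTIFACT_URL")"
  curl -fsSL -o "$artifact" "$ARTIFACT_URL"
  curl -fsSL -o "$artifact.asc" "$ARTIFACT_URL.asc"
  verify_sha256 "$artifact" "$EXPECTED_SHA256" || { echo "digest mismatch, refusing to install" >&2; return 1; }
  verify_signature "$artifact" || { echo "signature check failed, refusing to install" >&2; return 1; }
  install -m 0755 "$artifact" /usr/local/bin/mytool
}

# Only touch the network when explicitly requested, so the functions can be sourced and tested offline.
if [ "${RUN_INSTALL:-0}" = "1" ]; then install_verified; fi
```

For an air-gapped site the two curl calls become copies from an internal mirror, and the pinned digest and keyring are what make that mirror trustworthy.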
If you are asking enterprise clients to pipe shell scripts, you are asking them to surrender their sovereignty. It is time to treat your delivery mechanism with the same rigor as your source code.