The installation instructions now recommend using:
curl -fsSL https://install.julialang.org | sh
There is a section in the docs that talks about download verifications which can be used like
curl https://julialang.org/assets/juliareleases.asc
gpg --import juliareleases.asc
curl https://julialang-s3.julialang.org/bin/linux/x64/1.10/julia-1.10.1-linux-x86_64.tar.gz
curl https://julialang-s3.julialang.org/bin/linux/x64/1.10/julia-1.10.1-linux-x86_64.tar.gz.asc
gpg --verify julia-1.10.1-linux-x86_64.tar.gz.asc julia-1.10.1-linux-x86_64.tar.gz
gpg: Signature made Wed 14 Feb 2024 18:54:40 GMT
gpg: using RSA key 3673DF529D9049477F76B37566E3C7DC03D6E495
gpg: Good signature from "Julia (Binary signing key) <buildbot@julialang.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3673 DF52 9D90 4947 7F76 B375 66E3 C7DC 03D6 E495
However, I’m not sure how to verify the install.sh script that does the installation of juliaup?
Should there be a .asc file that can be used to verify https://install.julialang.org?
It seems unsafe to download a script from the internet and run it immediately without checking it somehow.
I’m trying to automate the process, so for now, I have downloaded the install script and read through it before calculating its checksum sha512sum, which I can use later for my automation.
I guess it would be nice to have a GPG signature for the shell script.
But is it any worse to trust the shell script downloaded over https, compared to trusting the GPG key downloaded in the same way? In both cases you can download it once in a trusted environment, then use it in different places. (I’m not sure how frequently the shell script gets updated… Maybe it’s a problem if you need to always have the latest version.)
It is possible to get julialang’s public key from other sources e.g. a keyserver
I can then
gpg --show-keys armored-keys.asc
pub rsa4096 2015-09-10 [SC]
3673DF529D9049477F76B37566E3C7DC03D6E495
uid Julia (Binary signing key) <buildbot@julialang.org>
sub rsa4096 2015-09-10 [E]
Note that the fingerprints match. I believe in the good 'ole days people would have key-swap parties but I am usually happy if I can verify a key from a second source (not the same website, which may have been compromised).
The practical solution, that you’ve suggested, is to rely on the install.sh script infrequently changing and so not to download it anew each time I want to “up” a new system, or perhaps manually verify once and use a checksum so that the installation errors if the install script is updated and then I know something has changed.
I just thought I’d missed something because julialang seem to have been so careful providing gpg keys and checksums, and then suggest running a script with NO checks at all; something didn’t compute.
If it’s of interest, this is what I’m currently using
---
- name: Check if .julia directory exists before installation
ansible.builtin.stat:
path: "{{ ansible_user_dir }}/.julia"
register: julia_dir_before_installation
changed_when: false
- name: Download juliaup installation script
ansible.builtin.get_url:
url: "{{ julia_up_url }}"
dest: /tmp/juliaup.install.sh
mode: "0755"
checksum: sha512:fe174e112a8a7405802e2c6ad0bedaaf1576a3fe1863fc8e1d60acb36fc0020a6ea06abbe361c09958242afc866f929891520c5a6787fe97d9d15e84c656ea32
when: not julia_dir_before_installation.stat.exists
- name: Run juliaup installation script
ansible.builtin.command: /tmp/juliaup.install.sh -y
register: result
when: not julia_dir_before_installation.stat.exists
changed_when: "'already installed' not in result.stdout"