Commit ee3541a

committed
update the readme
1 parent 9a9d207 commit ee3541a

1 file changed

+39
-10
lines changed

README.md

Lines changed: 39 additions & 10 deletions
@@ -27,6 +27,13 @@ improve your life)
2727
$ pipethis --no-verify --inspect https://get.rvm.io
2828
```
2929

30+
or even
31+
32+
```
33+
$ curl -sSL https://get.rvm.io | pipethis --no-verify | bash
34+
```
35+
36+
3037
## Install
3138

3239
```
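Review bot: the pipe example added at README lines 32-34 is shown only with `--no-verify`, and the OPTIONS text added later in this commit says `--inspect` is ignored when the script comes from `stdin`, so the one piped invocation the README demonstrates hands the script to `bash` with the editor step unavailable and, going by the flag's name, verification turned off. Suggest showing the verifying form first (the same pipe without `--no-verify`, with a pointer to the local-keyring requirement) and, if the `--no-verify` variant stays, saying what it skips. Minor: lines 35-36 add two blank lines before `## Install` where one would do.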
@@ -59,9 +66,13 @@ OPTIONS
5966
local
6067
Use your local GnuPG public keyring
6168
69+
If you're piping a script from `stdin`, the service will be forced to
70+
`local`.
71+
6272
--inspect
6373
64-
If set, open the script in an editor before checking the author.
74+
If set, open the script in an editor before checking the author. Ignored if
75+
you're piping a script from `stdin`.
6576
6677
--editor <editor>
6778
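Review bot: the stdin behaviour added at lines 69-70 and 74-75 describes two silent overrides (the service is "forced to `local`" and `--inspect` is "Ignored") without saying what the user sees when they explicitly asked for something else. Suggest stating whether `pipethis` prints a warning or exits when a non-local service or `--inspect` is combined with piped input, since a user who relies on `--inspect` to read the script first gets no indication that the step was dropped. The forced-`local` sentence also sits under the `local` value rather than in the option's own description, where someone reading about the other services will miss it.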
@@ -75,11 +86,20 @@ OPTIONS
7586
7687
--signature <signature file>
7788
78-
The detached signature to verify <script> against. You'll only need this if
79-
you've already downloaded the detached signature, or it's hosted in a
80-
non-standard location (i.e. it's not <script>.sig).
89+
The detached signature to verify <script> against. You'll only need this in
90+
a couple scenarios:
91+
92+
- You've already downloaded the detached signature and you want to use your
93+
downloaded copy, or
94+
- the signature is hosted in a non-standard location (i.e. it's not
95+
<script>.sig), or
96+
- you're piping a script with a detached signature from `stdin`.
8197
```
8298

99+
If you're piping scripts into `pipethis` directly from `curl`, you'll need
100+
to have the script authors' PGP keys already stored in your local keyring.
101+
Don't worry, they'll have instructions!
102+
83103
### People writing the installers
84104

85105
You can add one line to your installer script to make it support `pipethis`,
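Review bot: the third bullet (line 96) says `--signature` is needed when piping a detached-signed script from `stdin`, but nothing in the added text says what to pass or what happens if it is left out. Suggest adding a one-line piped example that uses `--signature` and stating whether the argument is a local path, a URL, or either. Also, "a couple scenarios" (line 90) now introduces three bullets, and "Don't worry, they'll have instructions!" (line 101) leaves the reader without the key import command; suggest stating it here or making it an explicit step in the installer-author list that follows.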
@@ -99,7 +119,7 @@ but there's other stuff to do as well:
99119
# // ; '' PIPETHIS_AUTHOR your_name_or_your_key_fingerprint
100120
```
101121
102-
3. Create a detached signature for the script. With Keybase, that's:
122+
3. Create a signature for the script. With Keybase, that's:
103123
104124
```
105125
$ keybase pgp sign -i yourscript.sh -d -o yourscript.sh.sig
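Review bot: step 3 (line 122) now reads "Create a signature", but the command directly beneath it in the context lines still passes `-d` and writes `yourscript.sh.sig`, which is a detached signature. Suggest keeping "detached" in this step and introducing the clearsign route as its own labelled alternative, so the step text matches the commands shown under it.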
@@ -111,9 +131,20 @@ but there's other stuff to do as well:
111131
$ gpg --detach-sign -a -o yourscript.sh.sig yourscript.sh
112132
```
113133
114-
Both those commands create ASCII-armored signatures. Binary signatures work
115-
too.
116-
4. Pop both the script and the signature up on your web server.
134+
Both those commands create ASCII-armored signatures. Binary signatures work
135+
too.
136+
137+
Alternatively, you can clearsign the script with an attached signature::
138+
139+
```
140+
$ keybase pgp sign -i yourscript.unsigned.sh -c -o yourscript.sh
141+
```
142+
143+
```
144+
$ gpg --clearsign -a -o yourscript.sh yourscript.unsigned.sh
145+
```
146+
147+
4. Pop the script (and the signature, if it's detached) up on your web server.
117148
5. Replace your copy-paste-able installation instructions!
118149
119150
## What's all this noise
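Review bot: the clearsign commands (lines 140 and 144) write the signed output to `yourscript.sh`, the same filename the detached-signature steps use for the plain script, but a clearsigned file begins with a `-----BEGIN PGP SIGNED MESSAGE-----` header and ends with the signature block, so it is no longer something a plain `curl ... | bash` will run correctly. Suggest saying so here and either recommending a distinct name for the clearsigned copy or stating that it must be consumed through `pipethis`. Minor: line 137 ends in `::`, and `-a` is redundant with `gpg --clearsign`, whose output is already ASCII.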
@@ -225,8 +256,6 @@ that you almost pwned yourself.
225256

226257
`pipethis` works, but it can be better!
227258

228-
- If there were a non-interactive version, it could be inserted into a pipe
229-
chain like `curl -Ss http://pwn.me/please | pipethis | bash`. That'd be cool.
230259
- There are zillions of other places to get public keys for people, and I want
231260
to support more of them. I think Keybase is stellar and I love what they're
232261
trying to do, but nobody likes to be locked in to one provider.
