Why
The gcloud SDK installer script is fetched over HTTPS with curl but without the -f flag, then executed immediately without any integrity check. HTTPS only protects the bytes in transit; it does not tell the script whether it received the intended installer. A server-side error page (which curl saves as an ordinary response body when -f is absent) or a tampered response served by the origin is therefore executed as shell code on the local machine.
Current state
tools/gcloud/install.bash line 9:
curl https://sdk.cloud.google.com > install.sh
Followed by execution on the next line. There is no -f flag (so HTTP error pages are saved and executed), no --proto '=https' --tlsv1.2 enforcement, and no SHA-256 or other checksum verification before the script runs. The installer is also fetched from the live sdk.cloud.google.com endpoint rather than a pinned release URL.
Ideal state
- The installer is downloaded with curl -fsSL --proto '=https' --tlsv1.2 (fail on HTTP errors, silent but still report errors, follow redirects, refuse non-HTTPS and pre-TLS-1.2 connections) to a temporary file, never to the working directory.
- Its SHA-256 checksum is verified against the value published in Google Cloud's official installation documentation before any execution. The expected hash is committed in the repository next to the script; fetching it at run time from the same endpoint as the installer would verify nothing.
- Only if the checksum matches is the script executed; a mismatch aborts with a non-zero exit and a message that prints the expected and actual hashes.
- The temporary file is deleted after execution (and on abort) via a trap.
Out of scope
- Auditing what the gcloud installer does once executed.
- Changes to tools/gcloud/update.bash or shell configuration files.
Starting points
- tools/gcloud/install.bash line 9 — the curl > install.sh line to replace with a safe download-and-verify pattern
- Google Cloud SDK installation docs — the canonical source for the expected SHA-256 hash
QA plan
- Modify the script to download to /tmp/gcloud-install.sh and print its SHA-256 before any execution (a fixed, predictable path is acceptable for this manual check; the shipped script should create its temp file with mktemp).
- Compare the printed hash against the value published by Google.
- Introduce a deliberate one-byte modification to the downloaded file and confirm the checksum check fails and the script is not executed.
- On a clean run (unmodified file, correct hash), confirm gcloud installs successfully.
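A hardened version of tools/gcloud/install.bash that implements the Ideal state above, together with the QA plan's one-byte tamper check as a function that runs offline. This is an added example, not the repository's current script or Google's code: the installer URL is the one quoted under Current state; EXPECTED_SHA256 is a placeholder that must be replaced with the hash Google publishes (GCLOUD_INSTALLER_SHA256 is an assumed override variable for the example); the function names, the `install` argument gate and the constructed stand-in installer used by the QA check are my own.

```shell
#!/bin/sh
# Added example: hardened download-and-verify replacement for
# tools/gcloud/install.bash. Not the repository's own code.
set -eu

INSTALLER_URL="https://sdk.cloud.google.com"   # the URL the current script fetches
# Placeholder: replace with the SHA-256 Google publishes for the installer and
# commit it here. GCLOUD_INSTALLER_SHA256 is an assumed override name for the example.
EXPECTED_SHA256="${GCLOUD_INSTALLER_SHA256:-REPLACE_WITH_PUBLISHED_SHA256}"

# sha256_of FILE: hex digest on stdout; sha256sum (Linux) or shasum (macOS).
# If the hash tool fails the result is empty, so the comparison fails closed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# download_installer URL DEST: -f turns HTTP errors into a curl failure instead
# of a saved error page; --proto '=https' and --tlsv1.2 refuse protocol
# downgrades, including across -L redirects; -sS is quiet but still reports errors.
download_installer() {
  curl -fsSL --proto '=https' --tlsv1.2 "$1" -o "$2"
}

# verify_sha256 FILE EXPECTED: 0 on match; 1 with an explanation on mismatch.
verify_sha256() {
  actual="$(sha256_of "$1")"
  if [ "$actual" != "$2" ]; then
    echo "ERROR: checksum mismatch for $1; refusing to execute" >&2
    echo "  expected: $2" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
}

# run_verified FILE EXPECTED: execute FILE only after its hash matches.
run_verified() {
  verify_sha256 "$1" "$2" || return 1
  bash "$1"
}

# install_gcloud: temp file, checksum gate, cleanup via trap. With set -e a
# mismatch becomes a non-zero exit of the whole script.
install_gcloud() {
  tmp="$(mktemp "${TMPDIR:-/tmp}/gcloud-install.XXXXXX")"
  trap "rm -f -- '$tmp'" EXIT      # path expanded now, so the trap outlives the function
  download_installer "$INSTALLER_URL" "$tmp"
  run_verified "$tmp" "$EXPECTED_SHA256"
}

# qa_tamper_check: the QA plan's one-byte-modification test, run offline against
# a constructed stand-in installer that leaves a marker file if it ever executes.
# Returns 0 when the intact file runs and the tampered copy is refused unexecuted.
qa_tamper_check() {
  work="$(mktemp -d "${TMPDIR:-/tmp}/gcloud-qa.XXXXXX")"
  printf '#!/bin/sh\ntouch "%s/ran"\n' "$work" > "$work/installer.sh"   # constructed stand-in
  good="$(sha256_of "$work/installer.sh")"
  run_verified "$work/installer.sh" "$good" || { rm -rf "$work"; return 1; }
  [ -f "$work/ran" ] || { rm -rf "$work"; return 1; }
  rm -f "$work/ran"
  printf 'X' >> "$work/installer.sh"                # the deliberate one-byte change
  if run_verified "$work/installer.sh" "$good" 2>/dev/null; then
    rm -rf "$work"; return 1                        # tampered file was accepted
  fi
  [ ! -f "$work/ran" ] || { rm -rf "$work"; return 1; }   # and it never ran
  rm -rf "$work"
}

# Gate on an explicit argument so that sourcing, or running without arguments,
# only defines the functions (this is what lets the QA check run offline).
if [ "${1:-}" = "install" ]; then
  install_gcloud
fi
```

Run `bash tools/gcloud/install.bash install` to perform the real installation, or source the file and call `qa_tamper_check` to exercise the checksum gate without touching the network. The trap is armed before the download so an aborted run leaves no partial installer behind, and the expected hash is compared as a whole string rather than parsed out of a `sha256sum -c` report, which keeps the failure path independent of tool locale and output format.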
Done when
tools/gcloud/install.bash downloads the installer to a temp file, verifies its SHA-256 against a published value, and executes it only on a successful match — the script is never piped or redirected directly from curl to the shell.