The magic one-line ImageMagick 7 AppImage installer
To install ImageMagick 7 on any distribution that supports AppImage, copy and paste this one-line script into your favourite shell:
bash -lic "wget -O /tmp/magick https://download.imagemagick.org/ImageMagick/download/binaries/magick && chmod +x /tmp/magick && test \$(wget -qO- https://download.imagemagick.org/ImageMagick/download/binaries/digest.rdf | grep 'rdf:about=\"magick\".*' -A6 | sed -rn 's/.*<digest:sha256>(.*?)<\/digest:sha256>/\1/p') = \$(sha256sum /tmp/magick | sed -r 's/(.*)\s(.*)/\1/') && (sudo mv /tmp/magick /usr/local/bin/ && echo 'ImageMagick 7 successfully installed.') || (rm /tmp/magick && echo 'Installation failed. Security error: message digest verification failed for ImageMagick 7 AppImage binary.')"
What it does
Runs itself in bash, regardless of what interactive shell it’s being run on.
Downloads the ImageMagick 7 AppImage binary.
Sets the binary’s executable bit.
Downloads the ImageMagick 7 message digests RDF with the SHA-256 hash of the binary.
“Parses” the fucking RDF[1] using regular expressions to extract the SHA-256 hash.
Uses the sha256sum command to calculate the SHA-256 hash of the downloaded binary.
Compares the two hashes. If they match, it installs the binary by moving it to the /usr/local/bin folder. If they don’t match, it removes the downloaded binary. Either way, the script lets you know which action was taken.
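The verification steps above, written as small POSIX shell functions that fail closed when the digest is missing or malformed (an added example, not the post's own script). The sample digest file is constructed in the shape the one-liner's regular expressions expect; the function names and every element name other than rdf:about and digest:sha256 are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script: the same check, written to fail closed.

# Print the SHA-256 recorded for entry $2 in digest file $1.
# Non-zero exit unless a well-formed value (64 hex digits) is found for that entry.
expected_sha256() {
  found=$(awk -v key="rdf:about=\"$2\"" '
    index($0, key) { inside = 1 }
    inside && match($0, /<digest:sha256>[^<]*</) {
      print substr($0, RSTART + 15, RLENGTH - 16); exit
    }
    inside && /rdf:about=/ && !index($0, key) { exit }  # ran into the next entry
  ' "$1" | tr 'A-F' 'a-f')
  printf '%s\n' "$found" | grep -Eqx '[0-9a-f]{64}' || return 1
  printf '%s\n' "$found"
}

# 0 = file $1 matches the digest for entry $3 in $2, 1 = mismatch, 2 = no usable digest.
verify_download() {
  want=$(expected_sha256 "$2" "$3") || return 2
  have=$(sha256sum < "$1" | cut -d' ' -f1)
  [ "$want" = "$have" ]
}

# Constructed sample in the shape the one-liner's regexes expect (element names assumed).
write_sample_rdf() {  # $1 = output path, $2 = entry name, $3 = digest text
  cat > "$1" <<EOF
<rdf:RDF>
  <digest:Content rdf:about="$2">
    <dcterms:extent>6</dcterms:extent>
    <digest:sha256>$3</digest:sha256>
  </digest:Content>
</rdf:RDF>
EOF
}

# Offline demo on a constructed "binary"; no network and no install step.
demo() {
  dir=$(mktemp -d) && printf 'magick' > "$dir/magick" || return 1
  write_sample_rdf "$dir/digest.rdf" magick "$(sha256sum < "$dir/magick" | cut -d' ' -f1)"
  verify_download "$dir/magick" "$dir/digest.rdf" magick && ok=0 || ok=$?
  printf 'tampered' >> "$dir/magick"
  verify_download "$dir/magick" "$dir/digest.rdf" magick && bad=0 || bad=$?
  write_sample_rdf "$dir/digest.rdf" magick ""
  verify_download "$dir/magick" "$dir/digest.rdf" magick && empty=0 || empty=$?
  rm -rf "$dir"
  echo "match=$ok tampered=$bad empty-digest=$empty"
}
demo
```

In an installer built on these functions, only a return of 0 from verify_download would proceed to the sudo mv step; 1 and 2 both end with the downloaded file removed.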
Why it exists
Because a lot of folks don’t actually verify the hashes of apps that they download to their machines and that’s because doing so is an overly-convoluted and manual process. If we can automate it with a script, we can guarantee that everyone will be verifying their downloads.
This is not an issue when using app catalogues like the elementary OS AppCenter, but it is an important security hole for app binaries you download from the web.
If you have thoughts or suggestions on how to improve the script, please feel free to share them on this gist.
More image magic
See the post I wrote yesterday titled How to apply a chroma key using ImageMagick, which led me to create this script.
[1] The only reason I can think of for using an RDF for this purpose is to make sure that as few people as possible actually verify the signature. It means, among other things, that tools like xmllint fail. Please, folks, instead of intellectual purity and complexity maximalism, use the simplest thing that can possibly work. People downstream of you will thank you for it.
What does that mean in practice? Consider having a single file for each hash that just contains the hash. That would be easiest to consume. If you must have a single file for all hashes, consider using JSON. If you can’t do without a certain quota of angular brackets in your life, use XML. RDF? Fucking really? smh