Aral Balkan


The magic one-line ImageMagick 7 AppImage installer

To install ImageMagick 7 on any distribution that supports AppImage, copy and paste this one-line script into your favourite shell:

bash -lic "wget -O /tmp/magick && chmod +x /tmp/magick && test \$(wget -qO- | grep 'rdf:about=\"magick\".*' -A6 | sed -rn 's/.*<digest:sha256>(.*?)<\/digest:sha256>/\1/p') = \$(sha256sum /tmp/magick | sed -r 's/(.*)\s(.*)/\1/') && (sudo mv /tmp/magick /usr/local/bin/ && echo 'ImageMagick 7 successfully installed.') || (rm /tmp/magick && echo 'Installation failed. Security error: message digest verification failed for ImageMagick 7 AppImage binary.')"

What it does

  1. Runs itself in bash, regardless of which interactive shell it’s being run from.

  2. Downloads the ImageMagick 7 AppImage binary.

  3. Sets the binary’s executable bit.

  4. Downloads the ImageMagick 7 message digests RDF with the SHA-256 hash of the binary.

  5. “Parses” the fucking RDF[1] using regular expressions to extract the SHA-256 hash.

  6. Uses the sha256sum command to calculate the SHA-256 hash of the downloaded binary.

  7. Compares the two hashes. If they match, it installs the binary by moving it to the /usr/local/bin folder. If they don’t match, it removes the downloaded binary. Either way, the script lets you know which action was taken.
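Steps 4 to 7 above, written out as functions in an added example (not the author's script). The RDF layout is assumed from the patterns in the one-liner, the sample file and digest entry are constructed, and the function names are hypothetical. It also rejects an extracted value that is not 64 hex characters and reports a failed install separately from a failed digest check.

```shell
# Added example, not the author's script. The RDF layout is assumed from the
# one-liner's patterns (rdf:about="<name>" followed by <digest:sha256>).

# Print the SHA-256 listed for entry $2 in RDF file $1, or fail.
rdf_sha256() {
  digest=$(grep -F -A6 "rdf:about=\"$2\"" "$1" |
    sed -En 's/.*<digest:sha256>([^<]*)<\/digest:sha256>.*/\1/p' | head -n 1)
  # Fail closed unless the value is exactly 64 hex characters.
  [ "${#digest}" -eq 64 ] || return 1
  case $digest in *[!0-9a-fA-F]*) return 1 ;; esac
  printf '%s\n' "$digest" | tr 'A-F' 'a-f'
}

# Status: 0 match, 1 mismatch, 2 no usable digest, 3 file could not be hashed.
verify_download() {
  expected=$(rdf_sha256 "$2" "$3") || return 2
  actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
  [ -n "$actual" ] || return 3
  [ "$expected" = "$actual" ] || return 1
}

# Move $1 into directory $4 only if it verifies; otherwise delete it.
install_verified() {
  if verify_download "$1" "$2" "$3"; then
    chmod +x "$1" && mv "$1" "$4/" && return 0
    echo "Digest verified, but installing to $4 failed." >&2
    return 4
  else
    rc=$?
    rm -f "$1"
    echo "Digest check failed (status $rc); removed $1." >&2
    return "$rc"
  fi
}

# Constructed sample: a stand-in "binary" plus an RDF entry with its digest.
make_sample() {
  printf 'constructed payload\n' > "$1/magick"
  sum=$(sha256sum "$1/magick" | cut -d' ' -f1)
  printf '%s\n' '<rdf:Description rdf:about="magick">' \
    '  <digest:size>20</digest:size>' \
    "  <digest:sha256>$sum</digest:sha256>" \
    '</rdf:Description>' > "$1/digest.rdf"
}

# Demo run on the constructed sample, entirely inside a temporary directory.
demo_dir=$(mktemp -d) && make_sample "$demo_dir" && mkdir "$demo_dir/bin" &&
  install_verified "$demo_dir/magick" "$demo_dir/digest.rdf" magick "$demo_dir/bin" &&
  echo "Verified and installed into $demo_dir/bin"
```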

Why it exists

Because a lot of folks don’t actually verify the hashes of the apps they download to their machines, and that’s because doing so is an overly convoluted, manual process. If we can automate it with a script, we can guarantee that everyone will be verifying their downloads.

This is not an issue when using app catalogues like the elementary OS AppCenter, but it is an important security hole for app binaries you download from the web.

If you have thoughts or suggestions on how to improve the script, please feel free to share them on this gist.

More image magic

See the post I wrote yesterday titled How to apply a chroma key using ImageMagick, which led me to create this script.


  1. The only reason I can think of for using an RDF for this purpose is to make sure that as few people as possible actually verify the signature. It means, among other things, that tools like xmllint fail. Please, folks, instead of intellectual purity and complexity maximalism, use the simplest thing that can possibly work. People downstream of you will thank you for it.

    What does that mean in practice? Consider having a single file for each hash that just contains the hash. That would be easiest to consume. If you must have a single file for all hashes, consider using JSON. If you can’t do without a certain quota of angular brackets in your life, use XML. RDF? Fucking really? smh ↩︎