Install.sh doesn't work when adding -k to curl command due to self-signed cert

[thommelutten]

What happend
Running curl -k -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin when having a self-signed certificate results in the following error

[error] received HTTP status=000 for url='https://github.com/anchore/syft/releases/latest'
[error] unable to find tag=''
[error] do not specify a version or select a valid version from https://github.com/anchore/syft/releases

What you expected to happen:
Syft would be downloaded and installed.

Anything else we need to know?:
The error is due to the self-signed certificate, and while I don't want to advocate for a --insecure flag, the error could be more transparent.

[Natediesel7]

Same error here. How to address?

[spiffcs]

👋 Thanks for filing the issue @thommelutten! -

@Natediesel7 - if you're downloading via a proxy or some other configuration you might need to modify this line in the install.sh:
https://github.com/anchore/syft/blob/main/install.sh#L207

Adding -k there should fix things up for you

There's also the option of downloading the asset directly from the release page:
https://github.com/anchore/syft/releases

We'll take a look at trying to make the error more transparent or give a workaround for those who need to bypass SSL verification.

[djbazuka01]

Was this problem ever resolved as I am facing the same issue and don't know how to resolve ?. I cloned the repository and made changes to Install.sh @spiffcs but it still gives me the same error so I am not sure how to proceed with this ?.

[tgerla]

Hi @djbazuka01, sorry for the delay replying, are you still having issues here? Can you share a full capture of the command line you're running, and the output? Thanks.

[JohnCalin]

👋 Thanks for filing the issue @thommelutten! -

@Natediesel7 - if you're downloading via a proxy or some other configuration you might need to modify this line in the install.sh: https://github.com/anchore/syft/blob/main/install.sh#L207

Adding -k there should fix things up for you

There's also the option of downloading the asset directly from the release page: https://github.com/anchore/syft/releases

We'll take a look at trying to make the error more transparent or give a workaround for those who need to bypass SSL verification.

The install script always re-downloads itself (to be sure to run the correct installer based on which version is being installed).
If you do make manual changes (for example, adding -k to your curl commands) run it with

DOWNLOAD_TAG_INSTALL_SCRIPT=false ./install.sh

to prevent re-download.

[willmurphyscode]

Is this still an issue for anyone? If so, can you help me understand why you would want to pass -k to an install script? The install script works with GitHub specifically, and so should never trust a self-signed cert.

[thommelutten]

@willmurphyscode It is no longer relevant for me, so it can be closed from my perspective.