ollama - 💡(How to fix) Fix [CRITICAL] Supply Chain: install.sh downloads binaries without cryptographic integrity verification


Severity: CRITICAL -- CVSS 9.3

Location: README.md (lines 13-15), scripts/install.sh (download_and_extract function)
Category: Supply Chain / Code Without Integrity Check
Confidence: Certain
CWE: CWE-494
MITRE ATT&CK: T1195.002

Description

The README instructs Linux/macOS users to run:

curl -fsSL https://ollama.com/install.sh | sh

The install.sh then downloads binary tarballs (ollama-linux-${ARCH}.tar.zst) from https://ollama.com/download and extracts them without any cryptographic hash or GPG signature verification.

The download_and_extract() function in install.sh does:

status "Downloading $(unknown).tar.zst"
curl --fail --show-error --location --progress-bar \
    "${url_base}/$(unknown).tar.zst${VER_PARAM}" | \
    zstd -d | $SUDO tar -xf - -C "${dest_dir}"

No checksum comparison, no GPG signature check, no integrity verification of any kind. If the download is compromised (CDN breach, DNS poisoning, MITM), the attacker's binary is installed with root privileges.

Impact

  • Attacker who compromises ollama.com CDN can serve malicious binaries to all Linux/macOS users installing or updating ollama
  • Backdoored binary runs as root (installed via sudo) -- full system compromise
  • Persists across auto-updates since each update fetches new unsigned binaries
  • Access to all locally stored models, user data, and GPU resources

Proof of Concept

# Attacker on local network (coffee shop, airport, office):
# 1. ARP spoof / DNS poison ollama.com to attacker's server
# 2. Serve malicious ollama-linux-amd64.tar.zst with backdoor
# 3. Victim runs: curl -fsSL https://ollama.com/install.sh | sh  
# 4. Malicious binary installed as root at /usr/local/bin/ollama

Remediation

  1. Add SHA256 checksums for all downloadable binaries to a signed manifest
  2. Sign checksums with a GPG key hosted separately from the CDN
  3. In install.sh, add verification before extraction:
    echo "EXPECTED_HASH  ollama-linux-amd64.tar.zst" | sha256sum -c || exit 1
  4. Consider cosign/sigstore for container image signing
  5. Note: Windows install.ps1 already does Authenticode signature verification -- this is the model to follow for Linux/macOS
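As an added example (not code from ollama's install.sh or from the issue), a verified version of the download step that applies items 1 to 3 of the remediation above, works on macOS where sha256sum is not installed, and treats a tarball that has no manifest entry as a failure rather than a pass. The manifest and signature file names (SHA256SUMS, SHA256SUMS.sig), the url_base and tarball parameters, and the temp-dir layout are assumptions.

```shell
#!/bin/sh
# Added example, not ollama's install.sh. Verifies a downloaded tarball against a
# GPG-signed SHA256SUMS manifest before anything is piped into tar. The file names
# (SHA256SUMS, SHA256SUMS.sig), url_base and tarball arguments are assumptions.
set -e

# sha256sum is a coreutils tool; stock macOS ships shasum instead, so fall back to it.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the digest recorded for a file name in a "<hash>  <name>" manifest
# (the same line format sha256sum -c reads). Prints nothing if the name is absent.
expected_sha256() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# Succeeds only when the manifest lists the file and the digests match exactly.
# A missing entry is a failure, not a pass: someone who can alter the tarball
# must not be able to bypass the check by also dropping its manifest line.
verify_tarball() {
    manifest=$1; file=$2
    expected=$(expected_sha256 "$manifest" "$(basename "$file")")
    [ -n "$expected" ] || { echo "no manifest entry for $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $file" >&2; return 1; }
}

# Hardened replacement for the curl | zstd | tar pipeline quoted in the issue:
# download to a temp dir, check the manifest signature, check the hash, then extract.
# The signing public key must already be in the keyring, obtained independently of
# the CDN that serves the binaries. Needs network access; the test below does not call it.
download_and_extract_verified() {
    url_base=$1; tarball=$2; dest_dir=$3
    tmp=$(mktemp -d)
    for f in "$tarball" SHA256SUMS SHA256SUMS.sig; do
        curl --fail --show-error --location --silent -o "$tmp/$f" "$url_base/$f"
    done
    gpg --verify "$tmp/SHA256SUMS.sig" "$tmp/SHA256SUMS"
    verify_tarball "$tmp/SHA256SUMS" "$tmp/$tarball"
    zstd -d < "$tmp/$tarball" | ${SUDO:-} tar -xf - -C "$dest_dir"
    rm -rf "$tmp"
}
```

Downloading to a file before extracting also means a truncated or failed transfer never reaches tar, which the original streaming pipeline cannot guarantee.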

What is Done Well

  • The main() wrapper prevents partial-download script execution
  • Windows installer has Authenticode signature verification

Found as part of a broader security audit of ollama/ollama.
