Is there a repository of CNUT distribution checksums that one can use to verify that the downloaded file is legitimate and hasn’t been corrupted (intentionally or otherwise)? I’m really wary of running any software as root. This is especially true when there seems to be no verifiable signature or checksum.
This isn’t exactly the answer that you are looking for, but I can tell you that an implementation detail of the download site means that the URL of the file contains its SHA1 checksum. So for example, the 4.13.3 CNUT linux installer at https://support.cambiumnetworks.com/file/9d3b800334bea91847bb19243a84223c12d975c2 has SHA1 sum 9d3b800334bea91847bb19243a84223c12d975c2.
Yeah, that doesn’t exactly alleviate the trust issue. It can prove that it wasn’t corrupted in the download process. It just doesn’t, necessarily, say anything about it being exactly what the developers compiled, packaged, and uploaded. Of course, SolarWinds taught us that even the developer hash cannot always be trusted.