Spectral Ops preflight provides an easy way to add an integrity check to pipe installers, turning 'curl | bash' into 'curl | checksum | bash'.
The process has two steps:
- calculate the checksum of the script
- when executing, pass the downloaded script through preflight; preflight copies its input to its output only if the calculated and provided hashes match.
The hash can come from the command line or a URL and, while I stick with sha256, preflight also supports md5 and sha1 (both collision-broken, so use them only to match a checksum you do not control). If multiple versions of the input are valid, a comma-separated list of hashes can be provided.
Download the example script and calculate its checksum:
$ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create
sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209
Our pipe installer becomes 'curl | preflight | bash'. Preflight will error out if the calculated and provided checksums do not match:
$ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209
⌛️ Preflight starting
✅ Preflight verified
My curl|bash script executed here!
Note - the checksum can also be fetched from a remote location:
$ curl -sL https://gist.githubusercontent.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256
⌛️ Preflight starting
✅ Preflight verified
My curl|bash script executed here!
When the hashes do not match, preflight fails and nothing is passed through to bash:
$ curl -sL https://gist.githubusercontent.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256
⌛️ Preflight starting
❌ Preflight failed: Digest does not match.
Expected:
sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209
Actual:
sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d262badbeef
OR: sha1=4020c1f0bc129a995b932446ef38171aebadbeef
OR: md5=384e691ac3fa7bea50d5fe9cbbadbeef
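To make explicit what preflight does between curl and bash, here is the same gate written out in plain POSIX shell. This is an added example, not preflight's or Spectral's code: the function names checksum_create and checksum_run, the sha256=<hex> label format and the comma-separated hash list are modelled on the commands above, and the script content is a constructed stand-in for the gist. The security-relevant detail is that the entire input is buffered to a file and hashed before any byte is written to stdout; a streaming check would let bash start executing the script before the verdict is known.

```shell
#!/bin/sh
# Added example (not preflight's code): a minimal checksum gate for a
# 'curl | gate | bash' pipe installer.

# Print the sha256 of stdin as "sha256=<hex>", the label format preflight prints.
# Falls back to shasum on systems (e.g. macOS) without coreutils sha256sum.
checksum_create() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf 'sha256=%s\n' "$(sha256sum | cut -d' ' -f1)"
    else
        printf 'sha256=%s\n' "$(shasum -a 256 | cut -d' ' -f1)"
    fi
}

# checksum_run EXPECTED
# EXPECTED is one or more "sha256=<hex>" entries, comma-separated; any one
# matching is accepted (mirrors preflight's list of valid versions).
# Reads stdin completely, then echoes it back only if its digest is in the
# list. Returns 0 on match, 1 on mismatch, so the next stage of the pipe
# (bash) receives nothing when the content has changed.
checksum_run() {
    expected="$1"
    tmp=$(mktemp) || return 2
    cat > "$tmp"                        # buffer everything BEFORE deciding
    actual=$(checksum_create < "$tmp")
    matched=1
    for e in $(printf '%s' "$expected" | tr ',' ' '); do
        [ "$e" = "$actual" ] && matched=0
    done
    if [ "$matched" -eq 0 ]; then
        cat "$tmp"                      # verified: release the script downstream
    else
        printf 'checksum mismatch\n  expected: %s\n  actual:   %s\n' \
            "$expected" "$actual" >&2
    fi
    rm -f "$tmp"
    return "$matched"
}

# Constructed stand-in for the downloaded script (not the gist's content).
SCRIPT='echo "My curl|bash script executed here!"'

# Step 1: publish the digest (what 'preflight create' does).
GOOD=$(printf '%s\n' "$SCRIPT" | checksum_create)

# Step 2: gate execution on it (what 'preflight run' does).
printf '%s\n' "$SCRIPT" | checksum_run "$GOOD" | sh              # runs the script
printf '%s\n' "$SCRIPT"'; echo "attacker payload"' \
    | checksum_run "$GOOD" | sh                                  # mismatch: sh runs nothing
```

Only the exit status of the last command in a pipeline is visible to the shell, so in CI pair this with `set -o pipefail` (or check `$?` of the gate stage) if you also want the job itself to fail loudly on a mismatch rather than merely skip the script.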
Other places the same pattern applies:
- GitHub Actions
- Dockerfiles, etc.
- wherever control over the content of sourced files is beneficial
Preflight supports malware checks as well; those may be quite useful for regulatory reasons.