@marcinantkiewicz
Last active February 8, 2023 22:49
This gist provides a trivial example script and shows how SpectralOps preflight adds a checksum verification step to the 'curl | bash' pipe installer.

verify packages installed via 'curl | bash'

SpectralOps preflight provides an easy way to add an integrity check to pipe installers, turning 'curl | bash' into 'curl | checksum | bash'.

[image: preflight-error]

The process has two steps:

  1. calculate the checksum of the script
  2. pass the downloaded script through preflight when executing; preflight copies its input to its output only if the calculated and provided hashes match.

The hash can come from the command line or from a URL, and, while I stick with sha256, preflight also supports md5 and sha1. If multiple versions of the input are valid, a comma separated list of hashes can be provided.

Initial step

Download the example script and calculate its checksum.

$ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create
sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209

use preflight as a filter

Our pipe installer becomes 'curl | preflight | bash'. Preflight errors out if the calculated and provided checksums do not match.

$ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209
⌛️ Preflight starting
✅ Preflight verified

My curl|bash script executed here!

Note: the checksum can also come from a remote location.

$ curl -sL https://gist.githubusercontent.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256
⌛️ Preflight starting
✅ Preflight verified
 
My curl|bash script executed here!

Error when the checksums do not match:

$ curl -sL https://gist.githubusercontent.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256
⌛️ Preflight starting
❌ Preflight failed: Digest does not match.
 
Expected:
sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 
 
Actual:
sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d262badbeef
OR: sha1=4020c1f0bc129a995b932446ef38171aebadbeef
OR: md5=384e691ac3fa7bea50d5fe9cbbadbeef
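The two-step process described above (hash first, then let the script through only on a match, with comma separated alternatives) can be reproduced without preflight in a few lines of POSIX sh. The following is an added example written for this page; it is not preflight's code and not part of the gist. The function names checksum_filter and hash_file are made up for the illustration, and it assumes the coreutils sha256sum/sha1sum/md5sum tools or, failing those, the BSD shasum and md5 commands. The important design point is that it buffers the whole download before hashing, so no part of the script reaches the shell before the digest has been checked. One caveat that applies to the remote-checksum variant shown earlier: fetching the checksum from the same host as the script only protects against corruption or tampering in transit; against a compromised origin, the expected digest has to be pinned somewhere you control.

```shell
#!/bin/sh
# Added example, not part of the gist and not preflight's own code: a minimal
# stdin-to-stdout checksum filter that reproduces the 'curl | checksum | bash'
# pattern in plain POSIX sh. It buffers the whole download before hashing, so
# nothing reaches the shell unless one of the provided digests matches.
#
# Usage (hypothetical function names, assumed for illustration):
#   curl -sL URL | checksum_filter 'sha256=<hex>' | sh
#   curl -sL URL | checksum_filter "$(curl -sL CHECKSUM_URL)" | sh
# The expected value is a comma separated list of algo=hex entries, for example
# 'sha256=...,sha1=...'; any single match lets the input through.

# hash_file ALGO FILE -> prints the hex digest of FILE using ALGO (sha256,
# sha1 or md5). Uses the coreutils *sum tools when present and falls back to
# the BSD/macOS shasum and md5 commands.
hash_file() {
    algo=$1
    file=$2
    case "$algo" in
        sha256) bits=256 ;;
        sha1)   bits=1 ;;
        md5)    bits=md5 ;;
        *)      return 2 ;;
    esac
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$file" | cut -d' ' -f1
    elif [ "$algo" = md5 ]; then
        md5 -q "$file"
    else
        shasum -a "$bits" "$file" | cut -d' ' -f1
    fi
}

# checksum_filter EXPECTED: copies stdin to stdout only if one of the EXPECTED
# digests matches; otherwise prints nothing on stdout and returns 1.
checksum_filter() {
    expected_list=$1
    tmp=$(mktemp) || return 1
    cat > "$tmp"                      # buffer the whole input first
    status=1
    old_ifs=$IFS
    IFS=,
    for entry in $expected_list; do   # split on commas only
        IFS=$old_ifs
        algo=${entry%%=*}
        # tolerate a trailing newline from a checksum file and upper-case hex
        want=$(printf '%s' "${entry#*=}" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
        if got=$(hash_file "$algo" "$tmp"); then
            if [ "$got" = "$want" ]; then
                status=0
                break
            fi
        else
            echo "checksum_filter: unsupported algorithm '$algo'" >&2
        fi
    done
    IFS=$old_ifs
    if [ "$status" -eq 0 ]; then
        cat "$tmp"
    else
        echo "checksum_filter: digest does not match, refusing to pass input through" >&2
    fi
    rm -f "$tmp"
    return "$status"
}
```

Because the filter writes nothing to stdout on a mismatch, the downstream `sh` simply receives an empty script and exits, which is the same fail-closed behaviour the preflight transcript above shows.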

Use in

preflight supports malware checks as well; those may be quite useful for regulatory reasons.

checksum.sha256:

sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209

preflight_test.sh:

#! /bin/sh
echo "\nMy curl|bash script executed here!\n"