Last active
February 8, 2023 22:49
Revisions
marcinantkiewicz renamed this gist
Feb 8, 2023 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
marcinantkiewicz renamed this gist
Feb 8, 2023 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 1 addition and 1 deletion.
@@ -1,4 +1,4 @@ # verify packages installed via 'curl | bash' Spectral Ops [preflight](https://github.com/SpectralOps/preflight) provides an easy way to add an integrity check to the pipe installed, turning them into 'curl | checksum | bash'.
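Review bot: "an integrity check to the pipe installed" should read "to pipe installers" (the phrase the rest of the page uses); as written the sentence does not parse. The new title, "verify packages installed via 'curl | bash'", also promises more than the examples deliver: every example hashes the bytes of the script that is piped into the shell, and nothing that script later downloads is covered by the check, so "verify scripts run via 'curl | bash'" is the accurate claim.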
marcinantkiewicz renamed this gist
Feb 8, 2023 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 10 additions and 3 deletions.
@@ -6,10 +6,10 @@ Spectral Ops [preflight](https://github.com/SpectralOps/preflight) provides an e The process takes has two steps: 1) calculate the checksum 2) pass the downloaded script through preflight when executing, preflight will pass the input to its output if the calculated and provided hashes match. The hash can come from the command line or an url and, while I stick with sha256, preflight supports md5 and sha1. If multiple verions of the input are valid, a comma separated list of hashes can be provided ### Initial step Download the example script and calculate its checksum. @@ -50,4 +50,11 @@ Actual: sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d262badbeef OR: sha1=4020c1f0bc129a995b932446ef38171aebadbeef OR: md5=384e691ac3fa7bea50d5fe9cbbadbeef ``` ### Use in * [github actions](https://github.com/marketplace/actions/setup-preflight) * [dockerfiles, etc](https://github.com/SpectralOps/preflight#golf-building-docker-images-in-a-secure-way) * wherever control over content of sourced files is beneficial preflight supports [malware checks](https://github.com/SpectralOps/preflight#see_no_evil-using-optional-malware-lookup) as well. Those may be quite useful for regulatory reasons.
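Review bot: "preflight supports md5 and sha1" needs a caveat in the same sentence: both are collision-broken, so an md5 or sha1 pin does not give the integrity guarantee this page is about, and the text should recommend sha256 only rather than present the three as interchangeable. The comma-separated list of accepted hashes deserves a similar warning: every extra entry widens what the pipeline will execute, so it should hold only versions that were actually reviewed. Typos in the first hunk: "The process takes has two steps" (drop "takes"), "multiple verions" ("versions"). In the second hunk, "Those may be quite useful for regulatory reasons" is too vague to act on; say what the malware lookup checks and what an operator should do when it fires, or drop the sentence.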
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 2 additions and 1 deletion.
@@ -8,7 +8,8 @@ The process takes has two steps: 1) calculate the checksum 2) pass the downloaded script through preflight when executing. Preflight will verify the checksum and, if successful, pass the content to the shell (or whatever reads from its output). The hash can come from the command line or an url and, while I stick with sha256, preflight supports md5 and sha1. ### Initial step Download the example script and calculate its checksum.
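Review bot: the two-step description covers only the success path; it should also say what the shell receives on a mismatch. The failure example lower on the page shows preflight printing "Digest does not match" and no "My curl|bash script executed here!" line, so the shell got nothing to run; state that outright. Worth adding for CI users: in a `curl | preflight | bash` pipeline the status the calling shell sees is bash's, not preflight's, so the job needs `set -o pipefail` (or an explicit check of preflight's exit status) to fail on a mismatch instead of continuing with an empty run.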
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 3 additions and 3 deletions.
@@ -4,14 +4,14 @@ Spectral Ops [preflight](https://github.com/SpectralOps/preflight) provides an e <img width="843" alt="preflight-error" src="https://user-images.githubusercontent.com/1467361/217609319-f2a19d87-efcd-423e-a5d2-359eea6fc07b.png"> The process takes has two steps: 1) calculate the checksum 2) pass the downloaded script through preflight when executing. Preflight will verify the checksum and, if successful, pass the content to the shell (or whatever reads from its output). The hash can come from the command line or an url and, while I stick with sha256, preflight supports md5 and sha1. ### Initial step Download the example script and calculate its checksum. ``` $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209
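Review bot: the "Initial step" derives the pin from a download of the very URL that will later be verified, which freezes whatever was served at that moment and says nothing about whether that snapshot is what the author meant to publish; a script that was already tampered with gets pinned as good. The text should tell the reader to read the script, or compare it with a copy obtained over a second channel, before running `preflight create` on it. Separately, `curl -sL` silences errors and lacks `-f`, so an HTTP error body or an unexpected redirect target would be hashed as if it were the script; `curl -fsSL` makes the fetch fail loudly instead.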
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ # verify 'curl | bash' Spectral Ops [preflight](https://github.com/SpectralOps/preflight) provides an easy way to add an integrity check to the pipe installed, turning them into 'curl | checksum | bash'. <img width="843" alt="preflight-error" src="https://user-images.githubusercontent.com/1467361/217609319-f2a19d87-efcd-423e-a5d2-359eea6fc07b.png">
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ # verify 'curl | bash' Spectral Ops [preflight](https://github.com/SpectralOps/preflight) provides an easy way to add a checksum verification step to the 'pipe|bash' installers. <img width="843" alt="preflight-error" src="https://user-images.githubusercontent.com/1467361/217609319-f2a19d87-efcd-423e-a5d2-359eea6fc07b.png">
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ # verify 'curl | bash' Spectral Ops [preflight](https://github.com/SpectralOps/preflight) provides an easy way to add a checsum verification step to the 'pipe|bash' installers. <img width="843" alt="preflight-error" src="https://user-images.githubusercontent.com/1467361/217609319-f2a19d87-efcd-423e-a5d2-359eea6fc07b.png">
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 1 addition and 0 deletions.
@@ -7,6 +7,7 @@ Spectral Ops [preflight](https://github.com/SpectralOps/preflight) provides an e The process is rather simple: 1) calculate the checksum 2) pass the downloaded script through preflight when executing. Preflight will verify the checksum and, if successful, pass the content to the shell (or whatever reads from its output). ### Initial step
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 5 additions and 2 deletions.
@@ -1,10 +1,13 @@ # verify 'curl | bash' Spectral Ops [preflight](https://github.com/SpectralOps/preflight) provides an easy way to add verification to the 'pipe|bash' installers. <img width="843" alt="preflight-error" src="https://user-images.githubusercontent.com/1467361/217609319-f2a19d87-efcd-423e-a5d2-359eea6fc07b.png"> The process is rather simple: 1) calculate the checksum 2) pass the downloaded script through preflight when executing. Preflight will verify the checksum and, if successful, pass the content to the shell (or whatever reads from its output). ### Initial step Download the example script and calculate its checksum. We will stick with sha256, preflight will accept md5 and sha1 as well.
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 31 additions and 23 deletions.
@@ -8,33 +8,41 @@ The process is rather simple: 1) calculate the checksum, 2) pass the downloaded ### Initial step Download the example script and calculate its checksum. We will stick with sha256, preflight will accept md5 and sha1 as well. ``` $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 ``` ### use preflight as a filter our pipe installer becomes 'curl|preflight|bash'. Preflight will error out if the calculated and provided checksums do not match. ``` $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 ⌛️ Preflight starting ✅ Preflight verified My curl|bash script executed here! ``` Note - the checksum can come from a remote location ``` $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 ⌛️ Preflight starting ✅ Preflight verified My curl|bash script executed here! ``` ### Error when the checsums do not match: ``` $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 ⌛️ Preflight starting ❌ Preflight failed: Digest does not match. Expected: sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 Actual: sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d262badbeef OR: sha1=4020c1f0bc129a995b932446ef38171aebadbeef OR: md5=384e691ac3fa7bea50d5fe9cbbadbeef ```
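Review bot: in the "checksum can come from a remote location" example the checksum file (`raw/checksum.sha256`) lives in the same gist as the script it vouches for, so whoever can change preflight_test.sh can update checksum.sha256 in the same revision and the check still passes; a fetched hash only adds assurance when it comes from a location with independent write access, otherwise the command-line pin of the previous example is the stronger form. The mismatch example also runs exactly the same command as the success example above it, so it cannot produce a different outcome as shown; say what changed (a modified local copy of the script, or a deliberately wrong hash argument) so readers can reproduce the failure, and note that the "badbeef" digests are placeholders. Heading typo: "checsums".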
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 6 additions and 6 deletions.
@@ -1,4 +1,4 @@ # verify 'curl | bash' [Spectral Ops preflight](https://github.com/SpectralOps/preflight) provides an easy way to add verification to the 'pipe|bash' installers.
@@ -7,26 +7,26 @@ The process is rather simple: 1) calculate the checksum, 2) pass the downloaded script through preflight when executing, preflight will verify the checksum and, if successful, pass the content to the shell (or whatever reads from its output). ### Initial step Download the example script and calculate its checksum. We will stick with sha256, preflight will accept md5 and sha1 as well. > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 ### use preflight as a filter our pipe installer becomes 'curl|preflight|bash'. Preflight will error out if the calculated and provided checksums do not match. > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 > ⌛️ Preflight starting > ✅ Preflight verified > > My curl|bash script executed here! Note - the checksum can come from a remote location > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 > ⌛️ Preflight starting > ✅ Preflight verified > > My curl|bash script executed here! ### Error when the checsums do not match: > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 > ⌛️ Preflight starting > ❌ Preflight failed: Digest does not match.
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 1 addition and 3 deletions.
@@ -2,11 +2,9 @@ [Spectral Ops preflight](https://github.com/SpectralOps/preflight) provides an easy way to add verification to the 'pipe|bash' installers. <img width="843" alt="preflight-error" src="https://user-images.githubusercontent.com/1467361/217609319-f2a19d87-efcd-423e-a5d2-359eea6fc07b.png"> The process is rather simple: 1) calculate the checksum, 2) pass the downloaded script through preflight when executing, preflight will verify the checksum and, if successful, pass the content to the shell (or whatever reads from its output). ### Initial step downloaded the example script and calculate its checksum. We will stick with sha256, preflight will accept md5 and sha1 as well.
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 2 additions and 0 deletions.
@@ -3,7 +3,9 @@ [Spectral Ops preflight](https://github.com/SpectralOps/preflight) provides an easy way to add verification to the 'pipe|bash' installers. Since the [pipe installers](https://sysdig.com/blog/friends-dont-let-friends-curl-bash/) tend to be reliable they tend to run with minimal supervision, and most of the time that is quite fine. Control over software composition is a popular topic, be it to produce SBOM, to protect from protestware or lage security incidents like [Codecov's](https://about.codecov.io/security-update). <img width="843" alt="preflight-error" src="https://user-images.githubusercontent.com/1467361/217609319-f2a19d87-efcd-423e-a5d2-359eea6fc07b.png"> The process is rather simple: download content and calculated and display its checksum, pass downloaded script through preflight, error out if the calculated and provided checksums do not match. Simple-ish, but we do best when standing on the shoulders of giants - here this means that we will use this tiny and reliable verifier to gate automatic software execution. ### Initial step
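Review bot: "Since the pipe installers tend to be reliable they tend to run with minimal supervision" conflates availability with integrity: the installer reliably runs, but nothing in a plain `curl | bash` checks that the bytes it ran are the bytes the author published, and that gap is what the rest of the page (and the linked Codecov incident) is about; rephrase so the contrast is explicit rather than implied. Typos in the same hunk: "lage" (large), "download content and calculated and display its checksum" (calculate).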
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 1 addition and 1 deletion.
@@ -3,7 +3,7 @@ [Spectral Ops preflight](https://github.com/SpectralOps/preflight) provides an easy way to add verification to the 'pipe|bash' installers. Since the [pipe installers](https://sysdig.com/blog/friends-dont-let-friends-curl-bash/) tend to be reliable they tend to run with minimal supervision, and most of the time that is quite fine. Control over software composition is a popular topic, be it to produce SBOM, to protect from protestware or lage security incidents like [Codecov's](https://about.codecov.io/security-update). <img width="843" alt="preflight-error" src="https://user-images.githubusercontent.com/1467361/217609319-f2a19d87-efcd-423e-a5d2-359eea6fc07b.png"> The process is rather simple: download content and calculated and display its checksum, pass downloaded script through preflight, error out if the calculated and provided checksums do not match. Simple-ish, but we do best when standing on the shoulders of giants - here this means that we will use this tiny and reliable verifier to gate automatic software execution. ### Initial step
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 4 additions and 4 deletions.
@@ -6,27 +6,27 @@ Since the [pipe installers](https://sysdig.com/blog/friends-dont-let-friends-cur The process is rather simple: download content and calculated and display its checksum, pass downloaded script through preflight, error out if the calculated and provided checksums do not match. Simple-ish, but we do best when standing on the shoulders of giants - here this means that we will use this tiny and reliable verifier to gate automatic software execution. ### Initial step downloaded the example script and calculate its checksum. We will stick with sha256, preflight will accept md5 and sha1 as well. > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 ### Now preflight will be a filter our pipe installer becomes 'curl|preflight|bash', with pipeline erroring out if the calculated and provided checksums do not match. > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 > ⌛️ Preflight starting > ✅ Preflight verified > > My curl|bash script executed here! ### checksum can come from a remote location > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 > ⌛️ Preflight starting > ✅ Preflight verified > > My curl|bash script executed here! ### when the checsums do not match: > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 > ⌛️ Preflight starting > ❌ Preflight failed: Digest does not match.
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 6 additions and 4 deletions.
@@ -6,25 +6,27 @@ Since the [pipe installers](https://sysdig.com/blog/friends-dont-let-friends-cur The process is rather simple: download content and calculated and display its checksum, pass downloaded script through preflight, error out if the calculated and provided checksums do not match. Simple-ish, but we do best when standing on the shoulders of giants - here this means that we will use this tiny and reliable verifier to gate automatic software execution. ######Initial step downloaded the example script and calculate its checksum. We will stick with sha256, preflight will accept md5 and sha1 as well. > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 ######Now preflight will be a filter our pipe installer becomes 'curl|preflight|bash', with pipeline erroring out if the calculated and provided checksums do not match. > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 > ⌛️ Preflight starting > ✅ Preflight verified > > My curl|bash script executed here! ######checksum can come from a remote location > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 > ⌛️ Preflight starting > ✅ Preflight verified > > My curl|bash script executed here! ######when the checsums do not match: > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 > ⌛️ Preflight starting > ❌ Preflight failed: Digest does not match.
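Review bot: the headings in this hunk are written as `######Initial step` with no space after the hashes; CommonMark, and therefore GitHub's renderer, requires a space between the hashes and the heading text, so these lines render as literal "######" followed by text rather than as headings, and six hashes would give an h6 (smaller than body text) even with the space. The `### Initial step` form used in the revision above this one is the right fix.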
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 23 additions and 23 deletions.
@@ -7,32 +7,32 @@ Since the [pipe installers](https://sysdig.com/blog/friends-dont-let-friends-cur The process is rather simple: download content and calculated and display its checksum, pass downloaded script through preflight, error out if the calculated and provided checksums do not match. Simple-ish, but we do best when standing on the shoulders of giants - here this means that we will use this tiny and reliable verifier to gate automatic software execution. - Initial step: downloaded the example script and calculate its checksum. We will stick with sha256, preflight will accept md5 and sha1 as well. > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 - Now preflight will be a filter: our pipe installer becomes 'curl|preflight|bash', with pipeline erroring out if the calculated and provided checksums do not match. > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 > ⌛️ Preflight starting > ✅ Preflight verified > > My curl|bash script executed here! - checksum can come from a remote location > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 > ⌛️ Preflight starting > ✅ Preflight verified > > My curl|bash script executed here! - when checsums do not match: > $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 > ⌛️ Preflight starting > ❌ Preflight failed: Digest does not match. 
> > Expected: > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 > > Actual: > sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d262badbeef > OR: sha1=4020c1f0bc129a995b932446ef38171aebadbeef > OR: md5=384e691ac3fa7bea50d5fe9cbbadbeef
marcinantkiewicz renamed this gist
Feb 8, 2023 . 1 changed file with 2 additions and 0 deletions.
@@ -1,3 +1,5 @@ # verify 'curl|bash' [Spectral Ops preflight](https://github.com/SpectralOps/preflight) provides an easy way to add verification to the 'pipe|bash' installers. Since the [pipe installers](https://sysdig.com/blog/friends-dont-let-friends-curl-bash/) tend to be reliable they tend to run with minimal supervision, and most of the time that is quite fine. Control over software composition is a popular topic, be it to produce SBOM, to protect from protestware or lage security incidents like [Codecov's](https://about.codecov.io/security-update).
marcinantkiewicz revised this gist
Feb 8, 2023 . 1 changed file with 20 additions and 6 deletions.
@@ -1,22 +1,36 @@ [Spectral Ops preflight](https://github.com/SpectralOps/preflight) provides an easy way to add verification to the 'pipe|bash' installers. Since the [pipe installers](https://sysdig.com/blog/friends-dont-let-friends-curl-bash/) tend to be reliable they tend to run with minimal supervision, and most of the time that is quite fine. Control over software composition is a popular topic, be it to produce SBOM, to protect from protestware or lage security incidents like [Codecov's](https://about.codecov.io/security-update). The process is rather simple: download content and calculated and display its checksum, pass downloaded script through preflight, error out if the calculated and provided checksums do not match. Simple-ish, but we do best when standing on the shoulders of giants - here this means that we will use this tiny and reliable verifier to gate automatic software execution. - Initial step: downloaded the example script and calculate its checksum. We will stick with sha256, preflight will accept md5 and sha1 as well. $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 - Now preflight will be a filter: our pipe installer becomes 'curl|preflight|bash', with pipeline erroring out if the calculated and provided checksums do not match. $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 ⌛️ Preflight starting ✅ Preflight verified My curl|bash script executed here! 
- checksum can come from a remote location $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 ⌛️ Preflight starting ✅ Preflight verified My curl|bash script executed here! - when checsums do not match: $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 ⌛️ Preflight starting ❌ Preflight failed: Digest does not match. Expected: sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 Actual: sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d262badbeef OR: sha1=4020c1f0bc129a995b932446ef38171aebadbeef OR: md5=384e691ac3fa7bea50d5fe9cbbadbeef
marcinantkiewicz revised this gist
Feb 8, 2023 . 3 changed files with 26 additions and 1 deletion.
@@ -0,0 +1 @@ sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209
@@ -0,0 +1,3 @@ #! /bin/sh echo "\nMy curl|bash script executed here!\n"
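Review bot: preflight_test.sh combines `#! /bin/sh` with `echo "\nMy curl|bash script executed here!\n"`, and whether `echo` interprets `\n` under /bin/sh depends on which shell that is (dash does; bash's builtin does not unless `-e` or `xpg_echo` is in effect), so the example prints a literal backslash-n on some hosts. `printf '\nMy curl|bash script executed here!\n'` behaves the same everywhere. Note that fixing this changes the script's sha256, so checksum.sha256 and every pinned value quoted in the README would have to be regenerated at the same time.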
@@ -1 +1,22 @@ [Spectral Ops preflight](https://github.com/SpectralOps/preflight) provides an easy way to add verification to automated script download and execution (curl|bash). This repo provides a trivial example script and show how preflight adds verification step where the script is downloaded and passed to shell for execution. - In an initial setp, remote script is downloaded and passed to preflight to calculate its checksum. $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight create sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 - Once the checksum is known, preflight will be a filter allowing script execution to take place only when the provided and calculated checksums match. $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run sha256=bb60ffa7c98106c61bdcd4ee5748844f3d21e49ba1ded0b8ce0a5d26294ae209 ⌛️ Preflight starting ✅ Preflight verified My curl|bash script executed here! - The checksum can be provided on the command line, or as a link $ curl -sL https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/preflight_test.sh | preflight run https://gist.github.com/marcinantkiewicz/2b2263be50ff09f25c819ef7fe0b1585/raw/checksum.sha256 ⌛️ Preflight starting ✅ Preflight verified My curl|bash script executed here!
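Review bot: wording in this first README hunk: "In an initial setp" (step), "show how preflight adds verification step" (shows how preflight adds a verification step), "This repo" (it is a gist). "The checksum can be provided on the command line, or as a link" should also say which of the two the reader ought to prefer and why, since the two forms have different trust properties when the link points at the same place as the script.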
marcinantkiewicz created this gist
Feb 8, 2023 .
@@ -0,0 +1 @@ [Spectral Ops preflight](https://github.com/SpectralOps/preflight) provides an easy way to add verification to automated script download and execution (curl|bash).