
SpectralOps / preflight

submitted by
Style Pass
2021-06-08 06:00:05

First of all, it's a chicken-and-egg problem: how do you pull a legitimate preflight binary from us without verifying it with preflight, when preflight exists to solve exactly this problem?

The best way is to grab the source, compile it yourself, and use your own binary, which you put in a place that you trust. People usually have several options for doing that safely:

It's recommended to use preflight when you're building Docker images and are installing software via the curl | sh scripts that vendors give you.

When updating an old binary or script to a newer version, there will be at least two valid digests "live" at the same time, and simply replacing the single digest in use will break the older runnable, which may still be running somewhere.

To support updates and rolling/auto-updates of scripts and binaries, we need to validate against <old hash> + <new hash> at all times, until everyone has upgraded to the new script. Preflight validates against a list of hashes, or better, you can give it a live URL of valid hashes and it will validate against that.

You can easily create new hashes with preflight. The default is SHA256, but SHA1 and MD5 hashes can also be created.
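The rolling-update allowlist described above, together with the three digest algorithms, as an added Go example that is not preflight's own code: the "algo:hex" entry format, the function names and the sample installer scripts are all assumptions of this example.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// Supported algorithms: sha256 is the default; sha1 and md5 only match legacy entries.
var algos = map[string]func() hash.Hash{"sha256": sha256.New, "sha1": sha1.New, "md5": md5.New}

// HashBytes returns the lowercase hex digest of data under the named algorithm.
func HashBytes(algo string, data []byte) (string, error) {
	newHash, ok := algos[strings.ToLower(algo)]
	if !ok {
		return "", fmt.Errorf("unsupported algorithm %q", algo)
	}
	h := newHash()
	h.Write(data)
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Verify reports whether data matches any "algo:hex" allowlist entry (a format assumed here, not
// preflight's own). Listing old and new digests side by side lets an in-flight old script and its replacement both pass.
func Verify(data []byte, allowlist []string) (bool, error) {
	for _, entry := range allowlist {
		algo, want, _ := strings.Cut(strings.TrimSpace(entry), ":")
		got, err := HashBytes(algo, data) // a malformed entry surfaces as an unsupported algorithm
		if err != nil {
			return false, err
		}
		if got == strings.ToLower(want) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: v1 is still in flight while v2 rolls out, so both digests are allowed.
	v1, v2 := []byte("#!/bin/sh\necho install v1\n"), []byte("#!/bin/sh\necho install v2\n")
	h1, _ := HashBytes("sha256", v1)
	h2, _ := HashBytes("sha256", v2)
	ok, _ := Verify(v1, []string{"sha256:" + h1, "sha256:" + h2})
	fmt.Println("v1 still accepted during rollout:", ok)
}
```

Dropping the old digest from the list is exactly the failure the text warns about: the older script stops verifying while it is still running somewhere.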
