Commit 1a59eb37 authored by Thomas Bächler's avatar Thomas Bächler Committed by Gerardo Pozzi

Add the verify=y option to verify the squashfs signature with gpg

parent 249a52d9
...@@ -105,6 +105,15 @@ _verify_checksum() { ...@@ -105,6 +105,15 @@ _verify_checksum() {
return ${_status} return ${_status}
} }
_verify_signature() {
local _status
cd "/run/archiso/bootmnt/${archisobasedir}/${arch}"
gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG'
_status=$?
cd "${OLDPWD}"
return ${_status}
}
run_hook() { run_hook() {
[[ -z "${arch}" ]] && arch="$(uname -m)" [[ -z "${arch}" ]] && arch="$(uname -m)"
[[ -z "${copytoram_size}" ]] && copytoram_size="75%" [[ -z "${copytoram_size}" ]] && copytoram_size="75%"
...@@ -159,6 +168,21 @@ archiso_mount_handler() { ...@@ -159,6 +168,21 @@ archiso_mount_handler() {
fi fi
fi fi
if [[ "${verify}" == "y" ]]; then
if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sfs.sig" ]]; then
msg -n ":: Signature verification requested, please wait..."
if _verify_signature; then
msg "done. Signature is OK, continue booting."
else
echo "ERROR: one or more files are corrupted"
launch_interactive_shell
fi
else
echo "ERROR: verify=y option specified but ${archisobasedir}/${arch}/airootfs.sfs.sig not found"
launch_interactive_shell
fi
fi
if [[ "${copytoram}" == "y" ]]; then if [[ "${copytoram}" == "y" ]]; then
msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}" msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}"
mkdir -p /run/archiso/copytoram mkdir -p /run/archiso/copytoram
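Review bot: In `_verify_signature`, `gpg --verify airootfs.sfs.sig` is given only the signature file, so gpg has to infer the signed data from the file name, and the gpg manual discourages relying on that for detached signatures. If the `.sig` file is not a detached signature but a signed message carrying its own data, a GOODSIG line can be printed without `airootfs.sfs` being read at all. Name the data file explicitly: `gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig airootfs.sfs 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG'`. The match also accepts any key present in `/gpg`; if that keyring can hold more than the release key, checking the fingerprint on the `VALIDSIG` status line would pin it. In the `archiso_mount_handler` hunk (the function starts and ends outside it), `ERROR: one or more files are corrupted` is the checksum wording, and a message that names the signature failure would help whoever lands in the interactive shell.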
......
...@@ -39,6 +39,9 @@ archiso_pxe_http_mount_handler () { ...@@ -39,6 +39,9 @@ archiso_pxe_http_mount_handler () {
if [[ "${checksum}" == "y" ]]; then if [[ "${checksum}" == "y" ]]; then
_curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}" _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}"
fi fi
if [[ "${verify}" == "y" ]]; then
_curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}"
fi
mkdir -p "/run/archiso/bootmnt" mkdir -p "/run/archiso/bootmnt"
mount -o bind /run/archiso/httpspace /run/archiso/bootmnt mount -o bind /run/archiso/httpspace /run/archiso/bootmnt
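Review bot: The added block only downloads `airootfs.sfs.sig`; nothing in this hook verifies it, and a reader of this file alone could take the fetch for the check. A comment above the `if`, such as `# fetched only; the signature is checked later by archiso_mount_handler when verify=y`, would make that clear. Whether `_curl_get` stops the boot on a failed download is not visible here, and `archiso_pxe_http_mount_handler` starts and ends outside the hunk. Presumably a missing file is then caught by the "not found" branch of the mount handler, but that depends on the download destination matching the path checked there.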
......
...@@ -15,6 +15,7 @@ build() { ...@@ -15,6 +15,7 @@ build() {
add_binary mountpoint add_binary mountpoint
add_binary truncate add_binary truncate
add_binary gpg add_binary gpg
add_binary grep
add_file /usr/lib/udev/rules.d/60-cdrom_id.rules add_file /usr/lib/udev/rules.d/60-cdrom_id.rules
add_file /usr/lib/udev/rules.d/10-dm.rules add_file /usr/lib/udev/rules.d/10-dm.rules
......