From 503b08db4c3ab7709f0f974528b6087cd9d9eee2 Mon Sep 17 00:00:00 2001
From: Matt-1-2-3 <hardtothinkofaname@gmail.com>
Date: Tue, 18 Oct 2022 19:10:09 -0400
Subject: [PATCH] install_arch: verify bootstrap image signature

Fixes #458.
---
 roles/install_arch/tasks/main.yml | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/roles/install_arch/tasks/main.yml b/roles/install_arch/tasks/main.yml
index 628a96d2e..4a0373ac0 100644
--- a/roles/install_arch/tasks/main.yml
+++ b/roles/install_arch/tasks/main.yml
@@ -7,9 +7,19 @@
   fail: msg="Not running in rescue system!"
   when: "'Hetzner Rescue' not in motd_contents.stdout and 'Rescue environment based on Alpine Linux' not in motd_contents.stdout"
 
-- name: Make sure all required packages are installed in the rescue system for installation
-  apk: name=sgdisk,btrfs-progs,tar update_cache=yes
+- name: Prepare Equinix Metal rescue system
   when: ansible_facts['os_family'] == "Alpine"
+  block:
+    - name: Make sure all required packages are installed in the rescue system
+      apk: name=sgdisk,btrfs-progs,tar,gnupg update_cache=yes
+
+    - name: Create the GnuPG home directory for the root user
+      file: path=/root/.gnupg state=directory owner=root group=root mode=0700
+
+    # Need to set no-use-tor otherwise dirmngr hangs at startup checking if
+    # 127.0.0.1:9050 works and remains in SYN-SENT state for about a minute
+    - name: Set the no-use-tor option in dirmngr.conf
+      lineinfile: name=/root/.gnupg/dirmngr.conf create=yes line=no-use-tor owner=root group=root mode=0644
 
 - name: Create GRUB embed partitions
   command: sgdisk -g --clear -n 1:0:+1M {{ item }} -c 1:boot -t 1:ef02
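Review bot: The gnupg install and the dirmngr `no-use-tor` workaround in this block run only under `when: ansible_facts['os_family'] == "Alpine"`, while the `gpg --locate-keys` and `gpg --verify` tasks this commit adds in the next hunk are unconditional, so on the non-Alpine (Hetzner) rescue path the new signature check presumably relies on gnupg already being installed and on dirmngr not showing the same Tor-probe hang; that should be confirmed, or an equivalent preparation task added for that path. The block's name encodes a provider (`Prepare Equinix Metal rescue system`) although its guard tests an OS family and the motd check above it names an Alpine-based rescue environment; `- name: Prepare Alpine-based rescue system` would describe the condition rather than an assumed vendor. The `file` and `lineinfile` tasks keep the key=value argument string style the file already uses, which is why `mode=0700` and `mode=0644` stay strings here; if these are ever converted to block-style module args they must be quoted (`mode: "0700"`) so YAML does not retype them as integers.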
@@ -42,9 +52,20 @@
 
 - name: Download bootstrap image
   get_url:
-    url: https://geo.mirror.pkgbuild.com/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz
+    url: "{{ item }}"
     dest: /tmp/
     mode: 0644
+  loop:
+    - https://geo.mirror.pkgbuild.com/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz
+    - https://geo.mirror.pkgbuild.com/iso/{{ bootstrap_version }}/archlinux-bootstrap-x86_64.tar.gz.sig
+
+- name: Get pierre's key
+  command: gpg --locate-keys pierre@archlinux.de
+  changed_when: false
+
+- name: Verify bootstrap image signature
+  command: gpg --verify /tmp/archlinux-bootstrap-x86_64.tar.gz.sig
+  changed_when: false
 
 - name: Extract boostrap image # noqa risky-file-permissions
   unarchive:
-- 
GitLab
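Review bot: The verification accepts a signature from whatever key `gpg --locate-keys pierre@archlinux.de` fetches over the network at run time, so the check is only as strong as that key-discovery channel: the signing key is never pinned, and `gpg --verify` exits 0 for a good signature from any key that happens to be in the freshly created keyring. Pin the expected signer and make the task fail on a mismatch as well as on a bad signature, e.g. `command: gpg --status-fd 1 --verify /tmp/archlinux-bootstrap-x86_64.tar.gz.sig`, `register: verify_result`, `failed_when: "verify_result.rc != 0 or 'VALIDSIG <EXPECTED_SIGNING_KEY_FINGERPRINT>' not in verify_result.stdout"`, with the fingerprint placeholder replaced by a value obtained out of band and kept in the role's vars. A short comment on the locate task, `# Key is fetched via WKD/keyserver; identity is enforced by the fingerprint check in the verify task`, would make the trust model explicit to the next maintainer. `changed_when: false` on the locate step also understates what it does, since `--locate-keys` writes the retrieved key into `/root/.gnupg`; that is acceptable for idempotent reruns but worth noting in the task name or a comment.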