Add the verify=y option to verify the squashfs signature with gpg

1a59eb37 · Thomas Bächler · Gerardo Exequiel Pozzi · 249a52d9 · 1a59eb37 · 1a59eb37
Commit 1a59eb37 authored Feb 13, 2016 by Thomas Bächler Committed by Gerardo Exequiel Pozzi Feb 28, 2016
--- a/archiso/initcpio/hooks/archiso
+++ b/archiso/initcpio/hooks/archiso
@@ -105,6 +105,15 @@ _verify_checksum() {
    return ${_status}
 }

+_verify_signature() {
+    local _status
+    cd "/run/archiso/bootmnt/${archisobasedir}/${arch}"
+    gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG'
+    _status=$?
+    cd "${OLDPWD}"
+    return ${_status}
+}
+
 run_hook() {
    [[ -z "${arch}" ]] && arch="$(uname -m)"
    [[ -z "${copytoram_size}" ]] && copytoram_size="75%"
@@ -159,6 +168,21 @@ archiso_mount_handler() {
        fi
    fi

+    if [[ "${verify}" == "y" ]]; then
+        if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sfs.sig" ]]; then
+            msg -n ":: Signature verification requested, please wait..."
+            if _verify_signature; then
+                msg "done. Signature is OK, continue booting."
+            else
+                echo "ERROR: one or more files are corrupted"
+                launch_interactive_shell
+            fi
+        else
+            echo "ERROR: verify=y option specified but ${archisobasedir}/${arch}/airootfs.sfs.sig not found"
+            launch_interactive_shell
+        fi
+    fi
+
    if [[ "${copytoram}" == "y" ]]; then
        msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}"
        mkdir -p /run/archiso/copytoram

--- a/archiso/initcpio/hooks/archiso_pxe_http
+++ b/archiso/initcpio/hooks/archiso_pxe_http
@@ -39,6 +39,9 @@ archiso_pxe_http_mount_handler () {
    if [[ "${checksum}" == "y" ]]; then
        _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}"
    fi
+    if [[ "${verify}" == "y" ]]; then
+        _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}"
+    fi

    mkdir -p "/run/archiso/bootmnt"
    mount -o bind /run/archiso/httpspace /run/archiso/bootmnt

--- a/archiso/initcpio/install/archiso
+++ b/archiso/initcpio/install/archiso
@@ -15,6 +15,7 @@ build() {
    add_binary mountpoint
    add_binary truncate
    add_binary gpg
+    add_binary grep

    add_file /usr/lib/udev/rules.d/60-cdrom_id.rules
    add_file /usr/lib/udev/rules.d/10-dm.rules