Commit 1a59eb37 authored by Thomas Bächler's avatar Thomas Bächler Committed by Gerardo Exequiel Pozzi
Browse files

Add the verify=y option to verify the squashfs signature with gpg

parent 249a52d9
......@@ -105,6 +105,15 @@ _verify_checksum() {
return ${_status}
}
_verify_signature() {
local _status
cd "/run/archiso/bootmnt/${archisobasedir}/${arch}"
gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG'
_status=$?
cd "${OLDPWD}"
return ${_status}
}
run_hook() {
[[ -z "${arch}" ]] && arch="$(uname -m)"
[[ -z "${copytoram_size}" ]] && copytoram_size="75%"
......@@ -159,6 +168,21 @@ archiso_mount_handler() {
fi
fi
if [[ "${verify}" == "y" ]]; then
if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sfs.sig" ]]; then
msg -n ":: Signature verification requested, please wait..."
if _verify_signature; then
msg "done. Signature is OK, continue booting."
else
echo "ERROR: one or more files are corrupted"
launch_interactive_shell
fi
else
echo "ERROR: verify=y option specified but ${archisobasedir}/${arch}/airootfs.sfs.sig not found"
launch_interactive_shell
fi
fi
if [[ "${copytoram}" == "y" ]]; then
msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}"
mkdir -p /run/archiso/copytoram
......
......@@ -39,6 +39,9 @@ archiso_pxe_http_mount_handler () {
if [[ "${checksum}" == "y" ]]; then
_curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}"
fi
if [[ "${verify}" == "y" ]]; then
_curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}"
fi
mkdir -p "/run/archiso/bootmnt"
mount -o bind /run/archiso/httpspace /run/archiso/bootmnt
......
......@@ -15,6 +15,7 @@ build() {
add_binary mountpoint
add_binary truncate
add_binary gpg
add_binary grep
add_file /usr/lib/udev/rules.d/60-cdrom_id.rules
add_file /usr/lib/udev/rules.d/10-dm.rules
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment