authorDaniel Baumann <daniel.baumann@open-infrastructure.net>2016-11-12 05:59:08 +0000
committerDaniel Baumann <daniel.baumann@open-infrastructure.net>2016-11-12 05:59:08 +0000
commit2b8a60ca8cb9703a20f4b9c20529ef6b6a991833 (patch)
tree3e2d5d4063d6f4f7fb0a2003dec06c36d039aca5
parentAdding curl container create script (FIXME). (diff)
Adding signature check for downloads.tmp-daniel2
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
-rw-r--r--share/man/container-create-curl.1.txt3
-rwxr-xr-xshare/scripts/curl58
2 files changed, 59 insertions, 2 deletions
diff --git a/share/man/container-create-curl.1.txt b/share/man/container-create-curl.1.txt
index 46ac45f..3d3168d 100644
--- a/share/man/container-create-curl.1.txt
+++ b/share/man/container-create-curl.1.txt
@@ -60,6 +60,9 @@ The following script options are available:
*-m, --mirror='MIRROR'*::
Specify the Debian mirror, defaults to https://files.open-infrastructure.net/images/container-tools.
+*--no-signature*::
+ Does not verify downloaded tarballs with a GnuPG signature.
+
*-p, --root-password='PASSWORD'*::
Specify the root password, defaults to a random 16 character password.
diff --git a/share/scripts/curl b/share/scripts/curl
index f8389ce..1358da0 100755
--- a/share/scripts/curl
+++ b/share/scripts/curl
@@ -24,7 +24,7 @@ MACHINES="/var/lib/machines"
Parameters ()
{
- LONG_OPTIONS="bind:,script:,name:,architecture:,distribution:,mirror:,password:"
+ LONG_OPTIONS="bind:,script:,name:,architecture:,distribution:,mirror:,no-signature,password:"
OPTIONS="b:,s:,n:,a:,d:,m:,p:"
PARAMETERS="$(getopt --longoptions ${LONG_OPTIONS} --name=${SCRIPT} --options ${OPTIONS} --shell sh -- ${@})"
@@ -75,6 +75,11 @@ Parameters ()
shift 2
;;
+ --no-signature)
+ NO_SIGNATURE="true"
+ shift 1
+ ;;
+
-p|--password)
PASSWORD="${2}"
shift 2
@@ -95,7 +100,7 @@ Parameters ()
Usage ()
{
- echo "Usage: container create -n|--name NAME -s|--script ${SCRIPT} -- [-a|--architecture ARCHITECTURE] [-d|--distribution DISTRIBUTION] [-m|--mirror MIRROR] [-p|--password PASSWORD}" >&2
+ echo "Usage: container create -n|--name NAME -s|--script ${SCRIPT} -- [-a|--architecture ARCHITECTURE] [-d|--distribution DISTRIBUTION] [-m|--mirror MIRROR] [--no-signature] [-p|--password PASSWORD}" >&2
exit 1
}
@@ -143,6 +148,55 @@ echo "Downloading debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz"
curl --progress-bar --http2 --user-agent container-tools/${VERSION} \
${MIRROR}/current/debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz -o "${MACHINES}/${NAME}/system.tar.xz"
+case "${NO_SIGNATURE}" in
+ true)
+ ;;
+
+ *)
+ echo "Downloading debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz.asc"
+
+ curl --progress-bar --http2 --user-agent container-tools/${VERSION} \
+ ${MIRROR}/current/debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz.asc -o "${MACHINES}/${NAME}/system.tar.xz.asc"
+
+ if [ -e /usr/bin/gpgv ]
+ then
+ if [ -e /usr/share/keyrings/debian-keyring.gpg ] || [ -e /usr/share/keyrings/debian-maintainers.gpg ]
+ then
+ KEY_VALID=""
+
+ for KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg
+ do
+ if [ -e "${KEYRING}" ]
+ then
+ echo -n "Verifying signature against $(basename ${KEYRING} .gpg | sed -e 's|-keyring||') keyring: "
+
+ cd "${MACHINES}/${NAME}"
+
+ set +e
+ /usr/bin/gpgv --quiet --keyring ${KEYRING} "system.tar.xz.asc" "system.tar.xz" > /dev/null 2>&1 && KEY_VALID="true" && break
+ set -e
+ fi
+ done
+
+ case "${KEY_VALID}" in
+ true)
+ echo " successful."
+ ;;
+
+ *)
+ echo " failed."
+ return 1
+ ;;
+ esac
+ else
+ echo "Skipping verification, debian-keyring not available."
+ fi
+ else
+ echo "Skipping verification, gpgv not available."
+ fi
+ ;;
+esac
+
echo "Unpacking debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz"
if [ -e /usr/bin/pv ]
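Review bot: The signature-failure arm ends in `return 1`, but this hunk is top-level script code (the hunk context `echo "Downloading ..."` is not inside a function), where `return` is unspecified by POSIX and shell-dependent, so the script may print an error and carry on to unpack the tarball that just failed verification; it should `exit 1` and remove the downloaded files first, as in the fence below. The two `Skipping verification` branches likewise let the download through unverified whenever gpgv or both keyrings are absent, which silently turns the default into `--no-signature`; since that flag already exists as the explicit opt-out, the missing-tool cases should probably fail with a message naming what to install. Accepting any key in debian-keyring.gpg or debian-maintainers.gpg also means a signature from any Debian developer or maintainer passes, not only the key that publishes these images, so pinning a dedicated release keyring would be stronger if one exists. Minor: `cd "${MACHINES}/${NAME}"` inside the loop changes the working directory for the rest of the script, and `echo -n` is not portable under the `sh` that the `getopt --shell sh` call suggests; `printf '%s' "..."` avoids both issues if the path is passed to gpgv instead.
```shell
# … unchanged: .asc download, gpgv and keyring checks, verification loop …
			case "${KEY_VALID}" in
				# … unchanged: true) arm …
				*)
					echo " failed." >&2
					rm -f -- "${MACHINES}/${NAME}/system.tar.xz" "${MACHINES}/${NAME}/system.tar.xz.asc"
					exit 1
					;;
			esac
		else
			echo "Cannot verify system.tar.xz: debian-keyring not available, install it or use --no-signature." >&2
			exit 1
		fi
	else
		echo "Cannot verify system.tar.xz: gpgv not available, install it or use --no-signature." >&2
		exit 1
	fi
```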