summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@open-infrastructure.net>2017-07-22 18:09:18 +0000
committerDaniel Baumann <daniel.baumann@open-infrastructure.net>2017-07-23 08:20:54 +0000
commit382b09e671190bfe52b86957e7f452089a420fb4 (patch)
tree11d8d97c13df493b4333a9449d342b2e140a10fe
parentAdding container key command. (diff)
downloadcompute-tools-382b09e671190bfe52b86957e7f452089a420fb4.tar.xz
compute-tools-382b09e671190bfe52b86957e7f452089a420fb4.zip
Adding GPG signature verification for curl container create script.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
-rwxr-xr-xshare/scripts/curl49
1 files changed, 39 insertions, 10 deletions
diff --git a/share/scripts/curl b/share/scripts/curl
index 59c230f..9b92800 100755
--- a/share/scripts/curl
+++ b/share/scripts/curl
@@ -21,6 +21,7 @@ set -e
SCRIPT="${0}"
HOOKS="/etc/container-tools/hooks"
+KEYS="/etc/container-tools/keys"
MACHINES="/var/lib/machines"
CACHE="/var/cache/container-tools/system"
@@ -176,7 +177,6 @@ done
# FIXME: Show available image directories on server
# FIXME: Fetch debconf-choices.txt to show debconf select
-# FIXME: gpg verification against debian-keyring or local keyring
# FIXME: default server via configuration file
mkdir -p "${CACHE}"
@@ -188,11 +188,20 @@ then
CURL_OPTIONS="${CURL_OPTIONS} --http2"
fi
-for FILE in "${SYSTEM}" "${SYSTEM}.sha512" \
- "${SETUP}" "${SETUP}.sha512"
+for FILE in "${SYSTEM}" "${SYSTEM}.gpg" "${SYSTEM}.sha512" \
+ "${SETUP}" "${SETUP}.gpg" "${SETUP}.sha512"
do
if curl --fail --head --output /dev/null --silent "${SERVER}/${FILE}"
then
+ case "${FILE}" in
+ *.sha512)
+ if [ -e "${CACHE}/$(basename ${FILE} .sha512).gpg" ]
+ then
+ continue
+ fi
+ ;;
+ esac
+
if [ -e "${CACHE}/${FILE}" ]
then
CURL_TIME_COND="--time-cond ${CACHE}/${FILE}"
@@ -206,16 +215,36 @@ do
fi
done
+cd "${CACHE}"
+
for FILE in "${SYSTEM}" "${SETUP}"
do
- cd "${CACHE}"
-
if [ ! -e "${FILE}" ]
then
continue
fi
- if [ -e "${FILE}.sha512" ]
+ if [ -e "${FILE}.gpg" ]
+ then
+ echo -n "Verifying ${FILE}:"
+
+ set +e
+ gpg --homedir "${KEYS}" --verify "${FILE}.gpg" "${FILE}" > /dev/null 2>&1
+ GNUPG="${?}"
+ set -e
+
+ case "${GNUPG}" in
+ 0)
+ echo " gpg ok."
+ continue
+ ;;
+
+ *)
+ echo " gpg failed."
+ exit 1
+ ;;
+ esac
+ elif [ -e "${FILE}.sha512" ]
then
echo -n "Verifying ${FILE}:"
@@ -226,19 +255,19 @@ do
case "${SHA512SUM}" in
0)
- echo " ok."
+ echo " sha512 ok."
;;
*)
- echo " failed."
+ echo " sha512 failed."
exit 1
;;
esac
fi
-
- cd "${OLDPWD}"
done
+cd "${OLDPWD}"
+
case "${SYSTEM}" in
*.gz)
TAR_OPTIONS="--gzip"