diff options
author | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2017-07-22 18:09:18 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2017-07-23 08:20:54 +0000 |
commit | 382b09e671190bfe52b86957e7f452089a420fb4 (patch) | |
tree | 11d8d97c13df493b4333a9449d342b2e140a10fe /share/scripts/curl | |
parent | Adding container key command. (diff) | |
download | compute-tools-382b09e671190bfe52b86957e7f452089a420fb4.tar.xz compute-tools-382b09e671190bfe52b86957e7f452089a420fb4.zip |
Adding GPG signature verification for curl container create script.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
Diffstat (limited to 'share/scripts/curl')
-rwxr-xr-x | share/scripts/curl | 49 |
1 files changed, 39 insertions, 10 deletions
diff --git a/share/scripts/curl b/share/scripts/curl index 59c230f..9b92800 100755 --- a/share/scripts/curl +++ b/share/scripts/curl @@ -21,6 +21,7 @@ set -e SCRIPT="${0}" HOOKS="/etc/container-tools/hooks" +KEYS="/etc/container-tools/keys" MACHINES="/var/lib/machines" CACHE="/var/cache/container-tools/system" @@ -176,7 +177,6 @@ done # FIXME: Show available image directories on server # FIXME: Fetch debconf-choices.txt to show debconf select -# FIXME: gpg verification against debian-keyring or local keyring # FIXME: default server via configuration file mkdir -p "${CACHE}" @@ -188,11 +188,20 @@ then CURL_OPTIONS="${CURL_OPTIONS} --http2" fi -for FILE in "${SYSTEM}" "${SYSTEM}.sha512" \ - "${SETUP}" "${SETUP}.sha512" +for FILE in "${SYSTEM}" "${SYSTEM}.gpg" "${SYSTEM}.sha512" \ + "${SETUP}" "${SETUP}.gpg" "${SETUP}.sha512" do if curl --fail --head --output /dev/null --silent "${SERVER}/${FILE}" then + case "${FILE}" in + *.sha512) + if [ -e "${CACHE}/$(basename ${FILE} .sha512).gpg" ] + then + continue + fi + ;; + esac + if [ -e "${CACHE}/${FILE}" ] then CURL_TIME_COND="--time-cond ${CACHE}/${FILE}" @@ -206,16 +215,36 @@ do fi done +cd "${CACHE}" + for FILE in "${SYSTEM}" "${SETUP}" do - cd "${CACHE}" - if [ ! -e "${FILE}" ] then continue fi - if [ -e "${FILE}.sha512" ] + if [ -e "${FILE}.gpg" ] + then + echo -n "Verifying ${FILE}:" + + set +e + gpg --homedir "${KEYS}" --verify "${FILE}.gpg" "${FILE}" > /dev/null 2>&1 + GNUPG="${?}" + set -e + + case "${GNUPG}" in + 0) + echo " gpg ok." + continue + ;; + + *) + echo " gpg failed." + exit 1 + ;; + esac + elif [ -e "${FILE}.sha512" ] then echo -n "Verifying ${FILE}:" @@ -226,19 +255,19 @@ do case "${SHA512SUM}" in 0) - echo " ok." + echo " sha512 ok." ;; *) - echo " failed." + echo " sha512 failed." exit 1 ;; esac fi - - cd "${OLDPWD}" done +cd "${OLDPWD}" + case "${SYSTEM}" in *.gz) TAR_OPTIONS="--gzip" |