From 2b8a60ca8cb9703a20f4b9c20529ef6b6a991833 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 12 Nov 2016 06:59:08 +0100
Subject: Adding signature check for downloads.
Signed-off-by: Daniel Baumann
---
 share/man/container-create-curl.1.txt | 3 ++
 share/scripts/curl | 58 +++++++++++++++++++++++++++++++++--
 2 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/share/man/container-create-curl.1.txt b/share/man/container-create-curl.1.txt
index 46ac45f..3d3168d 100644
--- a/share/man/container-create-curl.1.txt
+++ b/share/man/container-create-curl.1.txt
@@ -60,6 +60,9 @@ The following script options are available:
 *-m, --mirror='MIRROR'*::
 Specify the Debian mirror, defaults to https://files.open-infrastructure.net/images/container-tools.
+*--no-signature*::
+ Does not verify downloaded tarballs with a GnuPG signature.
+
 *-p, --root-password='PASSWORD'*::
 Specify the root password, defaults to a random 16 character password.
diff --git a/share/scripts/curl b/share/scripts/curl
index f8389ce..1358da0 100755
--- a/share/scripts/curl
+++ b/share/scripts/curl
@@ -24,7 +24,7 @@ MACHINES="/var/lib/machines"
 Parameters ()
 {
- LONG_OPTIONS="bind:,script:,name:,architecture:,distribution:,mirror:,password:"
+ LONG_OPTIONS="bind:,script:,name:,architecture:,distribution:,mirror:,no-signature,password:"
 OPTIONS="b:,s:,n:,a:,d:,m:,p:"
 PARAMETERS="$(getopt --longoptions ${LONG_OPTIONS} --name=${SCRIPT} --options ${OPTIONS} --shell sh -- ${@})"
@@ -75,6 +75,11 @@ Parameters ()
 shift 2
 ;;
+ --no-signature)
+ NO_SIGNATURE="true"
+ shift 1
+ ;;
+
 -p|--password)
 PASSWORD="${2}"
 shift 2
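Review bot: `NO_SIGNATURE` is assigned only when the flag is parsed, and no default is visible in this hunk or in the `LONG_OPTIONS` hunk above it, so a `NO_SIGNATURE=true` inherited from the caller's environment would skip verification without `--no-signature` on the command line. If that override is not intended, set `NO_SIGNATURE=""` before the option loop in `Parameters ()`; if it is intended, the man page entry should say so. The body of `Parameters ()` starts and ends outside the hunk, so an initialisation there cannot be ruled out from here.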
@@ -95,7 +100,7 @@ Parameters ()
 Usage ()
 {
- echo "Usage: container create -n|--name NAME -s|--script ${SCRIPT} -- [-a|--architecture ARCHITECTURE] [-d|--distribution DISTRIBUTION] [-m|--mirror MIRROR] [-p|--password PASSWORD}" >&2
+ echo "Usage: container create -n|--name NAME -s|--script ${SCRIPT} -- [-a|--architecture ARCHITECTURE] [-d|--distribution DISTRIBUTION] [-m|--mirror MIRROR] [--no-signature] [-p|--password PASSWORD}" >&2
 exit 1
 }
@@ -143,6 +148,55 @@ echo "Downloading debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz"
 curl --progress-bar --http2 --user-agent container-tools/${VERSION} \
 ${MIRROR}/current/debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz -o "${MACHINES}/${NAME}/system.tar.xz"
+case "${NO_SIGNATURE}" in
+ true)
+ ;;
+
+ *)
+ echo "Downloading debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz.asc"
+
+ curl --progress-bar --http2 --user-agent container-tools/${VERSION} \
+ ${MIRROR}/current/debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz.asc -o "${MACHINES}/${NAME}/system.tar.xz.asc"
+
+ if [ -e /usr/bin/gpgv ]
+ then
+ if [ -e /usr/share/keyrings/debian-keyring.gpg ] || [ -e /usr/share/keyrings/debian-maintainers.gpg ]
+ then
+ KEY_VALID=""
+
+ for KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg
+ do
+ if [ -e "${KEYRING}" ]
+ then
+ echo -n "Verifying signature against $(basename ${KEYRING} .gpg | sed -e 's|-keyring||') keyring: "
+
+ cd "${MACHINES}/${NAME}"
+
+ set +e
+ /usr/bin/gpgv --quiet --keyring ${KEYRING} "system.tar.xz.asc" "system.tar.xz" > /dev/null 2>&1 && KEY_VALID="true" && break
+ set -e
+ fi
+ done
+
+ case "${KEY_VALID}" in
+ true)
+ echo " successful."
+ ;;
+
+ *)
+ echo " failed."
+ return 1
+ ;;
+ esac
+ else
+ echo "Skipping verification, debian-keyring not available."
+ fi
+ else
+ echo "Skipping verification, gpgv not available."
+ fi
+ ;;
+esac
+
 echo "Unpacking debian-${DISTRIBUTION}_${ARCHITECTURE}.tar.xz"
 if [ -e /usr/bin/pv ]
--
cgit v1.2.3
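Review bot: Verification fails open in the two `else` branches of the new `case`: when `/usr/bin/gpgv` or both keyrings are missing, the script only prints "Skipping verification" and goes on to unpack, so a host without those packages gets an unverified image even though `--no-signature` was not given. On the success path `&& break` leaves the loop before `set -e` runs, so errexit stays disabled for the rest of the script; testing gpgv in an `if` removes the need for `set +e` altogether. The failure branch uses `return 1` at what appears to be the top level of the script, whereas `Usage ()` in this file ends with `exit 1`. Separately, a signature from any key in debian-keyring.gpg or debian-maintainers.gpg is accepted, which is much broader than the key that signs these images; a dedicated keyring for the image publisher would be tighter.

```sh
# … unchanged: .asc download, gpgv and keyring presence checks, for KEYRING loop header, echo, cd …
				# A command tested by `if` does not trip errexit, so set +e / set -e
				# are not needed and errexit is not left off when the loop breaks.
				if /usr/bin/gpgv --quiet --keyring "${KEYRING}" "system.tar.xz.asc" "system.tar.xz" > /dev/null 2>&1
				then
					KEY_VALID="true"
					break
				fi
# … unchanged: fi, done, case "${KEY_VALID}" (true branch) …
				*)
					echo " failed."
					exit 1
					;;
			esac
		else
			echo "debian-keyring not available, refusing to unpack an unverified image (use --no-signature to override)." >&2
			exit 1
		fi
	else
		echo "gpgv not available, refusing to unpack an unverified image (use --no-signature to override)." >&2
		exit 1
	fi
```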