From 382b09e671190bfe52b86957e7f452089a420fb4 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 22 Jul 2017 20:09:18 +0200 Subject: Adding GPG signature verification for curl container create script. Signed-off-by: Daniel Baumann --- share/scripts/curl | 49 +++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 39 insertions(+), 10 deletions(-) diff --git a/share/scripts/curl b/share/scripts/curl index 59c230f..9b92800 100755 --- a/share/scripts/curl +++ b/share/scripts/curl @@ -21,6 +21,7 @@ set -e SCRIPT="${0}" HOOKS="/etc/container-tools/hooks" +KEYS="/etc/container-tools/keys" MACHINES="/var/lib/machines" CACHE="/var/cache/container-tools/system" @@ -176,7 +177,6 @@ done # FIXME: Show available image directories on server # FIXME: Fetch debconf-choices.txt to show debconf select -# FIXME: gpg verification against debian-keyring or local keyring # FIXME: default server via configuration file mkdir -p "${CACHE}" @@ -188,11 +188,20 @@ then CURL_OPTIONS="${CURL_OPTIONS} --http2" fi -for FILE in "${SYSTEM}" "${SYSTEM}.sha512" \ - "${SETUP}" "${SETUP}.sha512" +for FILE in "${SYSTEM}" "${SYSTEM}.gpg" "${SYSTEM}.sha512" \ + "${SETUP}" "${SETUP}.gpg" "${SETUP}.sha512" do if curl --fail --head --output /dev/null --silent "${SERVER}/${FILE}" then + case "${FILE}" in + *.sha512) + if [ -e "${CACHE}/$(basename ${FILE} .sha512).gpg" ] + then + continue + fi + ;; + esac + if [ -e "${CACHE}/${FILE}" ] then CURL_TIME_COND="--time-cond ${CACHE}/${FILE}" 
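Review bot: `KEYS` is later handed to `gpg --homedir`, so the path has to be a GnuPG home directory (public keyring plus the files gpg keeps there), not a single exported key file, and gpg will create or update its own state inside it when it runs; nothing on this line or in the description says how that directory is populated or which keys belong in it. A comment here would save the next maintainer from shipping a bare `.asc` file: `# GnuPG home directory (not a loose key file): only keys that may sign images go in here`. Whether the script runs as root and can write there is not visible in the hunk.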
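Review bot: The new `case` skips downloading `${FILE}.sha512` whenever a `.gpg` is present in the cache, but that test does not distinguish a signature fetched in this run from a stale one left over from an earlier image; if the server has since dropped the signature, the `curl --head` probe for `${SYSTEM}.gpg` fails, the old `.gpg` stays, the checksum is never fetched, and the later verification pairs the new image with the old signature (it should fail, but for a misleading reason). Testing for the signature of the file downloaded in this loop would be clearer, and the substitution needs its expansion quoted: `if [ -e "${CACHE}/$(basename "${FILE}" .sha512).gpg" ]`. The surrounding `for`/`if` bodies continue past the end of the hunk.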
@@ -206,16 +215,36 @@ do fi done +cd "${CACHE}" + for FILE in "${SYSTEM}" "${SETUP}" do - cd "${CACHE}" - if [ ! -e "${FILE}" ] then continue fi - if [ -e "${FILE}.sha512" ] + if [ -e "${FILE}.gpg" ] + then + echo -n "Verifying ${FILE}:" + + set +e + gpg --homedir "${KEYS}" --verify "${FILE}.gpg" "${FILE}" > /dev/null 2>&1 + GNUPG="${?}" + set -e + + case "${GNUPG}" in + 0) + echo " gpg ok." + continue + ;; + + *) + echo " gpg failed." + exit 1 + ;; + esac + elif [ -e "${FILE}.sha512" ] then echo -n "Verifying ${FILE}:" @@ -226,19 +255,19 @@ do case "${SHA512SUM}" in 0) - echo " ok." + echo " sha512 ok." ;; *) - echo " failed." + echo " sha512 failed." exit 1 ;; esac fi - - cd "${OLDPWD}" done +cd "${OLDPWD}" + case "${SYSTEM}" in *.gz) TAR_OPTIONS="--gzip" -- cgit v1.2.3
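Review bot: The signature check in the new `if [ -e "${FILE}.gpg" ]` branch is only applied when a `.gpg` was served, and `gpg --verify` exits 0 for a good signature by any key in `${KEYS}` without pinning which key is expected, so a server that simply omits the `.gpg` (and `.sha512`) falls through the `if`/`elif` with no `else` and the image is used unverified; the `if` is closed in the following hunk and the enclosing `for` loop ends outside this one. Verification should require a signature, and the `VALIDSIG` status line should be matched against a configured fingerprint rather than trusting the exit code alone; `> /dev/null 2>&1` also discards the reason for a failure, which is exactly what an operator needs when a download is rejected. An `else` arm on the closing `fi` in the next hunk, `echo "Verifying ${FILE}: no signature or checksum available." ; exit 1`, closes the downgrade path; the rewritten branch below shows the key pinning.
```shell
	if [ -e "${FILE}.gpg" ]
	then
		echo -n "Verifying ${FILE}:"

		set +e
		# --status-fd 1 yields machine-readable status lines; stderr is still discarded
		GNUPG_STATUS="$(gpg --homedir "${KEYS}" --status-fd 1 --verify "${FILE}.gpg" "${FILE}" 2>/dev/null)"
		GNUPG="${?}"
		set -e

		# a good signature is not enough: it must come from the configured image-signing key.
		# IMAGE_SIGNING_FINGERPRINT is a placeholder for a fingerprint read from configuration.
		if [ "${GNUPG}" -eq 0 ] && printf '%s\n' "${GNUPG_STATUS}" | grep -q "^\[GNUPG:\] VALIDSIG ${IMAGE_SIGNING_FINGERPRINT} "
		then
			echo " gpg ok."
			continue
		fi

		echo " gpg failed."
		exit 1
	elif [ -e "${FILE}.sha512" ]
	# … unchanged: sha512 verification branch …
```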