diff options
| author | Daniil Baturin <daniil@vyos.io> | 2021-08-27 01:44:16 +0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-08-27 01:44:16 +0700 |
| commit | 15b3f67cddf1d1d6c5fc5e1be1279ee2dcd3b00f (patch) | |
| tree | 6afb974ef68979da7ef3bb4abf5332fda625eeff | |
| parent | c29ee29e6a702bf293b9840b6594755aaa179b75 (diff) | |
| parent | 3a27a4fca63ed5d6310ff66ad1cf95992f2d5d39 (diff) | |
| download | vyatta-cfg-system-15b3f67cddf1d1d6c5fc5e1be1279ee2dcd3b00f.tar.gz vyatta-cfg-system-15b3f67cddf1d1d6c5fc5e1be1279ee2dcd3b00f.zip | |
Merge pull request #163 from c-po/t2108-minisign-equuleus
install-image: T2108: verify image by using minisign over GPG
| -rwxr-xr-x | scripts/install/install-image | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/scripts/install/install-image b/scripts/install/install-image index 57fd86eb..b402ff7f 100755 --- a/scripts/install/install-image +++ b/scripts/install/install-image @@ -182,7 +182,13 @@ fetch_iso_by_url () fi echo "Checking for digital signature file..." - ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.asc ${NEW_ISO}.asc + # XXX: T2108: We will first download and try to verify the image using the + # generated minisign signature. If this fails, we try to retrieve the GPG + # signature file. + ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.minisig ${NEW_ISO}.minisig + if [ $? -ne 0 ]; then + ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.asc ${NEW_ISO}.asc + fi if [ $? -ne 0 ]; then echo "Unable to fetch digital signature file." echo -n "Do you want to continue without signature check? (yes/no) [yes] " @@ -193,7 +199,24 @@ fetch_iso_by_url () fail_exit 'OK. Installation will not be performed.' fi # In case signature file was partially downloaded... - rm -f ${filename}.asc + rm -f ${filename}.asc ${filename}.minisig + fi + + if [ -e ${filename}.minisig ]; then + echo "Found it. Checking digital signature..." + minisign -V -q -p /usr/share/vyos/keys/vyos-release.minisign.pub -m ${filename} -x ${filename}.minisig + if [ $? -ne 0 ]; then + echo "Signature check FAILED." + echo -n "Do you want to continue anyway? (yes/no) [no] " + response=$(get_response "No" "Yes No Y N") + if [ "$response" == "no" ] || [ "$response" == "n" ]; then + fail_exit 'OK. Installation will not be performed.' + fi + + echo "OK. Proceeding with installation anyway." + else + echo "Digital signature is valid." + fi fi if [ -e ${filename}.asc ]; then |