diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-08-26 20:08:56 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-08-26 20:08:56 +0200 |
| commit | 3a27a4fca63ed5d6310ff66ad1cf95992f2d5d39 (patch) | |
| tree | 6afb974ef68979da7ef3bb4abf5332fda625eeff | |
| parent | c29ee29e6a702bf293b9840b6594755aaa179b75 (diff) | |
| download | vyatta-cfg-system-3a27a4fca63ed5d6310ff66ad1cf95992f2d5d39.tar.gz vyatta-cfg-system-3a27a4fca63ed5d6310ff66ad1cf95992f2d5d39.zip | |
install-image: T2108: verify image by using minisign over GPG
We will first download and try to verify the image using the generated minisign
signature. If this fails, we try to retrieve the GPG signature file.
| -rwxr-xr-x | scripts/install/install-image | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/scripts/install/install-image b/scripts/install/install-image index 57fd86eb..b402ff7f 100755 --- a/scripts/install/install-image +++ b/scripts/install/install-image @@ -182,7 +182,13 @@ fetch_iso_by_url () fi echo "Checking for digital signature file..." - ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.asc ${NEW_ISO}.asc + # XXX: T2108: We will first download and try to verify the image using the + # generated minisign signature. If this fails, we try to retrieve the GPG + # signature file. + ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.minisig ${NEW_ISO}.minisig + if [ $? -ne 0 ]; then + ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.asc ${NEW_ISO}.asc + fi if [ $? -ne 0 ]; then echo "Unable to fetch digital signature file." echo -n "Do you want to continue without signature check? (yes/no) [yes] " @@ -193,7 +199,24 @@ fetch_iso_by_url () fail_exit 'OK. Installation will not be performed.' fi # In case signature file was partially downloaded... - rm -f ${filename}.asc + rm -f ${filename}.asc ${filename}.minisig + fi + + if [ -e ${filename}.minisig ]; then + echo "Found it. Checking digital signature..." + minisign -V -q -p /usr/share/vyos/keys/vyos-release.minisign.pub -m ${filename} -x ${filename}.minisig + if [ $? -ne 0 ]; then + echo "Signature check FAILED." + echo -n "Do you want to continue anyway? (yes/no) [no] " + response=$(get_response "No" "Yes No Y N") + if [ "$response" == "no" ] || [ "$response" == "n" ]; then + fail_exit 'OK. Installation will not be performed.' + fi + + echo "OK. Proceeding with installation anyway." + else + echo "Digital signature is valid." + fi fi if [ -e ${filename}.asc ]; then |