author | Daniil Baturin <daniil@vyos.io> | 2021-08-27 01:44:05 +0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-27 01:44:05 +0700 |
commit | 6fb0e5a816958f2ef294889fb33ae7a835777966 (patch) | |
tree | f7652e187786ed44dbf7ed6f98f9e7471acda14b | |
parent | acf57327e456543aeff8d2c97c26aa711085e868 (diff) | |
parent | 6de0d557563f11432f5536a6df8140bf5902423a (diff) | |
Merge pull request #165 from c-po/crux
install-image: T2108: verify image by using minisign over GPG
-rwxr-xr-x | scripts/install/install-image | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/scripts/install/install-image b/scripts/install/install-image
index dbdd5901..5482804e 100755
--- a/scripts/install/install-image
+++ b/scripts/install/install-image
@@ -102,7 +102,10 @@ fetch_iso_by_url ()
 echo "ISO download succeeded."
 echo "Checking for digital signature file..."
- curl -L -H "User-Agent: VyOS/$vyos_version" $auth -f -o ${filename}.asc ${NEW_ISO}.asc
+ curl -L -H "User-Agent: VyOS/$vyos_version" $auth -f -o ${filename}.minisig ${NEW_ISO}.minisig
+ if [ $? -ne 0 ]; then
+ curl -L -H "User-Agent: VyOS/$vyos_version" $auth -f -o ${filename}.asc ${NEW_ISO}.asc
+ fi
 if [ $? -ne 0 ]; then
 echo "Unable to fetch digital signature file."
 echo -n "Do you want to continue without signature check? (yes/no) [yes] "
@@ -114,7 +117,24 @@ fetch_iso_by_url ()
 fi
 # In case signature file was partially downloaded...
- rm -f ${filename}.asc
+ rm -f ${filename}.asc ${filename}.minisig
+ fi
+
+ if [ -e ${filename}.minisig ]; then
+ echo "Found it. Checking digital signature..."
+ minisign -V -q -p /usr/share/vyos/keys/vyos-release.minisign.pub -m ${filename} -x ${filename}.minisig
+ if [ $? -ne 0 ]; then
+ echo "Signature check FAILED."
+ echo -n "Do you want to continue anyway? (yes/no) [no] "
+ response=$(get_response "No" "Yes No Y N")
+ if [ "$response" == "no" ] || [ "$response" == "n" ]; then
+ fail_exit 'OK. Installation will not be performed.'
+ fi
+
+ echo "OK. Proceeding with installation anyway."
+ else
+ echo "Digital signature is valid."
+ fi
 fi
 if [ -e ${filename}.asc ]; then
@@ -127,7 +147,7 @@ fetch_iso_by_url ()
 if [ "$response" == "no" ] || [ "$response" == "n" ]; then
 fail_exit 'OK. Installation will not be performed.'
 fi
-
+
 echo "OK. Proceeding with installation anyway."
 else
 echo "Digital signature is valid." |
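Review bot: The unchanged `if [ $? -ne 0 ]; then` that follows the new fallback block no longer tests a curl directly; it sees the status of the whole `if … fi` compound, which is 0 after a successful .minisig download only because no branch ran. That is correct today but fragile: any extra command added inside the fallback branch (an `echo`, for instance) would make a failed .asc download look like success and skip the "Unable to fetch digital signature file." prompt. Capturing the result explicitly, e.g. `sig_rc=$?` after each curl and testing `[ "$sig_rc" -ne 0 ]`, would keep the missing-signature path reliable. If a failed first attempt can leave a partial `${filename}.minisig` behind, it appears to be removed only in the both-failed branch, so an `rm -f ${filename}.minisig` inside the fallback branch would stop the later `-e ${filename}.minisig` test from picking it up. fetch_iso_by_url starts and ends outside this hunk.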
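Review bot: Every non-zero exit from `minisign` is reported as "Signature check FAILED.", which also covers the cases where the `minisign` binary or `/usr/share/vyos/keys/vyos-release.minisign.pub` is absent on the running system; that seems plausible when the installer runs on a release that predates this change. Users would then see a failure for a genuine image and get used to answering yes to "continue anyway", which undermines the check. Consider testing the prerequisites first, e.g. `command -v minisign >/dev/null && [ -r /usr/share/vyos/keys/vyos-release.minisign.pub ]`, and printing a distinct "cannot verify" message when they are missing. The `${filename}` expansions in the new lines are unquoted, so a path containing spaces or glob characters would split into several arguments; `"${filename}.minisig"` avoids that.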