author Christian Poessinger <christian@poessinger.com> 2020-10-28 17:25:15 +0100
committer Christian Poessinger <christian@poessinger.com> 2020-10-28 17:25:23 +0100
commit 840a815d620a629b093bd849b7d6e60f94f087e3
tree 3c48cd67364934693cb937726e38a0cc99a85d66
parent 63162ff9d1ca8c7ecef2f37b958e9436a0c9bf62
image: T3027: do not rely on the ISO filename when calculating sha256 hash
Updating a running VyOS installation by using the "add system image" command pointing to https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso will break the validation due to filename mismatch. The root cause for this is the sha256 checksum file itself. It contains the hash and the filename used when hashing. When running "sha256sum --check" during the upgrade it expects the "real" filename when calculating and verifying the hash. The real filename differs when using the vyos-rolling-latest.iso symlink on the webserver as it will tell the running VyOS installation a different filename and the validation fails. This is now fixed by not depending on the filename when verifying the hash. We simply calculate the hash of the downloaded file and compare it to the hash we saved inside the checksum file and totally ignore the filename itself.
-rwxr-xr-x scripts/install/install-image 2
1 files changed, 1 insertions, 1 deletions
diff --git a/scripts/install/install-image b/scripts/install/install-image
index 58362357..57fd86eb 100755
--- a/scripts/install/install-image
+++ b/scripts/install/install-image
@@ -170,7 +170,7 @@ fetch_iso_by_url ()
# checksum validation must be performed in the download directory because
# of the relative path inside the checksum file
cd ${TEMP_DIR}
- sha256sum --check --quiet ${NEW_ISO##*/}.sha256
+ echo $(cat ${NEW_ISO##*/}.sha256 | awk '{print $1}') ${NEW_ISO##*/} | sha256sum --check --quiet
if [ $? -ne 0 ]; then
echo "Signature check FAILED."
fail_exit 'Installation will not be performed.'
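Review bot: The added `echo $(cat ...) ... | sha256sum --check --quiet` line takes the first field of every line in the checksum file and leaves all expansions unquoted, so a checksum file with more than one line, or an ISO name containing whitespace, produces a check line that sha256sum cannot match against the downloaded file. Suggest reading only the first line's hash with `awk 'NR==1 {print $1}' "${NEW_ISO##*/}.sha256"` (which also drops the extra `cat`), quoting `"${NEW_ISO##*/}"`, and building the line with `printf '%s  %s\n'` so it uses the two-space layout that sha256sum itself writes. The comment just above, which says validation must run in the download directory "because of the relative path inside the checksum file", no longer describes the code now that the filename in that file is ignored; the `cd` is still needed for the bare ISO name, so the comment should say that instead. Separately, the context line prints "Signature check FAILED." although what runs here is a checksum comparison, not a signature verification; wording it as a checksum failure would avoid implying an authenticity check.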