author | Christian Poessinger <christian@poessinger.com> | 2020-10-28 17:25:15 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-10-28 17:25:23 +0100 |
commit | 840a815d620a629b093bd849b7d6e60f94f087e3 (patch) | |
tree | 3c48cd67364934693cb937726e38a0cc99a85d66 /scripts/install | |
parent | 63162ff9d1ca8c7ecef2f37b958e9436a0c9bf62 (diff) | |
download | vyatta-cfg-system-840a815d620a629b093bd849b7d6e60f94f087e3.tar.gz vyatta-cfg-system-840a815d620a629b093bd849b7d6e60f94f087e3.zip |
image: T3027: do not rely on the ISO filename when calculating sha256 hash

Updating a running VyOS installation by using the "add system image" command
pointing to https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
will break the validation due to filename mismatch.

The root cause for this is the sha256 checksum file itself. It contains the hash
and the filename used when hashing. When running "sha256sum --check" during the
upgrade it expects the "real" filename when calculating and verifying the hash.
The real filename differs when using the vyos-rolling-latest.iso symlink on the
webserver as it will tell the running VyOS installation a different filename and
the validation fails.

This is now fixed by not depending on the filename when verifying the hash. We
simply calculate the hash of the downloaded file and compare it to the hash we
saved inside the checksum file and totally ignore the filename itself.

Diffstat (limited to 'scripts/install')
-rwxr-xr-x | scripts/install/install-image | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/scripts/install/install-image b/scripts/install/install-image index 58362357..57fd86eb 100755 --- a/scripts/install/install-image +++ b/scripts/install/install-image @@ -170,7 +170,7 @@ fetch_iso_by_url () # checksum validation must be performed in the download directory because # of the relative path inside the checksum file cd ${TEMP_DIR} - sha256sum --check --quiet ${NEW_ISO##*/}.sha256 + echo $(cat ${NEW_ISO##*/}.sha256 | awk '{print $1}') ${NEW_ISO##*/} | sha256sum --check --quiet if [ $? -ne 0 ]; then echo "Signature check FAILED." fail_exit 'Installation will not be performed.' |
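
Review bot: On the added `echo $(cat ${NEW_ISO##*/}.sha256 | awk '{print $1}') ${NEW_ISO##*/} | sha256sum --check --quiet` line, the command substitution and both `${NEW_ISO##*/}` expansions are unquoted, and awk prints the first field of every line, so a checksum file with more than one line (or a filename containing whitespace) is word-split and rejoined by `echo` into one line that no longer has the hash-then-filename shape. That case, and a missing or empty `.sha256` file, should still end in the `$? -ne 0` branch, but the user gets a failure that has nothing to do with the ISO contents. Suggest letting awk read the file directly and take only the first record (`awk 'NR==1 {print $1}' "${NEW_ISO##*/}.sha256"`), quoting the expansions, and failing with a distinct message when the extracted hash is empty. Separately, the unchanged context line prints "Signature check FAILED." while the step verifies a SHA-256 checksum rather than a signature; worth correcting the wording while this block is being touched so the message does not overstate what was checked.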