From b5e7192e911692bcd28748674f84a56c5c125aab Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 26 Aug 2021 20:27:33 +0200 Subject: install-image: T2108: verify image by using minisign over GPG We will first download and try to verify the image using the generated minisign signature. If this fails, we try to retrieve the GPG signature file. --- scripts/install/install-image | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/install/install-image b/scripts/install/install-image index 328682fa..a8fbc5be 100755 --- a/scripts/install/install-image +++ b/scripts/install/install-image @@ -121,12 +121,15 @@ fetch_iso_by_url () echo "Done." echo "Checking for digital signature file..." - download_file "${filename}.asc" "${NEW_ISO}.asc" + download_file "${filename}.minisig" "${NEW_ISO}.minisig" + if [ $? -ne 0 ]; then + download_file "${filename}.asc" "${NEW_ISO}.asc" + fi if [ $? -ne 0 ]; then echo -n "Do you want to continue without signature check? (yes/no) [yes] " # In case signature file was partially downloaded... - rm -f ${filename}.asc + rm -f ${filename}.asc ${filename}.minisig response=$(get_response "Yes" "Yes No Y N") if [ "$response" == "no" ] || [ "$response" == "n" ]; then @@ -134,7 +137,11 @@ fetch_iso_by_url () fi else echo "Checking digital signature..." - gpg --keyring /etc/apt/trusted.gpg --verify ${filename}.asc + if [ -f ${filename}.minisig ]; then + minisign -V -q -p /usr/share/vyos/keys/vyos-release.minisign.pub -m ${filename} -x ${filename}.minisig + elif [ -f ${filename}.asc ]; then + gpg --keyring /etc/apt/trusted.gpg --verify ${filename}.asc + fi if [ $? -ne 0 ]; then echo "Signature check FAILED." echo -n "Do you want to continue anyway? (yes/no) [no] " -- cgit v1.2.3