From 840a815d620a629b093bd849b7d6e60f94f087e3 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Wed, 28 Oct 2020 17:25:15 +0100
Subject: image: T3027: do not rely on the ISO filename when calculating sha256 hash

Updating a running VyOS installation by using the "add system image" command pointing to https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso will break the validation due to filename missmatch. The root cause for this is the sha256 checksum file itself. It contains the hash and the filename used when hashing. When running "sha256sum --check" during the upgrade it expects the "real" filename when calculating and verifying the hash. The real filename differs when using the vyos-rolling-latest.iso symlink on the webserver as it will tell the running VyOS installation a different filename and the validation fails. This is now fixed by not depending on the filename when verifying the hash. We simply calculate the hash of the downloaded file and compare it to the has we saved inside the checksum file and totally ignore the filename itself.
---
 scripts/install/install-image | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/install/install-image b/scripts/install/install-image
index 58362357..57fd86eb 100755
--- a/scripts/install/install-image
+++ b/scripts/install/install-image
@@ -170,7 +170,7 @@ fetch_iso_by_url ()
 # checksum validation must be performed in the download directory because
 # of the relative path inside the checksum file
 cd ${TEMP_DIR}
- sha256sum --check --quiet ${NEW_ISO##*/}.sha256
+ echo $(cat ${NEW_ISO##*/}.sha256 | awk '{print $1}') ${NEW_ISO##*/} | sha256sum --check --quiet
 if [ $? -ne 0 ]; then
 echo "Signature check FAILED."
 fail_exit 'Installation will not be performed.'
-- cgit v1.2.3
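Review bot: The added line leaves `${NEW_ISO##*/}` and the command substitution unquoted, so a URL-derived file name containing whitespace or glob characters is word-split or expanded before `sha256sum --check` reads it, and a checksum file with more than one line yields a malformed entry. Quoting and taking only the first line keeps it to one well-formed record: `printf '%s  %s\n' "$(awk 'NR==1 {print $1}' "${NEW_ISO##*/}.sha256")" "${NEW_ISO##*/}" | sha256sum --check --quiet`. The comment above `cd ${TEMP_DIR}` is now stale, since the path inside the checksum file is ignored; `# run in the download directory: the ISO is referenced by its bare file name` would match the new behaviour. The failure text "Signature check FAILED." also overstates what is verified: this is a SHA-256 digest comparison, which detects corruption but authenticates the image only if the .sha256 file is itself obtained or verified through a trusted channel (how it is fetched is outside the hunk). fetch_iso_by_url starts and ends outside the hunk.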