faerbit/archiso
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add the verify=y option to verify the squashfs signature with gpg

Browse Source
This commit is contained in:
Thomas Bächler 2016-02-13 01:08:49 +01:00 committed by Gerardo Exequiel Pozzi
parent 249a52d941
commit 1a59eb3792
3 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
archiso/initcpio/hooks/archiso
View File

@ -105,6 +105,15 @@ _verify_checksum() {
return ${_status} return ${_status}
} }
_verify_signature() {
local _status
cd "/run/archiso/bootmnt/${archisobasedir}/${arch}"
gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG'
_status=$?
cd "${OLDPWD}"
return ${_status}
}
run_hook() { run_hook() {
[[ -z "${arch}" ]] && arch="$(uname -m)" [[ -z "${arch}" ]] && arch="$(uname -m)"
[[ -z "${copytoram_size}" ]] && copytoram_size="75%" [[ -z "${copytoram_size}" ]] && copytoram_size="75%"
@ -159,6 +168,21 @@ archiso_mount_handler() {
fi fi
fi fi
if [[ "${verify}" == "y" ]]; then
if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sfs.sig" ]]; then
msg -n ":: Signature verification requested, please wait..."
if _verify_signature; then
msg "done. Signature is OK, continue booting."
else
echo "ERROR: one or more files are corrupted"
launch_interactive_shell
fi
else
echo "ERROR: verify=y option specified but ${archisobasedir}/${arch}/airootfs.sfs.sig not found"
launch_interactive_shell
fi
fi
if [[ "${copytoram}" == "y" ]]; then if [[ "${copytoram}" == "y" ]]; then
msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}" msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}"
mkdir -p /run/archiso/copytoram mkdir -p /run/archiso/copytoram

3
archiso/initcpio/hooks/archiso_pxe_http
View File

@ -39,6 +39,9 @@ archiso_pxe_http_mount_handler () {
if [[ "${checksum}" == "y" ]]; then if [[ "${checksum}" == "y" ]]; then
_curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}" _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}"
fi fi
if [[ "${verify}" == "y" ]]; then
_curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}"
fi
mkdir -p "/run/archiso/bootmnt" mkdir -p "/run/archiso/bootmnt"
mount -o bind /run/archiso/httpspace /run/archiso/bootmnt mount -o bind /run/archiso/httpspace /run/archiso/bootmnt

1
archiso/initcpio/install/archiso
View File

@ -15,6 +15,7 @@ build() {
add_binary mountpoint add_binary mountpoint
add_binary truncate add_binary truncate
add_binary gpg add_binary gpg
add_binary grep
add_file /usr/lib/udev/rules.d/60-cdrom_id.rules add_file /usr/lib/udev/rules.d/60-cdrom_id.rules
add_file /usr/lib/udev/rules.d/10-dm.rules add_file /usr/lib/udev/rules.d/10-dm.rules