Resolve "Check GPG signatures of Yunohost images"

1ab97369 · HgO · Ilja · 718b4445 · 1ab97369
Commit 1ab97369 authored Dec 07, 2019 by HgO Committed by Ilja Dec 07, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 70 additions and 33 deletions

neutrinet_cube_install.sh neutrinet_cube_install.sh +70 -33

No files found.
--- a/neutrinet_cube_install.sh
+++ b/neutrinet_cube_install.sh
@@ -33,6 +33,10 @@ INTERNETCUBE_PREFIX="internetcube"
 YUNOHOST_PREFIX="yunohost"
 CUBE_RESOURCES_LOCATION="cube_resources"

+GPG_HOME_DIR=".gnupg"
+GPG_YUNOHOST_KEY="0x360AAF3259A3E6FF"
+GPG_KEYSERVER="keyserver.ubuntu.com"
+
 CUBE_BUILD_SCRIPT_LOCATION="https://github.com/labriqueinternet/build.labriqueinter.net.git"
 CUBE_BUILD_SCRIPT_REVISION="b755e06f96e4612a1c247601ea12900f1e34e767"
 CUBE_BUILD_SCRIPT_DIR="yunocube"
@@ -58,7 +62,7 @@ WIFI_SSID_PATTERN='^[\w\d\-_\.,!\? ]{1,32}$'
 WIFI_PASSWORD_PATTERN='^[^\{\}]{8,63}$'
 REQUIRED_FIELD_PATTERN='^.+$'

-DEPENDENCIES="git curl jq sha256sum md5sum unzip sudo"
+DEPENDENCIES="git curl jq sha256sum unzip sudo gpg"

 #=================================================
 # HELPERS
@@ -239,6 +243,53 @@ function confirm() {
  return $?
 }

+function prompt_continue_install() {
+  if ! confirm "Do you really want to continue with the installation?" "n"
+  then
+    return 1
+  fi
+}
+
+function check_integrity() {
+  local checksum=$1
+  local filename=$2
+
+  info "Verifying file integrity for $filename..."
+  if ! sha256sum --quiet -c <<< "$checksum $filename"
+  then
+    warn "Couldn't verify file integrity of $filename!!!"
+    prompt_continue_install
+  else
+    info "File integrity successfully verified!"
+  fi
+}
+
+function check_gpg() {
+  local signature_file=$1
+  local filename=$2
+
+  info "Verifying GPG signature for $filename..."
+
+  if ! gpg -q --no-tty --batch --trust-model always \
+    --homedir "$GPG_HOME_DIR" \
+    --keyserver "$GPG_KEYSERVER" \
+    --recv-key "$GPG_YUNOHOST_KEY"
+  then
+    warn "Couldn't import Yunohost GPG key ($GPG_YUNOHOST_KEY) from $GPG_KEYSERVER"
+    prompt_continue_install
+  fi
+
+  if ! gpg -q --no-tty --batch --trust-model always --no-options \
+    --homedir "$GPG_HOME_DIR" \
+    --verify "$signature_file" "$filename"
+  then
+    warn "Couldn't verify GPG signature!!!"
+    prompt_continue_install
+  else
+    info "GPG signature successfully verified!"
+  fi
+}
+
 function check_sudo() {
  if ! command -v sudo > /dev/null
  then
@@ -260,16 +311,7 @@ function download_install_sd_script() {
  cd $CUBE_RESOURCES_LOCATION

  curl --show-error --fail --silent --output "$INSTALL_SD_SCRIPT_NAME" "$INSTALL_SD_SCRIPT_LOCATION/$INSTALL_SD_SCRIPT_NAME"
-
-  info "Checking integrity of $INSTALL_SD_SCRIPT_NAME..."
-  if ! sha256sum -c <<< "$INSTALL_SD_SCRIPT_SHA256SUM  $INSTALL_SD_SCRIPT_NAME"
-  then
-    warn "Cannot verify the integrity of $INSTALL_SD_SCRIPT_NAME!!!"
-    if ! confirm "Do you really want to continue with the installation?" "n"
-    then
-      exit 1
-    fi
-  fi
+  check_integrity "$INSTALL_SD_SCRIPT_SHA256SUM" "$INSTALL_SD_SCRIPT_NAME"

  chmod u+x "$INSTALL_SD_SCRIPT_NAME"
  cd ..
@@ -625,22 +667,17 @@ function get_image() {
 }

 function download_image() {
-  local version=$1
-
-  if [[ -n $version ]]
-  then
-    debug "Finding v$version Yunohost $board image..."
-  else
-    debug "Finding latest Yunohost $board image..."
+  debug "Finding latest Yunohost $board image..."

-    ynh_image_zip="$(curl --show-error --fail --silent $YNH_IMG_LOCATION \
-      | grep "${YUNOHOST_PREFIX}-${DEBIAN_CODENAME}-[\d\.]+-$board-stable.img.zip" -Po \
-      | sort -V \
-      | tail -n 1)"
-    version=$(cut -d '-' -f 3 <<< $ynh_image_zip)
+  ynh_image_zip="$(curl --show-error --fail --silent $YNH_IMG_LOCATION \
+    | grep "${YUNOHOST_PREFIX}-${DEBIAN_CODENAME}-[\d\.]+-$board-stable.img.zip" -Po \
+    | sort -V \
+    | tail -n 1)"
+  ynh_image_sum="$ynh_image_zip.sha256sum"
+  ynh_image_sig="$ynh_image_zip.sig"

-    info "Latest Yunohost $board image is v$version!"
-  fi
+  version=$(cut -d '-' -f 3 <<< $ynh_image_zip)
+  info "Latest Yunohost $board image is v$version!"

  ynh_image="${YUNOHOST_PREFIX}-${DEBIAN_CODENAME}-${version}-${board}-stable.img"
  image="${ynh_image/${YUNOHOST_PREFIX}/${INTERNETCUBE_PREFIX}}"
@@ -655,17 +692,17 @@ function download_image() {
        curl --show-error --fail --progress-bar --output "$ynh_image_zip" "$YNH_IMG_LOCATION/$ynh_image_zip"
      fi

-      debug "Checking image integrity..."
-      ynh_image_sha256sum=$(curl --show-error --fail --silent $YNH_IMG_LOCATION/$ynh_image_zip.sha256sum || true)
-      if [[ -z $ynh_image_sha256sum ]] || ! sha256sum -c <<< "$ynh_image_sha256sum"
+      if [[ ! -f $ynh_image_sig ]]
      then
-        warn "Couldn't verify integrity of $ynh_image!!!"
-        if ! confirm "Do you really want to continue with the installation?" "n"
-        then
-          return 1
-        fi
+        info "Downloading $ynh_image_sig..."
+        curl --show-error --fail --silent --output "$ynh_image_sig" "$YNH_IMG_LOCATION/$ynh_image_sig"
      fi

+      ynh_image_sum=$(curl --show-error --fail --silent "$YNH_IMG_LOCATION/$ynh_image_sum" | cut -d ' ' -f 1)
+
+      check_integrity "$ynh_image_sum" "$ynh_image_zip"
+      check_gpg "$ynh_image_sig" "$ynh_image_zip"
+
      debug "Unzipping $ynh_image_zip..."
      unzip -p "$ynh_image_zip" > "$ynh_image"
      rm "$ynh_image_zip"