Commit 61574e48 authored by Ilja's avatar Ilja

Merge branch '6-check-gpg-signature' into 'master'

Resolve "Check GPG signatures of Yunohost images"

Closes #6

See merge request Neutrinet/neutrinet_cube_install!14
parents 718b4445 1ab97369
......@@ -33,6 +33,10 @@ INTERNETCUBE_PREFIX="internetcube"
YUNOHOST_PREFIX="yunohost"
CUBE_RESOURCES_LOCATION="cube_resources"
GPG_HOME_DIR=".gnupg"
GPG_YUNOHOST_KEY="0x360AAF3259A3E6FF"
GPG_KEYSERVER="keyserver.ubuntu.com"
CUBE_BUILD_SCRIPT_LOCATION="https://github.com/labriqueinternet/build.labriqueinter.net.git"
CUBE_BUILD_SCRIPT_REVISION="b755e06f96e4612a1c247601ea12900f1e34e767"
CUBE_BUILD_SCRIPT_DIR="yunocube"
......@@ -58,7 +62,7 @@ WIFI_SSID_PATTERN='^[\w\d\-_\.,!\? ]{1,32}$'
WIFI_PASSWORD_PATTERN='^[^\{\}]{8,63}$'
REQUIRED_FIELD_PATTERN='^.+$'
DEPENDENCIES="git curl jq sha256sum md5sum unzip sudo"
DEPENDENCIES="git curl jq sha256sum unzip sudo gpg"
#=================================================
# HELPERS
......@@ -239,6 +243,53 @@ function confirm() {
return $?
}
function prompt_continue_install() {
if ! confirm "Do you really want to continue with the installation?" "n"
then
return 1
fi
}
function check_integrity() {
local checksum=$1
local filename=$2
info "Verifying file integrity for $filename..."
if ! sha256sum --quiet -c <<< "$checksum $filename"
then
warn "Couldn't verify file integrity of $filename!!!"
prompt_continue_install
else
info "File integrity successfully verified!"
fi
}
function check_gpg() {
local signature_file=$1
local filename=$2
info "Verifying GPG signature for $filename..."
if ! gpg -q --no-tty --batch --trust-model always \
--homedir "$GPG_HOME_DIR" \
--keyserver "$GPG_KEYSERVER" \
--recv-key "$GPG_YUNOHOST_KEY"
then
warn "Couldn't import Yunohost GPG key ($GPG_YUNOHOST_KEY) from $GPG_KEYSERVER"
prompt_continue_install
fi
if ! gpg -q --no-tty --batch --trust-model always --no-options \
--homedir "$GPG_HOME_DIR" \
--verify "$signature_file" "$filename"
then
warn "Couldn't verify GPG signature!!!"
prompt_continue_install
else
info "GPG signature successfully verified!"
fi
}
function check_sudo() {
if ! command -v sudo > /dev/null
then
......@@ -260,16 +311,7 @@ function download_install_sd_script() {
cd $CUBE_RESOURCES_LOCATION
curl --show-error --fail --silent --output "$INSTALL_SD_SCRIPT_NAME" "$INSTALL_SD_SCRIPT_LOCATION/$INSTALL_SD_SCRIPT_NAME"
info "Checking integrity of $INSTALL_SD_SCRIPT_NAME..."
if ! sha256sum -c <<< "$INSTALL_SD_SCRIPT_SHA256SUM $INSTALL_SD_SCRIPT_NAME"
then
warn "Cannot verify the integrity of $INSTALL_SD_SCRIPT_NAME!!!"
if ! confirm "Do you really want to continue with the installation?" "n"
then
exit 1
fi
fi
check_integrity "$INSTALL_SD_SCRIPT_SHA256SUM" "$INSTALL_SD_SCRIPT_NAME"
chmod u+x "$INSTALL_SD_SCRIPT_NAME"
cd ..
......@@ -625,22 +667,17 @@ function get_image() {
}
function download_image() {
local version=$1
if [[ -n $version ]]
then
debug "Finding v$version Yunohost $board image..."
else
debug "Finding latest Yunohost $board image..."
debug "Finding latest Yunohost $board image..."
ynh_image_zip="$(curl --show-error --fail --silent $YNH_IMG_LOCATION \
| grep "${YUNOHOST_PREFIX}-${DEBIAN_CODENAME}-[\d\.]+-$board-stable.img.zip" -Po \
| sort -V \
| tail -n 1)"
version=$(cut -d '-' -f 3 <<< $ynh_image_zip)
ynh_image_zip="$(curl --show-error --fail --silent $YNH_IMG_LOCATION \
| grep "${YUNOHOST_PREFIX}-${DEBIAN_CODENAME}-[\d\.]+-$board-stable.img.zip" -Po \
| sort -V \
| tail -n 1)"
ynh_image_sum="$ynh_image_zip.sha256sum"
ynh_image_sig="$ynh_image_zip.sig"
info "Latest Yunohost $board image is v$version!"
fi
version=$(cut -d '-' -f 3 <<< $ynh_image_zip)
info "Latest Yunohost $board image is v$version!"
ynh_image="${YUNOHOST_PREFIX}-${DEBIAN_CODENAME}-${version}-${board}-stable.img"
image="${ynh_image/${YUNOHOST_PREFIX}/${INTERNETCUBE_PREFIX}}"
......@@ -655,17 +692,17 @@ function download_image() {
curl --show-error --fail --progress-bar --output "$ynh_image_zip" "$YNH_IMG_LOCATION/$ynh_image_zip"
fi
debug "Checking image integrity..."
ynh_image_sha256sum=$(curl --show-error --fail --silent $YNH_IMG_LOCATION/$ynh_image_zip.sha256sum || true)
if [[ -z $ynh_image_sha256sum ]] || ! sha256sum -c <<< "$ynh_image_sha256sum"
if [[ ! -f $ynh_image_sig ]]
then
warn "Couldn't verify integrity of $ynh_image!!!"
if ! confirm "Do you really want to continue with the installation?" "n"
then
return 1
fi
info "Downloading $ynh_image_sig..."
curl --show-error --fail --silent --output "$ynh_image_sig" "$YNH_IMG_LOCATION/$ynh_image_sig"
fi
ynh_image_sum=$(curl --show-error --fail --silent "$YNH_IMG_LOCATION/$ynh_image_sum" | cut -d ' ' -f 1)
check_integrity "$ynh_image_sum" "$ynh_image_zip"
check_gpg "$ynh_image_sig" "$ynh_image_zip"
debug "Unzipping $ynh_image_zip..."
unzip -p "$ynh_image_zip" > "$ynh_image"
rm "$ynh_image_zip"
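Review bot: The `--verify` call in check_gpg accepts a signature from any key present in `$GPG_HOME_DIR`: `--trust-model always` disables trust checking, and the key is fetched with `--recv-key` by 64-bit key ID rather than by full fingerprint, so a wrong or colliding key returned by the keyserver, or any extra key already in the homedir, would make the check pass. Pin the full fingerprint in a constant next to `GPG_YUNOHOST_KEY` (e.g. `GPG_YUNOHOST_FINGERPRINT=<full fingerprint of 0x360AAF3259A3E6FF>`, value to be taken from the project's key, not invented here), pass that to `--recv-key`, and run the verify with `--status-fd 1` so the `VALIDSIG` line can be matched against it, e.g. `| grep -q "^\[GNUPG:\] VALIDSIG .* ${GPG_YUNOHOST_FINGERPRINT}$"`. Separately, both check_integrity and check_gpg call `prompt_continue_install` in their failure branches but discard its status, so declining the prompt only stops the script if `set -e` is active further up the file (not visible in this commit), whereas the code this replaces in download_install_sd_script and download_image exited or returned explicitly; `prompt_continue_install || exit 1` restores that. check_integrity and check_gpg are complete within their hunk; download_image begins and ends outside the last two hunks.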
......