[arch-releng] [RFC 2/4] [archiso] Add the verify=y option to verify the squashfs signature with gpg
Thomas Bächler
thomas at archlinux.org
Sat Feb 13 00:08:49 UTC 2016
---
archiso/initcpio/hooks/archiso | 24 ++++++++++++++++++++++++
archiso/initcpio/hooks/archiso_pxe_http | 3 +++
archiso/initcpio/install/archiso | 1 +
3 files changed, 28 insertions(+)
diff --git a/archiso/initcpio/hooks/archiso b/archiso/initcpio/hooks/archiso
index fb76327..b78f4db 100644
--- a/archiso/initcpio/hooks/archiso
+++ b/archiso/initcpio/hooks/archiso
@@ -105,6 +105,15 @@ _verify_checksum() {
return ${_status}
}
+_verify_signature() {
+ local _status
+ cd "/run/archiso/bootmnt/${archisobasedir}/${arch}"
+ gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG'
+ _status=$?
+ cd "${OLDPWD}"
+ return ${_status}
+}
+
run_hook() {
[[ -z "${arch}" ]] && arch="$(uname -m)"
[[ -z "${copytoram_size}" ]] && copytoram_size="75%"
@@ -159,6 +168,21 @@ archiso_mount_handler() {
fi
fi
+ if [[ "${verify}" == "y" ]]; then
+ if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sfs.sig" ]]; then
+ msg -n ":: Signature verification requested, please wait..."
+ if _verify_signature; then
+ msg "done. Signature is OK, continue booting."
+ else
+ echo "ERROR: one or more files are corrupted"
+ launch_interactive_shell
+ fi
+ else
+ echo "ERROR: verify=y option specified but ${archisobasedir}/${arch}/airootfs.sfs.sig not found"
+ launch_interactive_shell
+ fi
+ fi
+
if [[ "${copytoram}" == "y" ]]; then
msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}"
mkdir -p /run/archiso/copytoram
diff --git a/archiso/initcpio/hooks/archiso_pxe_http b/archiso/initcpio/hooks/archiso_pxe_http
index e36fa21..909ac78 100644
--- a/archiso/initcpio/hooks/archiso_pxe_http
+++ b/archiso/initcpio/hooks/archiso_pxe_http
@@ -39,6 +39,9 @@ archiso_pxe_http_mount_handler () {
if [[ "${checksum}" == "y" ]]; then
_curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}"
fi
+ if [[ "${verify}" == "y" ]]; then
+ _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}"
+ fi
mkdir -p "/run/archiso/bootmnt"
mount -o bind /run/archiso/httpspace /run/archiso/bootmnt
diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso
index 715120b..b955dee 100644
--- a/archiso/initcpio/install/archiso
+++ b/archiso/initcpio/install/archiso
@@ -15,6 +15,7 @@ build() {
add_binary mountpoint
add_binary truncate
add_binary gpg
+ add_binary grep
add_file /usr/lib/udev/rules.d/60-cdrom_id.rules
add_file /usr/lib/udev/rules.d/10-dm.rules
--
2.6.3
More information about the arch-releng
mailing list