[arch-releng] [RFC 2/4] [archiso] Add the verify=y option to verify the squashfs signature with gpg

Thomas Bächler thomas at archlinux.org
Sat Feb 13 00:08:49 UTC 2016


---
 archiso/initcpio/hooks/archiso          | 24 ++++++++++++++++++++++++
 archiso/initcpio/hooks/archiso_pxe_http |  3 +++
 archiso/initcpio/install/archiso        |  1 +
 3 files changed, 28 insertions(+)

diff --git a/archiso/initcpio/hooks/archiso b/archiso/initcpio/hooks/archiso
index fb76327..b78f4db 100644
--- a/archiso/initcpio/hooks/archiso
+++ b/archiso/initcpio/hooks/archiso
@@ -105,6 +105,15 @@ _verify_checksum() {
     return ${_status}
 }
 
+_verify_signature() {
+    local _status
+    cd "/run/archiso/bootmnt/${archisobasedir}/${arch}"
+    gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG'
+    _status=$?
+    cd "${OLDPWD}"
+    return ${_status}
+}
+
 run_hook() {
     [[ -z "${arch}" ]] && arch="$(uname -m)"
     [[ -z "${copytoram_size}" ]] && copytoram_size="75%"
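Review bot: The `gpg --verify airootfs.sfs.sig` call in `_verify_signature` names only the signature file, so gpg has to find the data by stripping the suffix, and if the `.sig` file holds a complete signed message rather than a detached signature, `airootfs.sfs` may never be read at all. The gpg manual discourages this single-argument form; name the data file explicitly: `gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig airootfs.sfs 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG'`. `GOODSIG` only says that some key in the `/gpg` keyring made the signature, so the check is exactly as strong as that keyring's contents; matching `VALIDSIG` against an expected fingerprint would pin it to one key. The two `cd` calls are also unchecked, and `cd ... || return 1` would turn a missing directory into an explicit failure.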
@@ -159,6 +168,21 @@ archiso_mount_handler() {
         fi
     fi
 
+    if [[ "${verify}" == "y" ]]; then
+        if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sfs.sig" ]]; then
+            msg -n ":: Signature verification requested, please wait..."
+            if _verify_signature; then
+                msg "done. Signature is OK, continue booting."
+            else
+                echo "ERROR: one or more files are corrupted"
+                launch_interactive_shell
+            fi
+        else
+            echo "ERROR: verify=y option specified but ${archisobasedir}/${arch}/airootfs.sfs.sig not found"
+            launch_interactive_shell
+        fi
+    fi
+
     if [[ "${copytoram}" == "y" ]]; then
         msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}"
         mkdir -p /run/archiso/copytoram
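Review bot: The failure branch in `archiso_mount_handler` prints `ERROR: one or more files are corrupted`, which is the checksum wording and hides that the signature check failed; something like `echo "ERROR: signature verification of airootfs.sfs failed"` tells the operator what actually happened. Both error branches then call `launch_interactive_shell` and fall through to the rest of the handler. If that helper returns once the shell exits (its definition is not in this patch), the handler would go on to mount the unverified image, so it is worth confirming that boot cannot continue from there. The check also runs only when `verify=y` is on the kernel command line, so it protects the image only as far as the boot configuration itself is trusted. The handler's body starts and ends outside the hunk.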
diff --git a/archiso/initcpio/hooks/archiso_pxe_http b/archiso/initcpio/hooks/archiso_pxe_http
index e36fa21..909ac78 100644
--- a/archiso/initcpio/hooks/archiso_pxe_http
+++ b/archiso/initcpio/hooks/archiso_pxe_http
@@ -39,6 +39,9 @@ archiso_pxe_http_mount_handler () {
     if [[ "${checksum}" == "y" ]]; then
         _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}"
     fi
+    if [[ "${verify}" == "y" ]]; then
+        _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}"
+    fi
 
     mkdir -p "/run/archiso/bootmnt"
     mount -o bind /run/archiso/httpspace /run/archiso/bootmnt
diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso
index 715120b..b955dee 100644
--- a/archiso/initcpio/install/archiso
+++ b/archiso/initcpio/install/archiso
@@ -15,6 +15,7 @@ build() {
     add_binary mountpoint
     add_binary truncate
     add_binary gpg
+    add_binary grep
 
     add_file /usr/lib/udev/rules.d/60-cdrom_id.rules
     add_file /usr/lib/udev/rules.d/10-dm.rules
-- 
2.6.3

