diff options
| author | Thomas Bächler <thomas@archlinux.org> | 2016-02-13 01:08:49 +0100 |
|---|---|---|
| committer | Gerardo Exequiel Pozzi <vmlinuz386@gmail.com> | 2016-02-28 17:09:08 -0300 |
| commit | 1a59eb379269d5312cb9fd0cde21d5691cae733d (patch) | |
| tree | bab0d3a23eefc019efd73e145f9cc5e74f02364f | |
| parent | 249a52d941ca3edbffa4607683220a90be357ebd (diff) | |
| download | archiso32-1a59eb379269d5312cb9fd0cde21d5691cae733d.tar.xz | |
Add the verify=y option to verify the squashfs signature with gpg
| -rw-r--r-- | archiso/initcpio/hooks/archiso | 24 | ||||
| -rw-r--r-- | archiso/initcpio/hooks/archiso_pxe_http | 3 | ||||
| -rw-r--r-- | archiso/initcpio/install/archiso | 1 |
3 files changed, 28 insertions, 0 deletions
diff --git a/archiso/initcpio/hooks/archiso b/archiso/initcpio/hooks/archiso index fb76327..b78f4db 100644 --- a/archiso/initcpio/hooks/archiso +++ b/archiso/initcpio/hooks/archiso @@ -105,6 +105,15 @@ _verify_checksum() { return ${_status} } +_verify_signature() { + local _status + cd "/run/archiso/bootmnt/${archisobasedir}/${arch}" + gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG' + _status=$? + cd "${OLDPWD}" + return ${_status} +} + run_hook() { [[ -z "${arch}" ]] && arch="$(uname -m)" [[ -z "${copytoram_size}" ]] && copytoram_size="75%" @@ -159,6 +168,21 @@ archiso_mount_handler() { fi fi + if [[ "${verify}" == "y" ]]; then + if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sfs.sig" ]]; then + msg -n ":: Signature verification requested, please wait..." + if _verify_signature; then + msg "done. Signature is OK, continue booting." + else + echo "ERROR: one or more files are corrupted" + launch_interactive_shell + fi + else + echo "ERROR: verify=y option specified but ${archisobasedir}/${arch}/airootfs.sfs.sig not found" + launch_interactive_shell + fi + fi + if [[ "${copytoram}" == "y" ]]; then msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}" mkdir -p /run/archiso/copytoram diff --git a/archiso/initcpio/hooks/archiso_pxe_http b/archiso/initcpio/hooks/archiso_pxe_http index e36fa21..909ac78 100644 --- a/archiso/initcpio/hooks/archiso_pxe_http +++ b/archiso/initcpio/hooks/archiso_pxe_http @@ -39,6 +39,9 @@ archiso_pxe_http_mount_handler () { if [[ "${checksum}" == "y" ]]; then _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}" fi + if [[ "${verify}" == "y" ]]; then + _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}" + fi mkdir -p "/run/archiso/bootmnt" mount -o bind /run/archiso/httpspace /run/archiso/bootmnt diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso index 90bb9bc..30728ef 100644 --- a/archiso/initcpio/install/archiso +++ b/archiso/initcpio/install/archiso @@ -15,6 +15,7 @@ build() { add_binary mountpoint add_binary truncate add_binary gpg + add_binary grep add_file /usr/lib/udev/rules.d/60-cdrom_id.rules add_file /usr/lib/udev/rules.d/10-dm.rules |