TT#54410 Get rid of hardcoded checksum of sipwise.gpg file

We want to get rid of old sipwise gpg file as it contains weak key. To do it we need either update this hardcoded value (and do it every time when key is updated) or use the same behavior as it's used in installer. Change-Id: Ie7d079807659c560355f2f2fbfecf4f6327f79a8 (cherry picked from commit 1fbbf381ce)
6 years ago · 92cc311bbc
parent 1c3d1fceca
commit 92cc311bbc
1 changed files with 20 additions and 10 deletions
--- a/templates/scripts/includes/deployment.sh
+++ b/templates/scripts/includes/deployment.sh
@ -93,7 +93,6 @@ VIRTUALBOX_DIR="/usr/share/virtualbox"
 VIRTUALBOX_ISO="VBoxGuestAdditions_5.2.18.iso"
 VIRTUALBOX_ISO_CHECKSUM="f98b6ad7093ee0b27d26dea565b197a5f33fdac93c4b67e73824ce889d6c964c" # sha256
 VIRTUALBOX_ISO_URL_PATH="/files/${VIRTUALBOX_ISO}"
-SIPWISE_APT_KEY_CHECKSUM="f4cdbe4994ae8ca6c4b24eb164e82a20579b335da4eca0907ecaace832e9a0a7" # sha256
 SIPWISE_APT_KEY_PATH="/etc/apt/trusted.gpg.d/sipwise.gpg"
 # overriden later, although since the checksum is the same we could use this URL
 # also for Pro/Carrier installations
@ -192,17 +191,28 @@ install_sipwise_key() {
    echo "Sipwise keyring not found, downloading."
  fi

-  for try in 1 2 3; do
-    wget --retry-connrefused --no-verbose -O "${SIPWISE_APT_KEY_PATH}" "${SIPWISE_URL}${SIPWISE_APT_KEY_URL_PATH}"
-    sipwise_key_checksum=$(sha256sum "${SIPWISE_APT_KEY_PATH}" | awk '{print $1}')
+  local tmp_key
+  tmp_key="$(mktemp)"

-    if [ "${sipwise_key_checksum}" != "${SIPWISE_APT_KEY_CHECKSUM}" ] ; then
-      echo "Sipwise keyring downloaded has wrong checksum (expected: [${SIPWISE_APT_KEY_CHECKSUM}] - got: [${sipwise_key_checksum}]), retry $try" >&2
-    else
-      echo "Sipwise keyring downloaded with expected checksum (sha256sum: [${SIPWISE_APT_KEY_CHECKSUM}]), debootstrap sipwise key"
-      debootstrap_sipwise_key
-      return
+  for try in 1 2 3; do
+    wget -q -T 10 --retry-connrefused --tries=3 --no-verbose -O "${tmp_key}" "${SIPWISE_URL}${SIPWISE_APT_KEY_URL_PATH}"
+    chmod 644 "${tmp_key}"
+    local sipwise_key_checksum
+    sipwise_key_checksum=$(sha256sum "${tmp_key}" | awk '{print $1}')
+    echo "Sipwise keyring downloaded with checksum (sha256sum: [${sipwise_key_checksum}]). Is it correct and should be imported into the system? [y/N]"
+
+    if "${INTERACTIVE}"; then
+      local a
+      read -r a
+      if [[ "${a,,}" != "y" ]] ; then
+        echo "The key wasn't accepted, retrying... ${try}/3"
+        continue
+      fi
    fi
+    echo "The key has been accepted, installing it as ${SIPWISE_APT_KEY_PATH}"
+    debootstrap_sipwise_key
+    mv "${tmp_key}" "${SIPWISE_APT_KEY_PATH}"
+    return
  done

  die "Error validating sipwise keyring for apt usage, aborting installation."