From 9799eb746fc9766ca3dce6477656381ff3867df0 Mon Sep 17 00:00:00 2001
From: Mykola Malkov
Date: Thu, 27 Feb 2020 14:02:04 +0200
Subject: [PATCH] TT#54410 Get rid of hardcoded checksum of sipwise.gpg file

We want to get rid of old sipwise gpg file as it contains weak key. To do it we need either update this hardcoded value (and do it every time when key is updated) or use the same behavior as it's used in installer.

Change-Id: Id2b4055d2096372ca7b7db6d3f5a66ba644597f3
(cherry picked from commit 366f7f90cc98dab30cdac24c39cd5a6f19d10482)
---
 templates/scripts/includes/deployment.sh | 37 ++++++++++++++----------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/templates/scripts/includes/deployment.sh b/templates/scripts/includes/deployment.sh
index 94e7728..421744b 100755
--- a/templates/scripts/includes/deployment.sh
+++ b/templates/scripts/includes/deployment.sh
@@ -180,29 +180,36 @@ install_sipwise_key() {
 echo "Sipwise keyring not found, downloading."
 fi
+ local tmp_key
+ tmp_key="$(mktemp)"
+
 for x in 1 2 3; do
 if "$PRO_EDITION" ; then
- wget -O /etc/apt/trusted.gpg.d/sipwise.gpg ${SIPWISE_REPO_TRANSPORT}://${SIPWISE_REPO_HOST}/sppro/sipwise.gpg
+ wget -q -T 10 --retry-connrefused --tries=3 --no-verbose -O "${tmp_key}" ${SIPWISE_REPO_TRANSPORT}://${SIPWISE_REPO_HOST}/sppro/sipwise.gpg
 else
- wget -O /etc/apt/trusted.gpg.d/sipwise.gpg ${SIPWISE_REPO_TRANSPORT}://${SIPWISE_REPO_HOST}/spce/sipwise.gpg
+ wget -q -T 10 --retry-connrefused --tries=3 --no-verbose -O "${tmp_key}" ${SIPWISE_REPO_TRANSPORT}://${SIPWISE_REPO_HOST}/spce/sipwise.gpg
 fi
-
- md5sum_sipwise_key_expected=bcd09c9ad563b2d380152a97d5a0ea83
- md5sum_sipwise_key_calculated=$(md5sum /etc/apt/trusted.gpg.d/sipwise.gpg | awk '{print $1}')
-
- if [ "$md5sum_sipwise_key_calculated" != "$md5sum_sipwise_key_expected" ] ; then
- echo "Sipwise keyring has wrong checksum (expected: [$md5sum_sipwise_key_expected] - got: [$md5sum_sipwise_key_calculated]), retry $x"
- else
- break
+ chmod 644 "${tmp_key}"
+ local sipwise_key_checksum
+ sipwise_key_checksum=$(sha256sum "${tmp_key}" | awk '{print $1}')
+ echo "Sipwise keyring downloaded with checksum (sha256sum: [${sipwise_key_checksum}]). Is it correct and should be imported into the system? [y/N]"
+
+ if "${INTERACTIVE}"; then
+ local a
+ read -r a
+ if [[ "${a,,}" != "y" ]] ; then
+ echo "The key wasn't accepted, retrying... ${x}/3"
+ continue
+ fi
 fi
+ echo "The key has been accepted, installing it as /etc/apt/trusted.gpg.d/sipwise.gpg"
+ debootstrap_sipwise_key
+ mv "${tmp_key}" "/etc/apt/trusted.gpg.d/sipwise.gpg"
+ return
 done
- if [ "$md5sum_sipwise_key_calculated" != "$md5sum_sipwise_key_expected" ] ; then
- die "Error validating sipwise keyring for apt usage, aborting installation."
- fi
-
- debootstrap_sipwise_key
+ die "Error validating sipwise keyring for apt usage, aborting installation."
 }
 install_package_git () {
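Review bot: When `INTERACTIVE` is false, the loop installs whatever is in `${tmp_key}` on its first pass: the prompt block is skipped, wget's exit status is never tested, and nothing compares the sha256 that is printed. A failed or altered download over `${SIPWISE_REPO_TRANSPORT}` would therefore become an apt trust anchor, and the three retries are never used on that path. The removed MD5 pin was weak, but it was the only check there; I would test wget's status and, in non-interactive mode, require the digest to match an operator-supplied value (sketched below with a placeholder variable name) before installing. Separately, `debootstrap_sipwise_key` now runs before the `mv`, so if it reads `/etc/apt/trusted.gpg.d/sipwise.gpg` (its body is outside this hunk) it will not see the new key; swapping those two lines would restore the old order. The function starts above the hunk.

```shell
# … unchanged: mktemp, start of the for loop …
    local edition=spce
    if "$PRO_EDITION" ; then
      edition=sppro
    fi
    if ! wget -q -T 10 --retry-connrefused --tries=3 --no-verbose -O "${tmp_key}" \
        "${SIPWISE_REPO_TRANSPORT}://${SIPWISE_REPO_HOST}/${edition}/sipwise.gpg"; then
      echo "Sipwise keyring download failed, retrying... ${x}/3"
      continue
    fi
# … unchanged: chmod, sha256sum, interactive prompt …
    if ! "${INTERACTIVE}"; then
      # EXPECTED_SIPWISE_KEY_SHA256 is a placeholder for an operator-supplied
      # value; it is not an existing option of this script.
      if [[ "${sipwise_key_checksum}" != "${EXPECTED_SIPWISE_KEY_SHA256:-}" ]]; then
        echo "Sipwise keyring checksum not confirmed, retrying... ${x}/3"
        continue
      fi
    fi
# … unchanged: install the key and return …
```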