T#54410 Get rid of hardcoded checksum of sipwise.gpg file

We want to get rid of the old sipwise gpg file as it contains a weak key. To
do so we need to either update this hardcoded value (and do it every time
the key is updated) or use the same behavior as the one used in the
installer.

Change-Id: I77882d3b9f52156ce345f46217f3d438466e018f
mr6.5.8
Mykola Malkov 6 years ago
parent beb53ffad2
commit eb349741d1

@ -193,18 +193,29 @@ install_sipwise_key() {
echo "Sipwise keyring not found, downloading."
fi
local tmp_key
tmp_key="$(mktemp)"
for try in 1 2 3; do
wget --retry-connrefused --no-verbose -O "${SIPWISE_APT_KEY_PATH}" "${SIPWISE_URL}${SIPWISE_APT_KEY_URL_PATH}"
sipwise_key_checksum=$(sha256sum "${SIPWISE_APT_KEY_PATH}" | awk '{print $1}')
if [[ "${sipwise_key_checksum}" != "${SIPWISE_APT_KEY_CHECKSUM_OLD}" && \
"${sipwise_key_checksum}" != "${SIPWISE_APT_KEY_CHECKSUM_NEW}" ]] ; then
echo "Sipwise keyring downloaded has wrong checksum (expected: [${SIPWISE_APT_KEY_CHECKSUM}] - got: [${sipwise_key_checksum}]), retry $try" >&2
else
echo "Sipwise keyring downloaded with expected checksum (sha256sum: [${sipwise_key_checksum}]), debootstrap sipwise key"
debootstrap_sipwise_key
return
wget -q -T 10 --retry-connrefused --tries=3 --no-verbose -O "${tmp_key}" "${SIPWISE_URL}${SIPWISE_APT_KEY_URL_PATH}"
chmod 644 "${tmp_key}"
local sipwise_key_checksum
sipwise_key_checksum=$(sha256sum "${tmp_key}" | awk '{print $1}')
echo "Sipwise keyring downloaded with checksum (sha256sum: [${sipwise_key_checksum}]). Is it correct and should be imported into the system? [y/N]"
if "${INTERACTIVE}"; then
local a
read -r a
if [[ "${a,,}" != "y" ]] ; then
echo "The key wasn't accepted, retrying... ${x}/3"
continue
fi
fi
echo "The key has been accepted, installing it as /etc/apt/trusted.gpg.d/sipwise.gpg"
debootstrap_sipwise_key
mv "${tmp_key}" "${SIPWISE_APT_KEY_PATH}"
return
done
die "Error validating sipwise keyring for apt usage, aborting installation."
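Review bot: When `${INTERACTIVE}` is false, the new loop installs whatever `wget` fetched as a trusted apt key with no verification at all: the sha256 is only printed, and the `[y/N]` question is echoed but never read. Trust in the key then rests entirely on the transport to `${SIPWISE_URL}` (the hunk does not show whether that is always HTTPS), and because the exit status of `wget` is not checked, a failed download may leave an empty `${tmp_key}` that is accepted the same way unless the script runs under `set -e`. I would at least end the download line with `|| continue`, add `[[ -s "${tmp_key}" ]] || continue` after it, and let unattended runs compare against an operator-supplied expected checksum when one is given. Two smaller points: the retry message prints `${x}/3` although the loop variable is `try`, and `debootstrap_sipwise_key` now runs before `mv "${tmp_key}" "${SIPWISE_APT_KEY_PATH}"`, which looks out of order if that helper reads the key from `${SIPWISE_APT_KEY_PATH}` (its body is outside the hunk). The body of `install_sipwise_key` starts before this hunk, so the keyring-present branch above it is not reviewed here.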
