From eb349741d121fdc6f3c9da803fc298d8dfd8193e Mon Sep 17 00:00:00 2001
From: Mykola Malkov <mmalkov@sipwise.com>
Date: Mon, 2 Mar 2020 13:19:05 +0200
Subject: [PATCH] T#54410 Get rid of hardcoded checksum of sipwise.gpg file

We want to get rid of old sipwise gpg file as it contains weak key. To
do it we need either update this hardcoded value (and do it every time
when key is updated) or use the same behavior as it's used in
installer.

Change-Id: I77882d3b9f52156ce345f46217f3d438466e018f
---
 templates/scripts/includes/deployment.sh | 29 ++++++++++++++++--------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/templates/scripts/includes/deployment.sh b/templates/scripts/includes/deployment.sh
index c8d148e..56abd3d 100755
--- a/templates/scripts/includes/deployment.sh
+++ b/templates/scripts/includes/deployment.sh
@@ -193,18 +193,29 @@ install_sipwise_key() {
     echo "Sipwise keyring not found, downloading."
   fi
 
+  local tmp_key
+  tmp_key="$(mktemp)"
+
   for try in 1 2 3; do
-    wget --retry-connrefused --no-verbose -O "${SIPWISE_APT_KEY_PATH}" "${SIPWISE_URL}${SIPWISE_APT_KEY_URL_PATH}"
-    sipwise_key_checksum=$(sha256sum "${SIPWISE_APT_KEY_PATH}" | awk '{print $1}')
 
-    if [[ "${sipwise_key_checksum}" != "${SIPWISE_APT_KEY_CHECKSUM_OLD}" && \
-          "${sipwise_key_checksum}" != "${SIPWISE_APT_KEY_CHECKSUM_NEW}" ]] ; then
-      echo "Sipwise keyring downloaded has wrong checksum (expected: [${SIPWISE_APT_KEY_CHECKSUM}] - got: [${sipwise_key_checksum}]), retry $try" >&2
-    else
-      echo "Sipwise keyring downloaded with expected checksum (sha256sum: [${sipwise_key_checksum}]), debootstrap sipwise key"
-      debootstrap_sipwise_key
-      return
+    wget -q -T 10 --retry-connrefused --tries=3 --no-verbose -O "${tmp_key}" "${SIPWISE_URL}${SIPWISE_APT_KEY_URL_PATH}"
+    chmod 644 "${tmp_key}"
+    local sipwise_key_checksum
+    sipwise_key_checksum=$(sha256sum "${tmp_key}" | awk '{print $1}')
+    echo "Sipwise keyring downloaded with checksum (sha256sum: [${sipwise_key_checksum}]). Is it correct and should be imported into the system? [y/N]"
+
+    if "${INTERACTIVE}"; then
+      local a
+      read -r a
+      if [[ "${a,,}" != "y" ]] ; then
+        echo "The key wasn't accepted, retrying... ${x}/3"
+        continue
+      fi
     fi
+    echo "The key has been accepted, installing it as /etc/apt/trusted.gpg.d/sipwise.gpg"
+    debootstrap_sipwise_key
+    mv "${tmp_key}" "${SIPWISE_APT_KEY_PATH}"
+    return
   done
 
   die "Error validating sipwise keyring for apt usage, aborting installation."