From 5deefa80f7710b9cd8fc600f5f4f0887652e817f Mon Sep 17 00:00:00 2001
From: Mykola Malkov
Date: Wed, 26 Feb 2020 12:45:04 +0200
Subject: [PATCH] TT#54410 Get rid of hardcoded checksum of sipwise.gpg file

We want to get rid of old sipwise gpg file as it contains weak key. To do it we need either update this hardcoded value (and do it every time when key is updated) or use the same behavior as it's used in installer.

Change-Id: I0de951778c7f3c2c877889d3b2225588442be3de
(cherry picked from commit 35bfe45d247c69c014b63fd96a7003519f765a08)
---
 deployment.sh | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/deployment.sh b/deployment.sh
index 8a84b5e..a5f8a13 100755
--- a/deployment.sh
+++ b/deployment.sh
@@ -138,18 +138,29 @@ loadNfsIpArray() {
 }

 install_sipwise_key() {
- if "$PRO_EDITION" ; then
- wget -O /etc/apt/trusted.gpg.d/sipwise.gpg http://${SIPWISE_REPO_HOST}/sppro/sipwise.gpg
- else
- wget -O /etc/apt/trusted.gpg.d/sipwise.gpg http://${SIPWISE_REPO_HOST}/spce/sipwise.gpg
- fi
+ local tmp_key
+ tmp_key="$(mktemp)"

- md5sum_sipwise_key_expected=bcd09c9ad563b2d380152a97d5a0ea83
- md5sum_sipwise_key_calculated=$(md5sum /etc/apt/trusted.gpg.d/sipwise.gpg | awk '{print $1}')
+ for x in 1 2 3; do
+ if "$PRO_EDITION" ; then
+ wget -q -T 10 --retry-connrefused --tries=3 --no-verbose -O "${tmp_key}" http://${SIPWISE_REPO_HOST}/sppro/sipwise.gpg
+ else
+ wget -q -T 10 --retry-connrefused --tries=3 --no-verbose -O "${tmp_key}" http://${SIPWISE_REPO_HOST}/spce/sipwise.gpg
+ fi
+ chmod 644 "${tmp_key}"
+ local sipwise_key_checksum
+ sipwise_key_checksum=$(sha256sum "${tmp_key}" | awk '{print $1}')
+ echo "Sipwise keyring downloaded with checksum (sha256sum: [${sipwise_key_checksum}]). Is it correct and should be imported into the system? [y/N]"
+
+ if "${INTERACTIVE}"; then
+ local a
+ read -r a
+ if [[ "${a,,}" != "y" ]] ; then
+ echo "The key wasn't accepted, retrying... ${x}/3"
+ continue
+ fi
+ fi

- if [ "$md5sum_sipwise_key_calculated" != "$md5sum_sipwise_key_expected" ] ; then
- die "Error validating sipwise keyring for apt usage (expected: [$md5sum_sipwise_key_expected] - got: [$md5sum_sipwise_key_calculated])"
- fi
 }

 # see MT#6253
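Review bot: When `INTERACTIVE` is false, the new `install_sipwise_key` never compares the downloaded key with anything: the removed md5 pin was the only automated check, the `[y/N]` prompt is skipped, and both `wget` calls still fetch over plain `http://`, so once the key is moved into place an unattended install would trust whatever the network path returned as an apt signing key. In interactive mode the sha256 shown is computed from that same download, so the prompt should tell the operator to compare it with a value obtained out of band. As shown in this hunk the `for` loop also has no `done` before the closing `}`, and `${tmp_key}` is neither copied to `/etc/apt/trusted.gpg.d/sipwise.gpg` nor removed, so the function cannot install a key in this form. The fence sketches one way to fail closed: an operator-supplied expected sha256 for unattended runs (`SIPWISE_KEY_SHA256` is a proposed name, not an existing variable), an explicit install step, cleanup of the temp file, and `die` after three rejected attempts.

```shell
    # … unchanged: download to "${tmp_key}", chmod, sha256sum, prompt echo …

    if "${INTERACTIVE}"; then
      # … unchanged: read answer, `continue` on anything but "y" …
    elif [[ -z "${SIPWISE_KEY_SHA256:-}" ]]; then
      # Unattended run with nothing to compare against: refuse rather than trust blindly.
      rm -f -- "${tmp_key}"
      die "Refusing to import sipwise keyring unattended without an expected sha256"
    elif [[ "${sipwise_key_checksum}" != "${SIPWISE_KEY_SHA256}" ]]; then
      rm -f -- "${tmp_key}"
      die "Error validating sipwise keyring for apt usage (expected: [${SIPWISE_KEY_SHA256}] - got: [${sipwise_key_checksum}])"
    fi

    # Only an accepted key reaches the apt trust directory.
    install -m 644 -- "${tmp_key}" /etc/apt/trusted.gpg.d/sipwise.gpg
    rm -f -- "${tmp_key}"
    return 0
  done

  rm -f -- "${tmp_key}"
  die "Sipwise keyring was not accepted after 3 attempts"
```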