mirror of
https://github.com/rocky-linux/rocky-tools.git
synced 2024-11-26 06:56:25 +00:00
Do GPG signature checking for the whole migration process
Before this commit, the Rocky system packages like rocky-repos, rocky-release and similar, were not checked for their gpg signature, while the rest of the packages were signature checked. While the system packages were downloaded from https://dl.rockylinux.org, this still created the risk that someone could attack the CDN infrastructure behind dl.rockylinux.org and place malicous files there. With this patch the GPG key is downloaded separately and then compared against a checksum contained in the script. This adds an extra layer of security.
This commit is contained in:
parent
de8c952285
commit
3ed1aec1bd
@ -30,9 +30,15 @@ shopt -s nullglob
|
|||||||
SUPPORTED_MAJOR="8"
|
SUPPORTED_MAJOR="8"
|
||||||
SUPPORTED_PLATFORM="platform:el$SUPPORTED_MAJOR"
|
SUPPORTED_PLATFORM="platform:el$SUPPORTED_MAJOR"
|
||||||
ARCH=$(arch)
|
ARCH=$(arch)
|
||||||
|
|
||||||
|
gpg_key_url="https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-rockyofficial"
|
||||||
|
gpg_key_sha512="88fe66cf0a68648c2371120d56eb509835266d9efdf7c8b9ac8fc101bdf1f0e0197030d3ea65f4b5be89dc9d1ef08581adb068815c88d7b1dc40aa1c32990f6a"
|
||||||
|
|
||||||
|
# all repos must be signed with the same key given in $gpg_key_url
|
||||||
|
declare -A repo_urls
|
||||||
repo_urls=(
|
repo_urls=(
|
||||||
"rockybaseos,https://dl.rockylinux.org/pub/rocky/${SUPPORTED_MAJOR}/BaseOS/$ARCH/os/"
|
[rockybaseos]="https://dl.rockylinux.org/pub/rocky/${SUPPORTED_MAJOR}/BaseOS/$ARCH/os/"
|
||||||
"rockyappstream,https://dl.rockylinux.org/pub/rocky/${SUPPORTED_MAJOR}/AppStream/$ARCH/os/"
|
[rockyappstream]="https://dl.rockylinux.org/pub/rocky/${SUPPORTED_MAJOR}/AppStream/$ARCH/os/"
|
||||||
)
|
)
|
||||||
|
|
||||||
unset CDPATH
|
unset CDPATH
|
||||||
@ -99,6 +105,7 @@ bin_check() {
|
|||||||
bins=(
|
bins=(
|
||||||
rpm dnf awk column tee tput mkdir
|
rpm dnf awk column tee tput mkdir
|
||||||
cat arch sort uniq rmdir rm head
|
cat arch sort uniq rmdir rm head
|
||||||
|
curl sha512sum mktemp
|
||||||
)
|
)
|
||||||
if [[ $update_efi ]]; then
|
if [[ $update_efi ]]; then
|
||||||
bins+=(findmnt grub2-mkconfig efibootmgr grep mokutil)
|
bins+=(findmnt grub2-mkconfig efibootmgr grep mokutil)
|
||||||
@ -408,16 +415,28 @@ generate_rpm_info() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
package_swaps() {
|
package_swaps() {
|
||||||
|
# prepare repo parameters
|
||||||
|
local -a dnfparameters
|
||||||
|
for repo in "${!repo_urls[@]}"; do
|
||||||
|
dnfparameters+=( "--repofrompath=${repo},${repo_urls[${repo}]}" )
|
||||||
|
dnfparameters+=( "--setopt=${repo}.gpgcheck=1" )
|
||||||
|
dnfparameters+=( "--setopt=${repo}.gpgkey=file://${gpg_key_file}" )
|
||||||
|
done
|
||||||
|
|
||||||
# Use dnf shell to swap the system packages out.
|
# Use dnf shell to swap the system packages out.
|
||||||
dnf -y shell --nogpg --disablerepo=\* --noautoremove \
|
dnf -y shell --disablerepo=\* --noautoremove \
|
||||||
--setopt=protected_packages= --setopt=keepcache=True \
|
--setopt=protected_packages= --setopt=keepcache=True \
|
||||||
"${repo_urls[@]/#/--repofrompath=}" <<EOF
|
"${dnfparameters[@]}" \
|
||||||
|
<<EOF
|
||||||
remove ${installed_pkg_map[@]} ${addl_pkg_removes[@]}
|
remove ${installed_pkg_map[@]} ${addl_pkg_removes[@]}
|
||||||
install ${!installed_pkg_map[@]}
|
install ${!installed_pkg_map[@]}
|
||||||
run
|
run
|
||||||
exit
|
exit
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
# rocky-repos and rocky-gpg-keys are now installed, so we don't need the key file anymore
|
||||||
|
rm -rf "$gpg_tmp_dir"
|
||||||
|
|
||||||
# We need to check to make sure that all of the original system packages
|
# We need to check to make sure that all of the original system packages
|
||||||
# have been removed and all of the new ones have been added. If a package
|
# have been removed and all of the new ones have been added. If a package
|
||||||
# was supposed to be removed and one with the same name added back then
|
# was supposed to be removed and one with the same name added back then
|
||||||
@ -549,6 +568,32 @@ fix_efi () (
|
|||||||
exit_message "Error updating uEFI firmware."
|
exit_message "Error updating uEFI firmware."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Download and verify the Rocky Linux package signing key
|
||||||
|
establish_gpg_trust () {
|
||||||
|
# create temp dir and verify it is really created and empty, so we are sure deleting it afterwards won't cause any harm
|
||||||
|
declare -g gpg_tmp_dir
|
||||||
|
if ! gpg_tmp_dir=$(mktemp -d) || [[ ! -d "$gpg_tmp_dir" ]]; then
|
||||||
|
exit_message "Error creating temp dir"
|
||||||
|
fi
|
||||||
|
# failglob makes pathname expansion fail if empty, dotglob adds files starting with . to pathname expansion
|
||||||
|
if ( shopt -s failglob dotglob; : "$gpg_tmp_dir"/* ) 2>/dev/null ; then
|
||||||
|
exit_message "Temp dir not empty"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# extract the filename from the url, use the temp dir just created
|
||||||
|
declare -g gpg_key_file="$gpg_tmp_dir/${gpg_key_url##*/}"
|
||||||
|
|
||||||
|
if ! curl -o "$gpg_key_file" --silent --show-error "$gpg_key_url"; then
|
||||||
|
rm -rf "$gpg_tmp_dir"
|
||||||
|
exit_message "Error downloading the Rocky Linux signing key."
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! sha512sum --quiet -c <<<"$gpg_key_sha512 $gpg_key_file"; then
|
||||||
|
rm -rf "$gpg_tmp_dir"
|
||||||
|
exit_message "Error validating the signing key."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
## End actual work
|
## End actual work
|
||||||
|
|
||||||
noopts=0
|
noopts=0
|
||||||
@ -583,6 +628,7 @@ fi
|
|||||||
|
|
||||||
if [[ $convert_to_rocky ]]; then
|
if [[ $convert_to_rocky ]]; then
|
||||||
collect_system_info
|
collect_system_info
|
||||||
|
establish_gpg_trust
|
||||||
package_swaps
|
package_swaps
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user