mirror of
https://github.com/rocky-linux/rocky-tools.git
synced 2024-12-30 13:20:55 +00:00
Merge pull request #25 from electroniceel/gpg-signature-validation
Do GPG signature checking for the whole migration process
This commit is contained in:
commit
f2da5e4a8c
1 changed files with 50 additions and 4 deletions
|
@ -51,9 +51,15 @@ shopt -s nullglob
|
||||||
SUPPORTED_MAJOR="8"
|
SUPPORTED_MAJOR="8"
|
||||||
SUPPORTED_PLATFORM="platform:el$SUPPORTED_MAJOR"
|
SUPPORTED_PLATFORM="platform:el$SUPPORTED_MAJOR"
|
||||||
ARCH=$(arch)
|
ARCH=$(arch)
|
||||||
|
|
||||||
|
gpg_key_url="https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-rockyofficial"
|
||||||
|
gpg_key_sha512="88fe66cf0a68648c2371120d56eb509835266d9efdf7c8b9ac8fc101bdf1f0e0197030d3ea65f4b5be89dc9d1ef08581adb068815c88d7b1dc40aa1c32990f6a"
|
||||||
|
|
||||||
|
# all repos must be signed with the same key given in $gpg_key_url
|
||||||
|
declare -A repo_urls
|
||||||
repo_urls=(
|
repo_urls=(
|
||||||
"rockybaseos,https://dl.rockylinux.org/pub/rocky/${SUPPORTED_MAJOR}/BaseOS/$ARCH/os/"
|
[rockybaseos]="https://dl.rockylinux.org/pub/rocky/${SUPPORTED_MAJOR}/BaseOS/$ARCH/os/"
|
||||||
"rockyappstream,https://dl.rockylinux.org/pub/rocky/${SUPPORTED_MAJOR}/AppStream/$ARCH/os/"
|
[rockyappstream]="https://dl.rockylinux.org/pub/rocky/${SUPPORTED_MAJOR}/AppStream/$ARCH/os/"
|
||||||
)
|
)
|
||||||
|
|
||||||
unset CDPATH
|
unset CDPATH
|
||||||
|
@ -120,6 +126,7 @@ bin_check() {
|
||||||
bins=(
|
bins=(
|
||||||
rpm dnf awk column tee tput mkdir
|
rpm dnf awk column tee tput mkdir
|
||||||
cat arch sort uniq rmdir rm head
|
cat arch sort uniq rmdir rm head
|
||||||
|
curl sha512sum mktemp
|
||||||
)
|
)
|
||||||
if [[ $update_efi ]]; then
|
if [[ $update_efi ]]; then
|
||||||
bins+=(findmnt grub2-mkconfig efibootmgr grep mokutil)
|
bins+=(findmnt grub2-mkconfig efibootmgr grep mokutil)
|
||||||
|
@ -429,16 +436,28 @@ generate_rpm_info() {
|
||||||
}
|
}
|
||||||
|
|
||||||
package_swaps() {
|
package_swaps() {
|
||||||
|
# prepare repo parameters
|
||||||
|
local -a dnfparameters
|
||||||
|
for repo in "${!repo_urls[@]}"; do
|
||||||
|
dnfparameters+=( "--repofrompath=${repo},${repo_urls[${repo}]}" )
|
||||||
|
dnfparameters+=( "--setopt=${repo}.gpgcheck=1" )
|
||||||
|
dnfparameters+=( "--setopt=${repo}.gpgkey=file://${gpg_key_file}" )
|
||||||
|
done
|
||||||
|
|
||||||
# Use dnf shell to swap the system packages out.
|
# Use dnf shell to swap the system packages out.
|
||||||
dnf -y shell --nogpg --disablerepo=\* --noautoremove \
|
dnf -y shell --disablerepo=\* --noautoremove \
|
||||||
--setopt=protected_packages= --setopt=keepcache=True \
|
--setopt=protected_packages= --setopt=keepcache=True \
|
||||||
"${repo_urls[@]/#/--repofrompath=}" <<EOF
|
"${dnfparameters[@]}" \
|
||||||
|
<<EOF
|
||||||
remove ${installed_pkg_map[@]} ${addl_pkg_removes[@]}
|
remove ${installed_pkg_map[@]} ${addl_pkg_removes[@]}
|
||||||
install ${!installed_pkg_map[@]}
|
install ${!installed_pkg_map[@]}
|
||||||
run
|
run
|
||||||
exit
|
exit
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
# rocky-repos and rocky-gpg-keys are now installed, so we don't need the key file anymore
|
||||||
|
rm -rf "$gpg_tmp_dir"
|
||||||
|
|
||||||
# We need to check to make sure that all of the original system packages
|
# We need to check to make sure that all of the original system packages
|
||||||
# have been removed and all of the new ones have been added. If a package
|
# have been removed and all of the new ones have been added. If a package
|
||||||
# was supposed to be removed and one with the same name added back then
|
# was supposed to be removed and one with the same name added back then
|
||||||
|
@ -570,6 +589,32 @@ fix_efi () (
|
||||||
exit_message "Error updating uEFI firmware."
|
exit_message "Error updating uEFI firmware."
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Download and verify the Rocky Linux package signing key
|
||||||
|
establish_gpg_trust () {
|
||||||
|
# create temp dir and verify it is really created and empty, so we are sure deleting it afterwards won't cause any harm
|
||||||
|
declare -g gpg_tmp_dir
|
||||||
|
if ! gpg_tmp_dir=$(mktemp -d) || [[ ! -d "$gpg_tmp_dir" ]]; then
|
||||||
|
exit_message "Error creating temp dir"
|
||||||
|
fi
|
||||||
|
# failglob makes pathname expansion fail if empty, dotglob adds files starting with . to pathname expansion
|
||||||
|
if ( shopt -s failglob dotglob; : "$gpg_tmp_dir"/* ) 2>/dev/null ; then
|
||||||
|
exit_message "Temp dir not empty"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# extract the filename from the url, use the temp dir just created
|
||||||
|
declare -g gpg_key_file="$gpg_tmp_dir/${gpg_key_url##*/}"
|
||||||
|
|
||||||
|
if ! curl -o "$gpg_key_file" --silent --show-error "$gpg_key_url"; then
|
||||||
|
rm -rf "$gpg_tmp_dir"
|
||||||
|
exit_message "Error downloading the Rocky Linux signing key."
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! sha512sum --quiet -c <<<"$gpg_key_sha512 $gpg_key_file"; then
|
||||||
|
rm -rf "$gpg_tmp_dir"
|
||||||
|
exit_message "Error validating the signing key."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
## End actual work
|
## End actual work
|
||||||
|
|
||||||
noopts=0
|
noopts=0
|
||||||
|
@ -604,6 +649,7 @@ fi
|
||||||
|
|
||||||
if [[ $convert_to_rocky ]]; then
|
if [[ $convert_to_rocky ]]; then
|
||||||
collect_system_info
|
collect_system_info
|
||||||
|
establish_gpg_trust
|
||||||
package_swaps
|
package_swaps
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue