update gpg / file verification for Gentoo
Gentoo updated the layout and files for vaidating stages At least we can validate cryptographically and infer valid checksum now. https://www.gentoo.org/news/2022/02/17/changed-signatures.html Change-Id: I708b44419ae53dec2c19a2210ef427dcd2eb6002 Signed-off-by: Matthew Thode <mthode@mthode.org>
This commit is contained in:
parent
f44644f20f
commit
691eb03be8
@ -74,7 +74,7 @@ fi
|
|||||||
DIB_CLOUD_SOURCE=${DIB_CLOUD_SOURCE:-"http://distfiles.gentoo.org/releases/${ARCH_PATH}/autobuilds/latest-stage3-${ARCH_PATH}${SIGNED_SOURCE_SUFFIX}.txt"}
|
DIB_CLOUD_SOURCE=${DIB_CLOUD_SOURCE:-"http://distfiles.gentoo.org/releases/${ARCH_PATH}/autobuilds/latest-stage3-${ARCH_PATH}${SIGNED_SOURCE_SUFFIX}.txt"}
|
||||||
BASE_IMAGE_FILE=${BASE_IMAGE_FILE:-"http://distfiles.gentoo.org/releases/${ARCH_PATH}/autobuilds/$(curl "${DIB_CLOUD_SOURCE}" -s -f | tail -n 1 | cut -d\ -f 1)"}
|
BASE_IMAGE_FILE=${BASE_IMAGE_FILE:-"http://distfiles.gentoo.org/releases/${ARCH_PATH}/autobuilds/$(curl "${DIB_CLOUD_SOURCE}" -s -f | tail -n 1 | cut -d\ -f 1)"}
|
||||||
BASE_IMAGE_FILE_SUFFIX=${BASE_IMAGE_FILE_SUFFIX:-"$(basename "${BASE_IMAGE_FILE}" | cut -d. -f 2,3)"}
|
BASE_IMAGE_FILE_SUFFIX=${BASE_IMAGE_FILE_SUFFIX:-"$(basename "${BASE_IMAGE_FILE}" | cut -d. -f 2,3)"}
|
||||||
SIGNATURE_FILE="${SIGNATURE_FILE:-${BASE_IMAGE_FILE}.DIGESTS.asc}"
|
SIGNATURE_FILE="${SIGNATURE_FILE:-${BASE_IMAGE_FILE}.asc}"
|
||||||
CACHED_FILE="${DIB_IMAGE_CACHE}/${FILENAME_BASE}.${BASE_IMAGE_FILE_SUFFIX}"
|
CACHED_FILE="${DIB_IMAGE_CACHE}/${FILENAME_BASE}.${BASE_IMAGE_FILE_SUFFIX}"
|
||||||
CACHED_SIGNATURE_FILE="${DIB_IMAGE_CACHE}/${FILENAME_BASE}.asc"
|
CACHED_SIGNATURE_FILE="${DIB_IMAGE_CACHE}/${FILENAME_BASE}.asc"
|
||||||
|
|
||||||
@ -91,18 +91,11 @@ else
|
|||||||
# https://dev.gentoo.org/~dolsen/releases/keyrings/gentoo-keys-*.tar.xz
|
# https://dev.gentoo.org/~dolsen/releases/keyrings/gentoo-keys-*.tar.xz
|
||||||
# http://distfiles.gentoo.org/distfiles/gentoo-keys-*.tar.xz
|
# http://distfiles.gentoo.org/distfiles/gentoo-keys-*.tar.xz
|
||||||
# check the sig file
|
# check the sig file
|
||||||
if ! gpgv --keyring "${TMP_HOOKS_PATH}"/extra-data.d/gentoo-releng.gpg "${CACHED_SIGNATURE_FILE}"; then
|
if ! gpgv --keyring "${TMP_HOOKS_PATH}"/extra-data.d/gentoo-releng.gpg "${CACHED_SIGNATURE_FILE}" "${CACHED_FILE}"; then
|
||||||
echo 'invalid signature file'
|
echo 'invalid signature file'
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
echo 'valid key used'
|
echo 'base image file verified'
|
||||||
CACHED_SHA512SUM=$(grep -A1 -e 'SHA512' "${CACHED_SIGNATURE_FILE}" | grep -e "${BASE_IMAGE_FILE_SUFFIX}$" | cut -d\ -f 1)
|
|
||||||
ACTUAL_SHA512SUM=$(sha512sum "${CACHED_FILE}" | cut -d\ -f 1)
|
|
||||||
if [[ "${ACTUAL_SHA512SUM}" != "${CACHED_SHA512SUM}" ]]; then
|
|
||||||
echo "invalid checksum on downloaded tarball: ${CACHED_FILE}"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
echo 'valid checksum'
|
|
||||||
popd
|
popd
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user