From b2314243c63a85dd6fc292104a2fefe54c54e492 Mon Sep 17 00:00:00 2001
From: Clint Byrum
Date: Wed, 27 Feb 2013 15:31:56 -0800
Subject: [PATCH] Verify Ubuntu Cloud Images using SHA256SUMS

Relies on https://cloud-images.ubuntu.com being served by a cert signed by one of the CA's trusted by the build host.

Change-Id: I690b755acca54789110c2c8fa723c8b87b2485c9
---
 elements/ubuntu/root.d/10-cache-ubuntu-tarball | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/elements/ubuntu/root.d/10-cache-ubuntu-tarball b/elements/ubuntu/root.d/10-cache-ubuntu-tarball
index 686fcf71..7b3ff166 100755
--- a/elements/ubuntu/root.d/10-cache-ubuntu-tarball
+++ b/elements/ubuntu/root.d/10-cache-ubuntu-tarball
@@ -10,12 +10,17 @@ IMG_PATH=~/.cache/image-create
 CLOUD_IMAGES=${CLOUD_IMAGES:-http://cloud-images.ubuntu.com/}
 RELEASE=${RELEASE:-quantal}
 BASE_IMAGE_FILE=${BASE_IMAGE_FILE:-$RELEASE-server-cloudimg-$ARCH-root.tar.gz}
+SHA256SUMS=${SHA256SUMS:-https://cloud-images.ubuntu.com/$RELEASE/current/SHA256SUMS}
 
 mkdir -p $IMG_PATH
 # TODO: don't cache -current forever.
 if [ ! -f $IMG_PATH/$BASE_IMAGE_FILE ] ; then
 echo "Fetching Base Image"
 wget $CLOUD_IMAGES/$RELEASE/current/$BASE_IMAGE_FILE -O $IMG_PATH/$BASE_IMAGE_FILE.tmp
+ wget $SHA256SUMS -O $IMG_PATH/SHA256SUMS
+ pushd $IMG_PATH
+ awk "/$BASE_IMAGE_FILE/ { print \$0 \".tmp\" }" SHA256SUMS | sha256sum --check -
+ popd
 mv $IMG_PATH/$BASE_IMAGE_FILE.tmp $IMG_PATH/$BASE_IMAGE_FILE
 fi
 # Extract the base image
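Review bot: The exit status of `sha256sum --check -` is never tested, so the `mv` that promotes `$BASE_IMAGE_FILE.tmp` into the cache is only blocked on a mismatch if `set -e` is in effect, and the script's option settings are outside this hunk. The image is still fetched over plain `http://` by default and the `if [ ! -f ... ]` guard skips verification on later runs, so this check is the only integrity control and a missed failure would persist in the cache. The `awk "/$BASE_IMAGE_FILE/ ..."` filter also uses the file name as an unanchored regex (`.` matches any character, and a `/` in an overridden name would break the awk program). Passing the name with `-v` and comparing the second field exactly avoids that, and the sketch below also fails explicitly and removes the unverified `.tmp`. Checking the `SHA256SUMS.gpg` signature published next to the sums file would additionally remove the dependence on the build host's CA store that the commit message notes.

```shell
    # … unchanged: wget of the image and of $SHA256SUMS …
    pushd $IMG_PATH
    # Match the file name exactly (field 2, with or without the binary-mode "*").
    expected=$(awk -v f="$BASE_IMAGE_FILE" '$2 == f || $2 == "*" f { print $1 }' SHA256SUMS)
    if [ -z "$expected" ] || \
       ! echo "$expected  $BASE_IMAGE_FILE.tmp" | sha256sum --check - ; then
        echo "SHA256 verification failed for $BASE_IMAGE_FILE" >&2
        rm -f "$BASE_IMAGE_FILE.tmp"
        exit 1
    fi
    popd
    # … unchanged: mv of the verified .tmp into the cache …
```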