Verify Ubuntu Cloud Images using SHA256SUMS

Relies on https://cloud-images.ubuntu.com being served by a cert signed
by one of the CAs trusted by the build host.

Change-Id: I690b755acca54789110c2c8fa723c8b87b2485c9
Clint Byrum 2013-02-27 15:31:56 -08:00
parent 0bbea74583
commit b2314243c6


@ -10,12 +10,17 @@ IMG_PATH=~/.cache/image-create
CLOUD_IMAGES=${CLOUD_IMAGES:-http://cloud-images.ubuntu.com/} CLOUD_IMAGES=${CLOUD_IMAGES:-http://cloud-images.ubuntu.com/}
RELEASE=${RELEASE:-quantal} RELEASE=${RELEASE:-quantal}
BASE_IMAGE_FILE=${BASE_IMAGE_FILE:-$RELEASE-server-cloudimg-$ARCH-root.tar.gz} BASE_IMAGE_FILE=${BASE_IMAGE_FILE:-$RELEASE-server-cloudimg-$ARCH-root.tar.gz}
SHA256SUMS=${SHA256SUMS:-https://cloud-images.ubuntu.com/$RELEASE/current/SHA256SUMS}
mkdir -p $IMG_PATH mkdir -p $IMG_PATH
# TODO: don't cache -current forever. # TODO: don't cache -current forever.
if [ ! -f $IMG_PATH/$BASE_IMAGE_FILE ] ; then if [ ! -f $IMG_PATH/$BASE_IMAGE_FILE ] ; then
echo "Fetching Base Image" echo "Fetching Base Image"
wget $CLOUD_IMAGES/$RELEASE/current/$BASE_IMAGE_FILE -O $IMG_PATH/$BASE_IMAGE_FILE.tmp wget $CLOUD_IMAGES/$RELEASE/current/$BASE_IMAGE_FILE -O $IMG_PATH/$BASE_IMAGE_FILE.tmp
wget $SHA256SUMS -O $IMG_PATH/SHA256SUMS
pushd $IMG_PATH
awk "/$BASE_IMAGE_FILE/ { print \$0 \".tmp\" }" SHA256SUMS | sha256sum --check -
popd
mv $IMG_PATH/$BASE_IMAGE_FILE.tmp $IMG_PATH/$BASE_IMAGE_FILE mv $IMG_PATH/$BASE_IMAGE_FILE.tmp $IMG_PATH/$BASE_IMAGE_FILE
fi fi
# Extract the base image # Extract the base image
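Review bot: The `mv` that promotes the `.tmp` tarball into the cache is stopped by a failed `sha256sum --check` only if the script runs under `set -e`, which is not visible in this hunk; ending the pipeline with `| sha256sum --check - || exit 1` would make that dependency explicit. The awk pattern `/$BASE_IMAGE_FILE/` is an unanchored regex built from an overridable variable, so `.` matches any character, a `/` in the value breaks the awk program, and a substring hit on another entry produces a check line for a file that does not exist. Passing the name as data and comparing the filename field exactly avoids this, e.g. `awk -v f="$BASE_IMAGE_FILE" '$2 == f || $2 == "*" f { print $0 ".tmp" }' SHA256SUMS`. The check also sits inside the cache-miss `if`, so a tarball already present in `$IMG_PATH` from before this change is never verified.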