From c5b091e3b395d649d11d3b7ccfd86b53ab48305e Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sat, 20 Jul 2024 12:54:04 +0200
Subject: [PATCH] Added signature verification (untested). See AI chat: https://chatgpt.com/share/b521328b-7d7e-4b51-ae1a-9efec2f307c6
---
 scripts/image/setup.sh | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/scripts/image/setup.sh b/scripts/image/setup.sh
index f286355..e251eae 100644
--- a/scripts/image/setup.sh
+++ b/scripts/image/setup.sh
@@ -172,6 +172,8 @@ case "$operation_system" in
         ;;
 esac
 
+info "Verifying image..."
+info "Verifying checksum..."
 if [ -z "$image_checksum" ]; then
     for ext in sha1 sha512 md5; do
         sha_download_url="$download_url.$ext"
@@ -186,7 +188,6 @@ if [ -z "$image_checksum" ]; then
     done
 fi
 
-info "Verifying image..."
 if [[ -v image_checksum ]]
 then
     (info "Checking md5 checksum..." && echo "$image_checksum $image_path"| md5sum -c -) || 
@@ -197,6 +198,45 @@ if [[ -v image_checksum ]]
     warning "Verification is not possible. No checksum is defined."
 fi
 
+info "Verifying signature..."
+signature_download_url="$download_url.sig"
+info "Try to download image signature from $signature_download_url."
+
+if wget -q --method=HEAD "$signature_download_url"; then
+    signature_name="${image_name}.sig"
+    signature_path="${image_folder}${signature_name}"
+
+    info "Download the signature file"
+    if wget -q -O "$signature_path" "$signature_download_url"; then
+        info "Extract the key ID from the signature file"
+        key_id=$(gpg --status-fd 1 --verify "$signature_path" "$image_path" 2>&1 | grep 'NO_PUBKEY' | awk '{print $NF}')
+
+        if [ -n "$key_id" ]; then
+            info "Check if the key is already in the keyring"
+            if gpg --list-keys "$key_id" > /dev/null 2>&1; then
+                info "Key $key_id already in keyring."
+            else
+                info "Import the public key"
+                gpg --keyserver keyserver.ubuntu.com --recv-keys "$key_id"
+            fi
+
+            info "Verify the signature again after importing the key"
+            if gpg --verify "$signature_path" "$image_path"; then
+                info "Signature verification succeeded."
+            else
+                warning "Signature verification failed."
+            fi
+        else
+            warning "No public key found in the signature file."
+        fi
+    else
+        warning "Failed to download the signature file."
+    fi
+else
+    warning "No signature found under $signature_download_url."
+fi
+
+
 
 make_mount_folders
 set_partition_paths
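Review bot: In the `if wget -q -O "$signature_path"` branch the `key_id=$(gpg --status-fd 1 --verify … | grep 'NO_PUBKEY' …)` line only yields a value when the signing key is missing, so once the key is in the keyring `key_id` is empty, the script warns "No public key found in the signature file" and the final `gpg --verify` never runs; the "Key $key_id already in keyring" branch is unreachable. Verifying first, consulting the keyserver only when the status output contains `NO_PUBKEY`, and then verifying again gives the intended order, as sketched below. Beyond the ordering, importing whatever key the signature names and then accepting a good signature from it only shows that the `.sig` matches some key published on keyserver.ubuntu.com, not that the image publisher signed it: the expected signing fingerprint should be pinned per operating system next to `download_url` and compared against the `VALIDSIG` status line before reporting success. A failed `--recv-keys` or verification is also only a `warning` and the script proceeds to `make_mount_folders`, which mirrors the checksum path above but deserves an explicit decision given the subject marks this as untested.
```shell
info "Download the signature file"
if wget -q -O "$signature_path" "$signature_download_url"; then
    # Verify first; gpg exits non-zero here when the key is unknown, so do not abort on it.
    verify_status=$(gpg --status-fd 1 --verify "$signature_path" "$image_path" 2>&1) || true
    if grep -q 'NO_PUBKEY' <<<"$verify_status"; then
        key_id=$(grep 'NO_PUBKEY' <<<"$verify_status" | awk '{print $NF}')
        info "Import the public key $key_id"
        gpg --keyserver keyserver.ubuntu.com --recv-keys "$key_id" || warning "Key import failed."
    fi
    # TODO: compare the fingerprint in the VALIDSIG status line with a value pinned per operating system.
    if gpg --verify "$signature_path" "$image_path"; then
        info "Signature verification succeeded."
    else
        warning "Signature verification failed."
    fi
else
    # … unchanged: download-failure warning …
fi
```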