author | Christian Pointner <equinox@spreadspace.org> | 2020-07-05 13:50:22 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2020-07-05 13:50:22 +0200 |
commit | c19be43a930a9c260f54c913278f9f4b5999c7d8 (patch) | |
tree | 86c11f5bfade3eacb3531524ae461ee40aeb1679 /roles/installer/openbsd/base | |
parent | ch-equinox-ws: install kpartx (diff) |
add verification for openbsd installer iso files
Diffstat (limited to 'roles/installer/openbsd/base')
-rw-r--r-- | roles/installer/openbsd/base/defaults/main.yml | 5 | ||||
-rw-r--r-- | roles/installer/openbsd/base/tasks/main.yml | 44 |
2 files changed, 41 insertions, 8 deletions
diff --git a/roles/installer/openbsd/base/defaults/main.yml b/roles/installer/openbsd/base/defaults/main.yml index c852e00a..10e9c840 100644 --- a/roles/installer/openbsd/base/defaults/main.yml +++ b/roles/installer/openbsd/base/defaults/main.yml @@ -4,5 +4,10 @@ openbsd_versions: - amd64 - i386 +openbsd_signing_keys: + 6.7: | + untrusted comment: openbsd 6.7 base public key + RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj + openbsd_installer_force_download: no openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD" diff --git a/roles/installer/openbsd/base/tasks/main.yml b/roles/installer/openbsd/base/tasks/main.yml index 0d5053d5..2d6e905e 100644 --- a/roles/installer/openbsd/base/tasks/main.yml +++ b/roles/installer/openbsd/base/tasks/main.yml @@ -1,4 +1,12 @@ -- name: prepare directories for installer isos +--- +- name: install genisoimage and openbsd signify + apt: + name: + - genisoimage + - signify-openbsd + state: present + +- name: prepare directories for installer iso files loop: "{{ openbsd_versions | subelements('arch') }}" loop_control: label: "openbsd-{{ item.0.version }} {{ item.1 }}" 
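Review bot: In the defaults/main.yml hunk, the key `6.7:` under `openbsd_signing_keys` is an unquoted YAML float, so the lookup `openbsd_signing_keys[item.version]` in tasks/main.yml only matches while `version` in `openbsd_versions` parses to the same type; those entries are defined outside this hunk. Quoting it as `'6.7': |`, and the `version` values to match, removes that dependency. This value is also the trust anchor for every later signify check, so it deserves a comment recording its provenance, for example `# source: <where the key was obtained>; cross-checked against <independent copy, e.g. /etc/signify of the previous release>`.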
@@ -6,19 +14,39 @@ name: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}" state: directory -- name: download installer isos +- name: download installer iso files loop: "{{ openbsd_versions | subelements('arch') }}" loop_control: label: "openbsd-{{ item.0.version }} {{ item.1 }}" get_url: url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso" - dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/install.iso" + dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso" + mode: 0644 + force: "{{ openbsd_installer_force_download }}" + +- name: download signed sha256 files + loop: "{{ openbsd_versions | subelements('arch') }}" + loop_control: + label: "openbsd-{{ item.0.version }} {{ item.1 }}" + get_url: + url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/SHA256.sig" + dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/SHA256.sig" mode: 0644 force: "{{ openbsd_installer_force_download }}" -# TODO: verify the image using openbsd-signify +- name: create signing key files + loop: "{{ openbsd_versions }}" + loop_control: + label: "openbsd-{{ item.version }}" + copy: + content: "{{ openbsd_signing_keys[item.version] }}" + dest: "{{ installer_path }}/openbsd-{{ item.version }}/openbsd-{{ item.version | replace('.', '') }}-base.pub" -- name: install genisoimage - apt: - name: genisoimage - state: present +- name: verfiy downloaded iso files + loop: "{{ openbsd_versions | subelements('arch') }}" + loop_control: + label: "openbsd-{{ item.0.version }} {{ item.1 }}" + command: "signify-openbsd -Cp ../openbsd-{{ item.0.version | replace('.', '') }}-base.pub -x SHA256.sig install{{ item.0.version | replace('.', '') }}.iso" + args: + chdir: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}" + changed_when: false |
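Review bot: A failed verification leaves the unverified ISO at its final path, because the download task writes `install{{ item.0.version | replace('.', '') }}.iso` straight into `installer_path` before the `signify-openbsd -C` task runs. With `openbsd_installer_force_download` off, later runs will not replace that file either. The play stops, but anything else that reads that directory can still pick the image up. Registering the verify result, removing the files that failed and only then failing the play keeps the directory limited to verified images, as sketched below. Separately, the `copy` task for the key file sets no `mode`, unlike the two `get_url` tasks.

```yaml
- name: verfiy downloaded iso files
  # … unchanged: loop, loop_control, command, args/chdir, changed_when …
  failed_when: false
  register: openbsd_iso_verify

- name: remove iso files that failed verification
  loop: "{{ openbsd_iso_verify.results }}"
  loop_control:
    label: "openbsd-{{ item.item.0.version }} {{ item.item.1 }}"
  when: item.rc != 0
  file:
    path: "{{ installer_path }}/openbsd-{{ item.item.0.version }}/{{ item.item.1 }}/install{{ item.item.0.version | replace('.', '') }}.iso"
    state: absent

- name: fail if any iso file did not verify
  assert:
    that:
      - openbsd_iso_verify.results | selectattr('rc', 'ne', 0) | list | length == 0
```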