diff options
author | Christian Pointner <equinox@spreadspace.org> | 2020-07-11 01:42:07 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2020-07-11 01:42:07 +0200 |
commit | c188d4ac1713506c3028b4501730713cfda0ed36 (patch) | |
tree | e056a15d599981f963f20365848d4032aa792191 /roles/installer/openbsd/fetch/tasks/main.yml | |
parent | preseed/partman: nicer error text for not-enough-space (diff) | |
parent | openbsd installer: improve image verification (diff) |
Merge branch 'topic/debian-installer-verification'
Diffstat (limited to 'roles/installer/openbsd/fetch/tasks/main.yml')
-rw-r--r-- | roles/installer/openbsd/fetch/tasks/main.yml | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml new file mode 100644 index 00000000..97e8fb57 --- /dev/null +++ b/roles/installer/openbsd/fetch/tasks/main.yml @@ -0,0 +1,51 @@ +--- +- name: prepare directories for installer iso files + file: + name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" + state: directory + +- name: download signed sha256 and buildinfo files + loop: + - SHA256.sig + - BUILDINFO + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}" + force: "{{ openbsd_installer_force_download }}" + mode: 0644 + +- name: create signing key files + copy: + content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub" + +## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without +## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead. +## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding +## hundreds of megabytes is not fun. +## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO) +## to verfiy the signature. +## This process should speed up the installation quite a bit and make the overall image download process more solid. + +- name: verify downloaded files + command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO" + args: + chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" + changed_when: false + register: openbsd_installer_signify_result + +- debug: + var: openbsd_installer_signify_result.stdout_lines + +- name: extract sha256 hash for iso file + command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" + changed_when: false + register: openbsd_installer_sha256sum + +- name: download installer iso file + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}" + force: "{{ openbsd_installer_force_download }}" + mode: 0644 |