authorChristian Pointner <equinox@spreadspace.org>2020-07-11 01:18:15 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-07-11 01:18:15 +0200
commit4eec4384e5408a87b6ad2b77b4819b65c500a3bc (patch)
tree386d2565c7f333f471f1c7dc7146b705b0f094c6 /roles/installer
parentinstaller: cleanup variables (diff)
openbsd installer: extract sha256 checksum from iso before downloading it
Diffstat (limited to 'roles/installer')
-rw-r--r--roles/installer/openbsd/fetch/tasks/main.yml28
1 files changed, 21 insertions, 7 deletions
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
index 0ab9070c..d8f37018 100644
--- a/roles/installer/openbsd/fetch/tasks/main.yml
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
@@ -4,13 +4,6 @@
name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
state: directory
-- name: download installer iso files
- get_url:
- url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
- dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
- mode: 0644
- force: "{{ openbsd_installer_force_download }}"
-
- name: download signed sha256 files
get_url:
url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
@@ -18,6 +11,27 @@
mode: 0644
force: "{{ openbsd_installer_force_download }}"
+## Unfortunately signify can't be used to verify just the sha256 file. This means that the checksum we extract here
+## might be wrong. Using this an attacker could trick us into deleting a valid ISO file and downloading a harmful
+## image instead. Since the signature of the sha256 file will be checked eventually the attacker however cannot trick
+## us into booting the image.
+## Despite this flaw it is imho still better to extract the hash so that get_url below can check a potentially
+## existing file without the need to query the server. This should speed up the installation process quite a bit
+## and take care of spurious re-downloads.
+
+- name: extract sha256 hash for iso file
+ command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ changed_when: false
+ register: openbsd_installer_sha256sum
+
+- name: download installer iso files
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+ force: "{{ openbsd_installer_force_download }}"
+ mode: 0644
+
- name: create signing key files
copy:
content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
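Review bot: The grep pattern in `extract sha256 hash for iso file` is looser than the value it feeds into `checksum:`, because `[0-9a-z]{64}` accepts non-hex letters and the unescaped `.` before `iso` matches any character. SHA256.sig has not been signature-checked at this point (the added comment says so), so I would pin the match to exactly what is expected: `\(install{{ openbsd_installer_version_short }}\.iso\) = [0-9a-f]{64}$`. The comment's safety argument also depends on the signify check running before anything consumes the ISO; that task is outside this hunk, so it is worth confirming that no path (tags, `--start-at-task`) can skip it. Separately, `command` is skipped in check mode, so `openbsd_installer_sha256sum.stdout` will be undefined there unless the extraction task gets `check_mode: false`.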