diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2020-07-10 21:45:43 +0200 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2020-07-10 21:45:43 +0200 |
| commit | 701383c4c177572521bf09abc9242cd1c3f8e2f1 (patch) | |
| tree | 2b9573a0ea20f090443fd485029b5e276a167711 /roles/installer | |
| parent | refacter installer/debian/base to make future file verification easier (diff) | |
debian installer file verification works now
Diffstat (limited to 'roles/installer')
| -rw-r--r-- | roles/installer/debian/base/tasks/main.yml | 42 | ||||
| -rw-r--r-- | roles/installer/debian/base/tasks/verify-debian.yml | 46 | ||||
| -rw-r--r-- | roles/installer/debian/base/tasks/verify-ubuntu.yml | 35 | ||||
| -rw-r--r-- | roles/installer/debian/usb/tasks/main.yml | 1 |
4 files changed, 109 insertions, 15 deletions
diff --git a/roles/installer/debian/base/tasks/main.yml b/roles/installer/debian/base/tasks/main.yml index 1984df2c..65110c91 100644 --- a/roles/installer/debian/base/tasks/main.yml +++ b/roles/installer/debian/base/tasks/main.yml @@ -4,20 +4,32 @@ name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" state: directory -- name: download installer kernel image - get_url: - url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}" - mode: 0644 - force: "{{ debian_installer_force_download }}" +- name: download and verify installer files + block: + - name: fetch and verify installer checksums + include_tasks: "verify-{{ install_distro }}.yml" -- name: download installer initrd.gz - get_url: - url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz" - mode: 0644 - force: "{{ debian_installer_force_download }}" + - name: download installer kernel image + get_url: + url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}" + dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}" + checksum: "{{ debian_installer_kernel_checksum }}" + force: "{{ debian_installer_force_download }}" + mode: 0644 -## TODO verfiy downloaded files using: -## "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/InRelease -## "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS + - name: download installer initrd.gz + get_url: + url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz" + dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz" + checksum: "{{ debian_installer_initrd_checksum }}" + force: "{{ debian_installer_force_download }}" + mode: 0644 + + rescue: + - name: remove all downloaded files + file: + name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" + state: absent + + - fail: + msg: "download/verification of installer files failed" diff --git a/roles/installer/debian/base/tasks/verify-debian.yml b/roles/installer/debian/base/tasks/verify-debian.yml new file mode 100644 index 00000000..5a890b1d --- /dev/null +++ b/roles/installer/debian/base/tasks/verify-debian.yml @@ -0,0 +1,46 @@ +--- +- name: download Release and Signature file + loop: + - Release + - Release.gpg + get_url: + url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}" + dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" + +- name: verfiy signature of Release file + command: >- + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --keyring "{{ global_files_dir }}/common/keyrings/debian-{{ install_codename }}.gpg" + --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg" + "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" + changed_when: False + register: debian_installer_gpg_result + +- debug: + var: debian_installer_gpg_result.stderr_lines + +- name: extract checksum file hash from Release file + command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" + changed_when: false + register: debian_installer_inrelease_sha256 + +- name: download SHA256SUMS + get_url: + url: "{{ debian_installer_base_url }}/SHA256SUMS" + dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}" + +- name: extract kernel image hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_kernel + +- name: extract inital ramdisk hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_initrd + +- name: set checksum variables + set_fact: + debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" + debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/base/tasks/verify-ubuntu.yml b/roles/installer/debian/base/tasks/verify-ubuntu.yml new file mode 100644 index 00000000..f2b75492 --- /dev/null +++ b/roles/installer/debian/base/tasks/verify-ubuntu.yml @@ -0,0 +1,35 @@ +--- +- name: download SHA256SUMS and signature file + loop: + - SHA256SUMS + - SHA256SUMS.gpg + get_url: + url: "{{ debian_installer_base_url }}/{{ item }}" + dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" + +- name: verfiy signature of SHA256SUMS.gpg file + command: >- + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --keyring "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg" + --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg" + "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: False + register: debian_installer_gpg_result + +- debug: + var: debian_installer_gpg_result.stderr_lines + +- name: extract kernel image hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_kernel + +- name: extract inital ramdisk hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_initrd + +- name: set checksum variables + set_fact: + debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" + debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml index 79251fdf..4ff03611 100644 --- a/roles/installer/debian/usb/tasks/main.yml +++ b/roles/installer/debian/usb/tasks/main.yml @@ -37,6 +37,7 @@ always: - name: Cleanup temporary workdir + when: tmpdir.path is defined file: path: "{{ tmpdir.path }}" state: absent |