authorChristian Pointner <equinox@spreadspace.org>2020-07-11 01:37:51 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-07-11 01:40:18 +0200
commit8bfbc9b54f28cb5e25714e40e96f752f98f40568 (patch)
treee056a15d599981f963f20365848d4032aa792191 /roles/installer
parentopenbsd installer: extract sha256 checksum from iso before downloading it (diff)
openbsd installer: improve image verification
Diffstat (limited to 'roles/installer')
-rw-r--r--roles/installer/openbsd/fetch/tasks/main.yml55
1 files changed, 29 insertions, 26 deletions
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
index d8f37018..97e8fb57 100644
--- a/roles/installer/openbsd/fetch/tasks/main.yml
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
@@ -4,31 +4,13 @@
name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
state: directory
-- name: download signed sha256 files
+- name: download signed sha256 and buildinfo files
+ loop:
+ - SHA256.sig
+ - BUILDINFO
get_url:
- url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
- dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
- mode: 0644
- force: "{{ openbsd_installer_force_download }}"
-
-## Unfortunately signify can't be used to verify just the sha256 file. This means that the checksum we extract here
-## might be wrong. Using this an attacker could trick us into deleting a valid ISO file and downloading a harmful
-## image instead. Since the signature of the sha256 file will be checked eventually the attacker however cannot trick
-## us into booting the image.
-## Despite this flaw it is imho still better to extract the hash so that get_url below can check a potentially
-## existing file without the need to query the server. This should speed up the installation process quite a bit
-## and take care of spurious re-downloads.
-
-- name: extract sha256 hash for iso file
- command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
- changed_when: false
- register: openbsd_installer_sha256sum
-
-- name: download installer iso files
- get_url:
- url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
- dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
- checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
force: "{{ openbsd_installer_force_download }}"
mode: 0644
@@ -37,8 +19,16 @@
content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"
-- name: verfiy downloaded iso files
- command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso"
+## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without
+## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead.
+## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding
+## hundreds of megabytes is not fun.
+## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO)
+## to verfiy the signature.
+## This process should speed up the installation quite a bit and make the overall image download process more solid.
+
+- name: verify downloaded files
+ command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO"
args:
chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
changed_when: false
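Review bot: The comment block above the `verify downloaded files` task does not say what now protects the ISO. This hunk drops the signify check of the image, so its integrity depends on this task failing the play on a bad signature and on the later `get_url` `checksum:` being taken from the SHA256.sig verified here. I would add a line such as `## The ISO itself is only checked by get_url's checksum below, so this task must fail hard and must run before the hash is extracted.` The task's remaining keys (presumably the `register:` that feeds the debug task) lie outside the hunk, so confirm that no `failed_when` or `ignore_errors` there relaxes the default failure on a non-zero exit code. The new comment also has two typos, `re-downlaoding` and `verfiy`.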
@@ -46,3 +36,16 @@
- debug:
var: openbsd_installer_signify_result.stdout_lines
+
+- name: extract sha256 hash for iso file
+ command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ changed_when: false
+ register: openbsd_installer_sha256sum
+
+- name: download installer iso file
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+ force: "{{ openbsd_installer_force_download }}"
+ mode: 0644
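Review bot: The grep pattern in `extract sha256 hash for iso file` is looser than the format it parses: the `.` before `iso` is unescaped and `[0-9a-z]{64}` accepts letters that are not hex digits. Because the match is fed straight into `checksum:`, I would tighten it to `install{{ openbsd_installer_version_short }}\.iso\) = [0-9a-f]{64}$`. The task is read-only, so adding `check_mode: false` would keep `openbsd_installer_sha256sum.stdout` defined under `--check`; without it the download task presumably fails to template. On the new download task, `mode: 0644` is safer written as the string `mode: "0644"`.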