authorChristian Pointner <equinox@spreadspace.org>2020-07-05 13:50:22 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-07-05 13:50:22 +0200
commitc19be43a930a9c260f54c913278f9f4b5999c7d8 (patch)
tree86c11f5bfade3eacb3531524ae461ee40aeb1679 /roles
parentch-equinox-ws: install kpartx (diff)
add verification for openbsd installer iso files
Diffstat (limited to 'roles')
-rw-r--r--roles/installer/openbsd/autoinstall/tasks/main.yml24
-rw-r--r--roles/installer/openbsd/autoinstall/templates/auto_install.conf.j26
-rw-r--r--roles/installer/openbsd/autoinstall/templates/boot.conf.j22
-rw-r--r--roles/installer/openbsd/base/defaults/main.yml5
-rw-r--r--roles/installer/openbsd/base/tasks/main.yml44
5 files changed, 53 insertions, 28 deletions
diff --git a/roles/installer/openbsd/autoinstall/tasks/main.yml b/roles/installer/openbsd/autoinstall/tasks/main.yml
index 5170ea9b..b8e88b53 100644
--- a/roles/installer/openbsd/autoinstall/tasks/main.yml
+++ b/roles/installer/openbsd/autoinstall/tasks/main.yml
@@ -2,21 +2,11 @@
- name: create temporary directories
loop:
- files/etc
- - files/sets
- site/
file:
path: "{{ obsd_autoinstall_tmpdir }}/{{ item }}"
state: directory
-- name: extract installer files from iso
- iso_extract:
- image: "{{ installer_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install.iso"
- dest: "{{ obsd_autoinstall_tmpdir }}/files"
- files:
- - "{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/cdbr"
- - "{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/cdboot"
- - "{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/bsd.rd"
-
- name: generate bootloader and installer configuration
loop:
- auto_install.conf
@@ -28,18 +18,20 @@
- name: generate random seed
shell: "head -c512 < /dev/random > {{ obsd_autoinstall_tmpdir }}/files/etc/random.seed"
-- name: extract file-sets from iso
+- name: extract installer files from iso
vars:
- set_names:
+ installer_files:
+ - cdbr
+ - cdboot
- bsd
- bsd.mp
- bsd.rd
- "INSTALL.{{ obsd_autoinstall_arch }}"
- "{{ obsd_autoinstall_file_sets | product([obsd_autoinstall_version_short+'.tgz']) | map('join') | list }}"
iso_extract:
- image: "{{ installer_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install.iso"
- dest: "{{ obsd_autoinstall_tmpdir }}/files/sets"
- files: "{{ [obsd_autoinstall_version+'/'+obsd_autoinstall_arch+'/'] | product(set_names | flatten) | map('join') | list }}"
+ image: "{{ installer_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso"
+ dest: "{{ obsd_autoinstall_tmpdir }}/files"
+ files: "{{ [obsd_autoinstall_version+'/'+obsd_autoinstall_arch+'/'] | product(installer_files | flatten) | map('join') | list }}"
- name: generate install.site script
template:
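Review bot: The extract task now reads `install{{ obsd_autoinstall_version | replace('.', '') }}.iso` straight from `installer_path` with no integrity check of its own, so everything this role builds (bsd.rd, the set tarballs, the rebuilt iso) is only as trustworthy as the signify step in roles/installer/openbsd/base having run against that same file first; nothing in this hunk expresses that ordering. A comment above the task would make the assumption visible to whoever runs this role on its own, e.g. `# the iso under installer_path is trusted only because the openbsd/base role verified it with signify-openbsd against the pinned key`. If the autoinstall role can be applied standalone, a role dependency on the base role (meta/main.yml, not visible here) would enforce it rather than document it.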
@@ -50,7 +42,7 @@
- name: generate site tarball
archive:
path: "{{ obsd_autoinstall_tmpdir }}/site/"
- dest: "{{ obsd_autoinstall_tmpdir }}/files/sets/site{{ obsd_autoinstall_version_short }}.tgz"
+ dest: "{{ obsd_autoinstall_tmpdir }}/files/site{{ obsd_autoinstall_version_short }}.tgz"
- name: generate host specific installer image
command: 'genisoimage -RTLldDN -o "install.iso" -no-emul-boot -b "cdbr" -c "boot.catalog" files/'
diff --git a/roles/installer/openbsd/autoinstall/templates/auto_install.conf.j2 b/roles/installer/openbsd/autoinstall/templates/auto_install.conf.j2
index 1e0c8c0c..767242d9 100644
--- a/roles/installer/openbsd/autoinstall/templates/auto_install.conf.j2
+++ b/roles/installer/openbsd/autoinstall/templates/auto_install.conf.j2
@@ -13,7 +13,7 @@ DNS nameservers = {{ hostvars[install_hostname].network_cooked.nameservers | joi
{% if obsd_autoinstall_serial_device is defined %}
Change the default console to {{ obsd_autoinstall_serial_device }} = yes
-Which speed should {{ obsd_autoinstall_serial_device }} use = {{ obsd_autoinstall_tty_serial | default(115200) }}
+Which speed should {{ obsd_autoinstall_serial_device }} use = {{ obsd_autoinstall_serial_baudrate | default(115200) }}
{% endif %}
{# we will install only one key for now, install.site will install the rest #}
@@ -26,7 +26,7 @@ Allow root ssh login = prohibit-password
What timezone are you in = Europe/Vienna
Location of sets = cd0
-Pathname to the sets = sets/
+Pathname to the sets = /
Set name(s) = all
-{# iso-images don't contain the SHA256.sig file but are verified when downloading the iso-file #}
+{# iso-images don't contain the SHA256.sig file but have been verified after downloading them #}
Directory does not contain SHA256.sig. Continue without verification = yes
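Review bot: The reworded comment still does not say why skipping the installer's own SHA256.sig check is acceptable, which matters because `Continue without verification = yes` disables the last integrity check the installer would perform on the sets. Something like `{# the rebuilt iso carries no SHA256.sig; its contents were taken from an iso that the openbsd/base role verified with signify-openbsd against a pinned key, so the installer-side check is deliberately skipped #}` records the actual chain of trust. The current wording ("have been verified after downloading them") reads as if the rebuilt iso itself was verified, which is not what the base role does.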
diff --git a/roles/installer/openbsd/autoinstall/templates/boot.conf.j2 b/roles/installer/openbsd/autoinstall/templates/boot.conf.j2
index d6cdcfeb..b8d09519 100644
--- a/roles/installer/openbsd/autoinstall/templates/boot.conf.j2
+++ b/roles/installer/openbsd/autoinstall/templates/boot.conf.j2
@@ -1,5 +1,5 @@
{% if obsd_autoinstall_serial_device is defined %}
-stty {{ obsd_autoinstall_serial_device }} {{ obsd_autoinstall_tty_serial | default(115200) }}
+stty {{ obsd_autoinstall_serial_device }} {{ obsd_autoinstall_serial_baudrate | default(115200) }}
set tty {{ obsd_autoinstall_serial_device }}
{% endif %}
set image /bsd.rd
diff --git a/roles/installer/openbsd/base/defaults/main.yml b/roles/installer/openbsd/base/defaults/main.yml
index c852e00a..10e9c840 100644
--- a/roles/installer/openbsd/base/defaults/main.yml
+++ b/roles/installer/openbsd/base/defaults/main.yml
@@ -4,5 +4,10 @@ openbsd_versions:
- amd64
- i386
+openbsd_signing_keys:
+ 6.7: |
+ untrusted comment: openbsd 6.7 base public key
+ RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj
+
openbsd_installer_force_download: no
openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD"
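Review bot: The new mapping key `6.7:` is unquoted, so YAML parses it as the float 6.7, and the lookup `openbsd_signing_keys[item.version]` in the base tasks only succeeds if `version` in `openbsd_versions` (defined above this hunk, not visible) is parsed to the same type; quoting one side later would silently break the lookup, and a future `6.10:` would collapse to `6.1`. Quote the key (`"6.7": |`) and keep the version entries in `openbsd_versions` quoted as well, so a missing key fails the play on an undefined variable rather than on a type mismatch that is hard to spot. Keeping the pinned public key in defaults, separate from the download URL, is the right trust anchor; a comment noting where the key was obtained and cross-checked would help the next person who adds a release.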
diff --git a/roles/installer/openbsd/base/tasks/main.yml b/roles/installer/openbsd/base/tasks/main.yml
index 0d5053d5..2d6e905e 100644
--- a/roles/installer/openbsd/base/tasks/main.yml
+++ b/roles/installer/openbsd/base/tasks/main.yml
@@ -1,4 +1,12 @@
-- name: prepare directories for installer isos
+---
+- name: install genisoimage and openbsd signify
+ apt:
+ name:
+ - genisoimage
+ - signify-openbsd
+ state: present
+
+- name: prepare directories for installer iso files
loop: "{{ openbsd_versions | subelements('arch') }}"
loop_control:
label: "openbsd-{{ item.0.version }} {{ item.1 }}"
@@ -6,19 +14,39 @@
name: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}"
state: directory
-- name: download installer isos
+- name: download installer iso files
loop: "{{ openbsd_versions | subelements('arch') }}"
loop_control:
label: "openbsd-{{ item.0.version }} {{ item.1 }}"
get_url:
url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso"
- dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/install.iso"
+ dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/install{{ item.0.version | replace('.', '') }}.iso"
+ mode: 0644
+ force: "{{ openbsd_installer_force_download }}"
+
+- name: download signed sha256 files
+ loop: "{{ openbsd_versions | subelements('arch') }}"
+ loop_control:
+ label: "openbsd-{{ item.0.version }} {{ item.1 }}"
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ item.0.version }}/{{ item.1 }}/SHA256.sig"
+ dest: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}/SHA256.sig"
mode: 0644
force: "{{ openbsd_installer_force_download }}"
-# TODO: verify the image using openbsd-signify
+- name: create signing key files
+ loop: "{{ openbsd_versions }}"
+ loop_control:
+ label: "openbsd-{{ item.version }}"
+ copy:
+ content: "{{ openbsd_signing_keys[item.version] }}"
+ dest: "{{ installer_path }}/openbsd-{{ item.version }}/openbsd-{{ item.version | replace('.', '') }}-base.pub"
-- name: install genisoimage
- apt:
- name: genisoimage
- state: present
+- name: verfiy downloaded iso files
+ loop: "{{ openbsd_versions | subelements('arch') }}"
+ loop_control:
+ label: "openbsd-{{ item.0.version }} {{ item.1 }}"
+ command: "signify-openbsd -Cp ../openbsd-{{ item.0.version | replace('.', '') }}-base.pub -x SHA256.sig install{{ item.0.version | replace('.', '') }}.iso"
+ args:
+ chdir: "{{ installer_path }}/openbsd-{{ item.0.version }}/{{ item.1 }}"
+ changed_when: false
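Review bot: The name of the new signify task is misspelled, `- name: verify downloaded iso files`, and the added `mode: 0644` on the iso download is an unquoted octal that PyYAML reads as the integer 420; Ansible accepts it, but `mode: "0644"` is the portable form (the same applies to the pre-existing line in the SHA256.sig task). The verification itself is sound as a fail-closed step: `signify-openbsd -Cp ... -x SHA256.sig install<ver>.iso` runs on every play and aborts on mismatch. Note that on a failed check the unverified iso stays on disk and, with `openbsd_installer_force_download` left at its default, subsequent runs skip the download and keep failing until the file is removed by hand; a comment stating that, or a `file: state=absent` in a `rescue` around the verify task, would save debugging time.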