-rw-r--r--files/common/keyrings/debian-buster.gpgbin0 -> 17541 bytes
-rw-r--r--files/common/keyrings/debian-stretch.gpgbin0 -> 14428 bytes
-rw-r--r--files/common/keyrings/ubuntu-archive.gpgbin0 -> 4909 bytes
-rw-r--r--roles/installer/debian/base/tasks/main.yml42
-rw-r--r--roles/installer/debian/base/tasks/verify-debian.yml46
-rw-r--r--roles/installer/debian/base/tasks/verify-ubuntu.yml35
-rw-r--r--roles/installer/debian/usb/tasks/main.yml1
7 files changed, 109 insertions, 15 deletions
diff --git a/files/common/keyrings/debian-buster.gpg b/files/common/keyrings/debian-buster.gpg
new file mode 100644
index 00000000..9abf7837
--- /dev/null
+++ b/files/common/keyrings/debian-buster.gpg
Binary files differ
diff --git a/files/common/keyrings/debian-stretch.gpg b/files/common/keyrings/debian-stretch.gpg
new file mode 100644
index 00000000..77016799
--- /dev/null
+++ b/files/common/keyrings/debian-stretch.gpg
Binary files differ
diff --git a/files/common/keyrings/ubuntu-archive.gpg b/files/common/keyrings/ubuntu-archive.gpg
new file mode 100644
index 00000000..9ad1e96e
--- /dev/null
+++ b/files/common/keyrings/ubuntu-archive.gpg
Binary files differ
diff --git a/roles/installer/debian/base/tasks/main.yml b/roles/installer/debian/base/tasks/main.yml
index 1984df2c..65110c91 100644
--- a/roles/installer/debian/base/tasks/main.yml
+++ b/roles/installer/debian/base/tasks/main.yml
@@ -4,20 +4,32 @@
name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
state: directory
-- name: download installer kernel image
- get_url:
- url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}"
- dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}"
- mode: 0644
- force: "{{ debian_installer_force_download }}"
+- name: download and verify installer files
+ block:
+ - name: fetch and verify installer checksums
+ include_tasks: "verify-{{ install_distro }}.yml"
-- name: download installer initrd.gz
- get_url:
- url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz"
- dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz"
- mode: 0644
- force: "{{ debian_installer_force_download }}"
+ - name: download installer kernel image
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}"
+ dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}"
+ checksum: "{{ debian_installer_kernel_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
-## TODO verfiy downloaded files using:
-## "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/InRelease
-## "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS
+ - name: download installer initrd.gz
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz"
+ dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz"
+ checksum: "{{ debian_installer_initrd_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
+
+ rescue:
+ - name: remove all downloaded files
+ file:
+ name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
+ state: absent
+
+ - fail:
+ msg: "download/verification of installer files failed"
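Review bot: The rescue's `fail` at the end of the hunk replaces the real failure reason with a generic message, so in the play output a BAD signature from the gpg step is indistinguishable from a plain download timeout, which is exactly the case an operator needs to notice. Ansible exposes the failing task in the rescue section, so the message can carry it along: `msg: "download/verification of installer files failed in '{{ ansible_failed_task.name }}': {{ ansible_failed_result.msg | default('no details') }}"`. Separately, the include at the top of the block selects the verify file by `install_distro` while every path in the same block is built from `debian_installer_distro`; if those two variables can ever differ (the role seems to keep an `install_*`/`debian_installer_*` split), the wrong distribution's keyring and signature scheme would be applied, so either derive one from the other or add a comment stating they are intentionally the same value.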
diff --git a/roles/installer/debian/base/tasks/verify-debian.yml b/roles/installer/debian/base/tasks/verify-debian.yml
new file mode 100644
index 00000000..5a890b1d
--- /dev/null
+++ b/roles/installer/debian/base/tasks/verify-debian.yml
@@ -0,0 +1,46 @@
+---
+- name: download Release and Signature file
+ loop:
+ - Release
+ - Release.gpg
+ get_url:
+ url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}"
+ dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of Release file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ global_files_dir }}/common/keyrings/debian-{{ install_codename }}.gpg"
+ --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg"
+ "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract checksum file hash from Release file
+ command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: false
+ register: debian_installer_inrelease_sha256
+
+- name: download SHA256SUMS
+ get_url:
+ url: "{{ debian_installer_base_url }}/SHA256SUMS"
+ dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}"
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+ set_fact:
+ debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}"
+ debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}"
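Review bot: The first task downloads `Release` and `Release.gpg` without `force`, and `get_url` only fetches when the destination is missing, so on a rerun a previously downloaded (and previously valid) pair is re-verified instead of the current archive metadata; the signature check then proves nothing about freshness and a stale-but-signed Release keeps the kernel/initrd pinned to whatever SHA256SUMS it referenced. Both files are tiny, so adding `force: true` to that `get_url` (the images below stay cached because they carry a `checksum`) keeps the check meaningful on every run. The gpg invocation is otherwise sound — a bad or missing signature makes the `command` task fail and lands in the rescue — but `--secret-keyring /dev/null` is ignored by modern gpg and the classic tool for this job is `gpgv --keyring … Release.gpg Release`, which has no trust model to disable; worth a comment either way, e.g. `# the keyring in files/common/keyrings is the sole trust root; gpg exit status != 0 fails the play`.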
diff --git a/roles/installer/debian/base/tasks/verify-ubuntu.yml b/roles/installer/debian/base/tasks/verify-ubuntu.yml
new file mode 100644
index 00000000..f2b75492
--- /dev/null
+++ b/roles/installer/debian/base/tasks/verify-ubuntu.yml
@@ -0,0 +1,35 @@
+---
+- name: download SHA256SUMS and signature file
+ loop:
+ - SHA256SUMS
+ - SHA256SUMS.gpg
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ item }}"
+ dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of SHA256SUMS.gpg file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg"
+ --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg"
+ "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+ set_fact:
+ debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}"
+ debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}"
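Review bot: The two `grep -E` patterns interpolate `debian_installer_variant_path` straight into a regex, so any `.` in the path matches an arbitrary character and a `+`, `(` or `[` would break the expression or silently widen the match; the hash class `[0-9a-z]{64}` also admits non-hex letters. Use `{{ debian_installer_variant_path | regex_escape }}` and `[0-9a-f]{64}` in both patterns (the same lines appear in verify-debian.yml). Note that `grep` returns more than one line if the path is a prefix of another entry, and `stdout.split(' ') | first` then silently picks the first one; anchoring the path with `regex_escape` plus the existing `$` closes that gap. As in the Debian variant, the `SHA256SUMS`/`SHA256SUMS.gpg` download has no `force`, so an existing pair from an earlier run is re-used rather than refreshed.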
diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml
index 79251fdf..4ff03611 100644
--- a/roles/installer/debian/usb/tasks/main.yml
+++ b/roles/installer/debian/usb/tasks/main.yml
@@ -37,6 +37,7 @@
always:
- name: Cleanup temporary workdir
+ when: tmpdir.path is defined
file:
path: "{{ tmpdir.path }}"
state: absent