3 files changed, 64 insertions, 0 deletions

diff --git a/roles/installer/openbsd/fetch/defaults/main.yml b/roles/installer/openbsd/fetch/defaults/main.yml
new file mode 100644
index 00000000..eeeaf2d0
--- /dev/null
+++ b/roles/installer/openbsd/fetch/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# openbsd_installer_version: 6.7
+openbsd_installer_arch: amd64
+
+openbsd_installer_force_download: no
+openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD"
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
new file mode 100644
index 00000000..97e8fb57
--- /dev/null
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+- name: prepare directories for installer iso files
+  file:
+    name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+    state: directory
+
+- name: download signed sha256 and buildinfo files
+  loop:
+    - SHA256.sig
+    - BUILDINFO
+  get_url:
+    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+    force: "{{ openbsd_installer_force_download }}"
+    mode: 0644
+
+- name: create signing key files
+  copy:
+    content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
+    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"
+
+## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without
+## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead.
+## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding
+## hundreds of megabytes is not fun.
+## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO)
+## to verfiy the signature.
+## This process should speed up the installation quite a bit and make the overall image download process more solid.
+
+- name: verify downloaded files
+  command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO"
+  args:
+    chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+  changed_when: false
+  register: openbsd_installer_signify_result
+
+- debug:
+    var: openbsd_installer_signify_result.stdout_lines
+
+- name: extract sha256 hash for iso file
+  command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+  changed_when: false
+  register: openbsd_installer_sha256sum
+
+- name: download installer iso file
+  get_url:
+    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+    checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+    force: "{{ openbsd_installer_force_download }}"
+    mode: 0644
diff --git a/roles/installer/openbsd/fetch/vars/main.yml b/roles/installer/openbsd/fetch/vars/main.yml
new file mode 100644
index 00000000..dad9f064
--- /dev/null
+++ b/roles/installer/openbsd/fetch/vars/main.yml
@@ -0,0 +1,7 @@
+---
+openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}"
+
+openbsd_installer_signing_keys:
+  "6.7": |
+    untrusted comment: openbsd 6.7 base public key
+    RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj