From c9df5dcce462af13685236bf7a1d4dd896b1406b Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Fri, 10 Jul 2020 23:42:23 +0200
Subject: major refactoring of installer roles

---
 .../installer/debian/fetch/tasks/verify-ubuntu.yml | 35 ++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 roles/installer/debian/fetch/tasks/verify-ubuntu.yml

(limited to 'roles/installer/debian/fetch/tasks/verify-ubuntu.yml')

diff --git a/roles/installer/debian/fetch/tasks/verify-ubuntu.yml b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml
new file mode 100644
index 00000000..e7cff3ae
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml
@@ -0,0 +1,35 @@
+---
+- name: download SHA256SUMS and signature file
+  loop:
+    - SHA256SUMS
+    - SHA256SUMS.gpg
+  get_url:
+    url: "{{ debian_installer_base_url }}/{{ item }}"
+    dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of SHA256SUMS.gpg file
+  command: >-
+    gpg --no-options --trust-model always --no-default-keyring  --secret-keyring /dev/null
+        --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/ubuntu-archive.gpg"
+        --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg"
+        "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+  changed_when: False
+  register: debian_installer_gpg_result
+
+- debug:
+    var: debian_installer_gpg_result.stderr_lines
+
+- name: extract kernel image hash from SHA256SUMS
+  command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+  changed_when: false
+  register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+  command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+  changed_when: false
+  register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+  set_fact:
+    debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}"
+    debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}"
-- 
cgit v1.2.3