From 4eec4384e5408a87b6ad2b77b4819b65c500a3bc Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 11 Jul 2020 01:18:15 +0200
Subject: openbsd installer: extract sha256 checksum from iso before downloading it
---
 roles/installer/openbsd/fetch/tasks/main.yml | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)
(limited to 'roles/installer/openbsd/fetch/tasks/main.yml')
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
index 0ab9070c..d8f37018 100644
--- a/roles/installer/openbsd/fetch/tasks/main.yml
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
@@ -4,13 +4,6 @@
 name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
 state: directory

-- name: download installer iso files
- get_url:
- url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
- dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
- mode: 0644
- force: "{{ openbsd_installer_force_download }}"
-
 - name: download signed sha256 files
 get_url:
 url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
@@ -18,6 +11,27 @@
 mode: 0644
 force: "{{ openbsd_installer_force_download }}"

+## Unfortunately signify can't be used to verify just the sha256 file. This means that the checksum we extract here
+## might be wrong. Using this an attacker could trick us into deleting a valid ISO file and downloading a harmful
+## image instead. Since the signature of the sha256 file will be checked eventually the attacker however cannot trick
+## us into booting the image.
+## Despite this flaw it is imho still better to extract the hash so that get_url below can check a potentially
+## existing file without the need to query the server. This should speed up the installation process quite a bit
+## and take care of spurious re-downloads.
+
+- name: extract sha256 hash for iso file
+ command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ changed_when: false
+ register: openbsd_installer_sha256sum
+
+- name: download installer iso files
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+ force: "{{ openbsd_installer_force_download }}"
+ mode: 0644
+
 - name: create signing key files
 copy:
 content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
--
cgit v1.2.3
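Review bot: The `checksum:` value given to `get_url` in "download installer iso files" is parsed out of SHA256.sig before that file's signature has been checked, and the comment's premise that signify cannot verify the list on its own looks incorrect. SHA256.sig is an embedded-signature file, so `signify -V -e -p <pubkey-file> -x SHA256.sig -m <verified-list>` should verify it and write out the signed list without the ISO being present. Running that step first and grepping the verified output would close the window the comment describes, where a tampered list makes `get_url` discard a good ISO and fetch a substitute. It would need the "create signing key files" task to move up; this hunk shows that task after the download, and its body continues outside the hunk. Separately, the grep pattern is looser than it needs to be: the `.` in `.iso` is unescaped and `[0-9a-z]{64}` accepts non-hex letters, so `\.iso` and `[0-9a-f]{64}` would be tighter.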