From 8bfbc9b54f28cb5e25714e40e96f752f98f40568 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 11 Jul 2020 01:37:51 +0200
Subject: openbsd installer: improve image verification

---
 roles/installer/openbsd/fetch/tasks/main.yml | 55 +++++++++++++++-------------
 1 file changed, 29 insertions(+), 26 deletions(-)
 (limited to 'roles/installer/openbsd/fetch/tasks')

diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
index d8f37018..97e8fb57 100644
--- a/roles/installer/openbsd/fetch/tasks/main.yml
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
@@ -4,31 +4,13 @@
     name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
     state: directory
 
-- name: download signed sha256 files
+- name: download signed sha256 and buildinfo files
+  loop:
+    - SHA256.sig
+    - BUILDINFO
   get_url:
-    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
-    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
-    mode: 0644
-    force: "{{ openbsd_installer_force_download }}"
-
-## Unfortunately signify can't be used to verify just the sha256 file. This means that the checksum we extract here
-## might be wrong. Using this an attacker could trick us into deleting a valid ISO file and downloading a harmful
-## image instead. Since the signature of the sha256 file will be checked eventually the attacker however cannot trick
-## us into booting the image.
-## Despite this flaw it is imho still better to extract the hash so that get_url below can check a potentially
-## existing file without the need to query the server. This should speed up the installation process quite a bit
-## and take care of spurious re-downloads.
-
-- name: extract sha256 hash for iso file
-  command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
-  changed_when: false
-  register: openbsd_installer_sha256sum
-
-- name: download installer iso files
-  get_url:
-    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
-    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
-    checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
+    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
     force: "{{ openbsd_installer_force_download }}"
     mode: 0644
 
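Review bot: The new `loop:` sits above the module keyword on the download task, while every other task in this file puts the module call first and task-level keywords (`args`, `changed_when`, `register`) after it; moving `loop:` and its two items below the `get_url:` mapping keeps the reading order consistent. With `force` off, get_url only fetches SHA256.sig and BUILDINFO when the destination does not yet exist, so a pair left over from an earlier run is picked up without re-download and is only trusted because the signify task in the next hunk checks it. That dependency is worth stating on the task itself, e.g. `# previously fetched files are re-used here; they are only trusted after the signify check below`.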
@@ -37,8 +19,16 @@
     content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
     dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"
 
-- name: verfiy downloaded iso files
-  command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso"
+## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without
+## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead.
+## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding
+## hundreds of megabytes is not fun.
+## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO)
+## to verfiy the signature.
+## This process should speed up the installation quite a bit and make the overall image download process more solid.
+
+- name: verify downloaded files
+  command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO"
   args:
     chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
   changed_when: false
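Review bot: The new comment block explains why BUILDINFO is the file handed to signify but not that this task is the gate for everything after it: the ISO hash is read from SHA256.sig only once this `command` has succeeded, so the whole scheme relies on signify's non-zero exit failing the task, and no `failed_when`/`ignore_errors` may soften that. The task body continues past the hunk, so that is worth confirming there. I would append to the comment `## Any signify failure must abort the play: the SHA256.sig hashes used below are only trusted because this check passed.` Two typos in the added lines: `re-downlaoding` → `re-downloading`, and `to verfiy the signature` → `to verify the signature`.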
@@ -46,3 +36,16 @@
 
 - debug:
     var: openbsd_installer_signify_result.stdout_lines
+
+- name: extract sha256 hash for iso file
+  command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+  changed_when: false
+  register: openbsd_installer_sha256sum
+
+- name: download installer iso file
+  get_url:
+    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+    checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
+    force: "{{ openbsd_installer_force_download }}"
+    mode: 0644
-- 
cgit v1.2.3
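Review bot: The re-added `mode: 0644` on the iso download is an unquoted octal literal, which a YAML 1.1 parser reads as the integer 420; Ansible accepts that for `mode` today, but its own guidance is to write it as a string, `mode: "0644"`, which also avoids the trap the moment the value is copied to a key that is not mode-aware. In the grep task above it, the `.` before `iso` is unescaped inside an extended regex, so `\(install{{ openbsd_installer_version_short }}\.iso\)` pins the match to the literal filename rather than any character. The ordering the hunk establishes — hash extraction and ISO download only after the signify task — is the part that matters and is right.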