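---
# Fetch the OpenBSD installer ISO for one version/arch and pin every
# artifact to the signify public key taken from
# openbsd_installer_signing_keys before the ISO hash is consumed.

- name: prepare directories for installer iso files
  file:
    name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
    state: directory

- name: download signed sha256 and buildinfo files
  loop:
    - SHA256.sig
    - BUILDINFO
  get_url:
    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
    force: "{{ openbsd_installer_force_download }}"
    # Quoted on purpose: a bare 0644 is an octal literal that YAML 1.1
    # parsers turn into the integer 420, which Ansible then warns about.
    mode: "0644"

- name: create signing key files
  copy:
    # The key is selected by full version string; a version missing from
    # openbsd_installer_signing_keys fails the task here rather than
    # letting an unverified download proceed.
    content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"

## Unfortunately signify can't be used to verify just the sha256 file. If we used the sha256 hashes without
## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead.
## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downloading
## hundreds of megabytes is not fun.
## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO)
## to verify the signature.
## This process should speed up the installation quite a bit and make the overall image download process more solid.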
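# signify -C checks the signature over SHA256.sig and the hash of BUILDINFO
# listed in it. A non-zero exit fails the play here, so the grep below only
# ever reads a SHA256.sig whose signature has already been verified.
- name: verify downloaded files
  command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO"
  args:
    chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
  changed_when: false
  register: openbsd_installer_signify_result

- name: show signify verification output
  debug:
    var: openbsd_installer_signify_result.stdout_lines

# The pattern is anchored and restricted to exactly 64 lowercase hex digits,
# and the '.' in the ISO name is escaped so only the literal file name matches.
# grep exits non-zero when no line matches, which fails the task instead of
# handing an empty checksum to get_url.
- name: extract sha256 hash for iso file
  command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}\.iso\) = [0-9a-f]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
  changed_when: false
  register: openbsd_installer_sha256sum

# get_url compares the downloaded (or already present) ISO against the
# signed hash and fails on mismatch.
- name: download installer iso file
  get_url:
    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
    # Take the text after '=' from the single matched "SHA256 (file) = hash" line.
    checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
    force: "{{ openbsd_installer_force_download }}"
    # Quoted on purpose: a bare 0644 is read as the integer 420 by YAML 1.1 parsers.
    mode: "0644"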