---
- name: prepare directories for installer iso files
  # Layout used by the rest of this file:
  #   <installer_base_path>/openbsd-<version>/<arch>/  -> SHA256.sig, BUILDINFO, install*.iso
  #   <installer_base_path>/openbsd-<version>/         -> the signify public key
  file:
    state: directory
    path: '{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}'
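- name: download signed sha256 and buildinfo files
  # SHA256.sig is deliberately fetched without a checksum: its signify
  # signature is checked by the "verify downloaded files" task before any
  # value from it is used. BUILDINFO is only needed as a small signed file
  # that lets signify -C run at all.
  get_url:
    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}"
    # force re-downloads even if the file exists; controlled by the role variable
    force: "{{ openbsd_installer_force_download }}"
    # quoted so the YAML loader keeps the octal string instead of turning it into an int
    mode: "0644"
  loop:
    - SHA256.sig
    - BUILDINFO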
- name: create signing key files
  # The release signing key comes from the openbsd_installer_signing_keys
  # mapping, keyed by release; it is written one level above the per-arch
  # directory so the verify task can reference it as ../openbsd-<short>-base.pub.
  copy:
    dest: '{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub'
    content: '{{ openbsd_installer_signing_keys[openbsd_installer_version] }}'
# Unfortunately signify can't be used to verify just the SHA256 file. If we used the SHA256 hashes without
# verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead.
# Since the signature would be checked eventually the attacker cannot trick us into booting it, but re-downloading
# hundreds of megabytes is not fun.
# As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO)
# to verify the signature.
# This process should speed up the installation quite a bit and make the overall image download process more solid.
- name: verify downloaded files
  # signify -C verifies the signature over SHA256.sig with the release public
  # key and then checks the listed checksum of BUILDINFO. A non-zero exit
  # fails this task, so nothing below runs on an unverified SHA256.sig.
  command: 'signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO'
  args:
    chdir: '{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}'
  register: openbsd_installer_signify_result
  # a pure check; never report it as a change
  changed_when: false
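# Surface signify's own output so a verification failure is diagnosable from the play log.
- name: show signify verification output
  debug:
    var: openbsd_installer_signify_result.stdout_lines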
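- name: extract sha256 hash for iso file
  # Pull the ISO's line out of the signify-verified SHA256.sig. The pattern is
  # restricted to 64 lowercase hex digits so anything that is not a SHA-256
  # hash cannot reach the checksum parameter below; if no line matches, grep
  # exits non-zero and the task fails instead of continuing without a hash.
  command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-f]{64}$" SHA256.sig
  args:
    # same directory the verify task ran in, so the file checked there is the one read here
    chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
  changed_when: false
  register: openbsd_installer_sha256sum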
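- name: download installer iso file
  # The expected hash is taken from the grep result above, i.e. from the
  # signature-verified SHA256.sig, so get_url refuses a tampered or corrupt
  # image without a signify run over the whole ISO.
  get_url:
    url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
    dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
    # stdout is "SHA256 (installNN.iso) = <hash>"; keep only the part after '='
    checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}"
    force: "{{ openbsd_installer_force_download }}"
    # quoted so the YAML loader keeps the octal string instead of turning it into an int
    mode: "0644"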