V8.13.400.2025.11.08

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-08 18:32:13 +01:00
parent fb0183925a
commit abf9e8662c
49 changed files with 224 additions and 136 deletions
--- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
@@ -28,14 +28,24 @@
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
+  printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
+
+  ### Declare variables --------------------------------------------------------------------------------------------------------
  _MOUNTPOINT="${1}"

+  _PARAMETER=""
+
  _TTY="/dev/tty8"

  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"

  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"

+  _KEYFILE=""
+
+  _MP=""
+
+  ### Parse commandline arguments ----------------------------------------------------------------------------------------------
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do

    case "${_PARAMETER}" in
@@ -60,6 +70,20 @@ Verify_checksums() {

  done

+  ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
+  for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
+
+    if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
+
+      _KEYFILE="${_MP}/0030-verify-checksums.gpg"
+
+      break
+
+    fi
+
+  done
+
+  ### Check if the function should be skipped ----------------------------------------------------------------------------------
  case "${LIVE_VERIFY_CHECKSUMS}" in

    true)
@@ -78,48 +102,58 @@ Verify_checksums() {
  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then

-    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
+    log_begin_msg "Verifying integrity of: [0030-verify-checksums] "
    printf "\n"
+    printf "\e[95m[INFO] Verifying integrity of: [0030-verify-checksums] ... \n\e[0m"

-    CDLB_SCRIPT="0030-verify-checksums"
+    _CAND=""
+    CDLB_SCRIPT_SELF=""  CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
+
+    for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
+
+      [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
+
+    done
+    [ -n "${CDLB_SCRIPT_SELF}" ] || { echo "cannot locate 0030-verify-checksums"; exit 1; }
+
+    CDLB_CMD="/usr/bin/sha512sum"
    CDLB_SHA="sha512"
-    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""

-    CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_SHA}"
+    CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
+    CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
+    CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
+    CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
    CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
-    CDLB_CMD="/bin/sha512sum"

-    printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
+    printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"

-    if ! /bin/gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
+    if ! /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then

-      printf "[PANIC] Signature verification failed for: [0030-verify-checksums.sha512]\n"
+      printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
      sleep 16
-      # TODO panic  "[PANIC] Signature verification failed for: [0030-verify-checksums.sha512]"
+      # TODO panic "[FATAL] Verifying signature of: [0030-verify-checksums.sha512sum.txt.sig] failed. "

    else

-      printf "Signature verification successful for: [0030-verify-checksums.sha512]\n"
+      printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}"

    fi

-    printf "Recomputing hash for: [sha512]\n"
+    printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}"

-    CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
+    CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
    IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"

    if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then

-      printf "[PANIC] Recomputing hash for: [sha512] failed.\n"
+      printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
      sleep 16
-      # TODO panic  "[PANIC] Recomputing hash for: [sha512] failed."
+      # TODO panic "[FATAL] Recomputing hash for: [sha512] failed."

    fi

-    printf "Hash verification successful for: [sha512]\n"
-
-    printf "Verification of authenticity and integrity of '0030-verify-checksums' successfully completed. Proceeding."
-
+    printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
+    printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SHA}"
    log_end_msg
    printf "\n"

@@ -128,6 +162,7 @@ Verify_checksums() {
  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
  log_begin_msg "Verifying checksums"
  printf "\n"
+  printf "\e[95m[INFO] Verifying checksums ... \n\e[0m"

  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
@@ -139,24 +174,30 @@ Verify_checksums() {

      if [ -e "${_CHECKSUM}" ]; then

-        printf "Found [%s] ...\n" "${_CHECKSUM}"
+        printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "${_CHECKSUM}"

-        if [ -e "/bin/${_DIGEST}sum" ]; then
+        if [ -e "/usr/bin/${_DIGEST}sum" ]; then
+
+          printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"

          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then

-            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
+            printf "\e[95m[INFO] Checking signature of [%s] ... \n\e[0m" "${_CHECKSUM}"
+
            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
-            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
+
+            /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
            _RETURN_PGP="${?}"

+            printf "\e[92m[INFO] Checking signature of [%s] successful. \n\e[0m" "${_CHECKSUM}"
+
          else

            _RETURN_PGP="na"

          fi

-          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
+          printf "\e[92m[INFO] Found [%s] done. \n\e[0m" "/usr/bin/${_DIGEST}sum"

          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
@@ -167,7 +208,7 @@ Verify_checksums() {

        else

-          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
+          printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"

        fi

@@ -178,26 +219,44 @@ Verify_checksums() {
  done

  log_end_msg
+  printf "\n"

  case "${_RETURN_PGP},${_RETURN_SHA}" in

    "0,0")
-      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
+      printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
+      printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
      sleep 8
+      log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
      return 0
      ;;

    "na,0")
-      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
+      printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
+      printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
      sleep 8
+      log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
      return 0
      ;;

+    "0,"*)
+      printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m"
+      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      sleep 8
+      panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
+      ;;
+
    *",0")
-      panic "Verification of signature file failed while verification of checksum file successful."
+      printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m"
+      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      sleep 8
+      panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
      ;;

    "na,"*)
+      printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m"
+      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
+      sleep 8
      panic "Verification of checksum file failed."
      ;;