V9.14.022.2026.06.10: Harden checksum verification fail-closed

2026-06-10 23:13:08 +02:00
parent 9ef535554a
commit b78779e790
2 changed files with 102 additions and 0 deletions
@@ -48,9 +48,20 @@ Verify_checksums() {

  _KEYFILE=""

+  _MANIFEST_FOUND="false"
+
  _MP=""

+  _RETURN_PGP=""
+
+  _RETURN_SHA=""
+
+  _VERIFICATION_EXECUTED="false"
+
+  _VERIFICATION_SUCCEEDED="false"
+
  ### Parse commandline arguments ----------------------------------------------------------------------------------------------
+  # shellcheck disable=SC2154
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do

    case "${_PARAMETER}" in
@@ -203,10 +214,12 @@ Verify_checksums() {

      if [ -e "${_CHECKSUM}" ]; then

+        _MANIFEST_FOUND="true"
        printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"

        if [ -e "/usr/bin/${_DIGEST}sum" ]; then

+          _VERIFICATION_EXECUTED="true"
          printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"

          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
@@ -237,6 +250,7 @@ Verify_checksums() {
          if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then

            _RETURN_SHA="${?}"
+            _VERIFICATION_SUCCEEDED="true"
            printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"

          else
@@ -265,6 +279,33 @@ Verify_checksums() {
  log_end_msg
  printf "\n"

+  if [ "${_MANIFEST_FOUND}" != "true" ]; then
+
+    printf "\e[91m[FATAL] No supported checksum manifest found. \n\e[0m"
+    sleep 8
+    panic "No supported checksum manifest found."
+    return 1
+
+  fi
+
+  if [ "${_VERIFICATION_EXECUTED}" != "true" ]; then
+
+    printf "\e[91m[FATAL] No supported checksum verification tool was available. \n\e[0m"
+    sleep 8
+    panic "No supported checksum verification tool was available."
+    return 1
+
+  fi
+
+  if [ "${_VERIFICATION_SUCCEEDED}" != "true" ]; then
+
+    printf "\e[91m[FATAL] No supported checksum manifest was verified successfully. \n\e[0m"
+    sleep 8
+    panic "No supported checksum manifest was verified successfully."
+    return 1
+
+  fi
+
  case "${_RETURN_PGP},${_RETURN_SHA}" in

    "0,0")
@@ -288,6 +329,7 @@ Verify_checksums() {
      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
      sleep 8
      panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
+      return 1
      ;;

    *",0")
@@ -295,6 +337,7 @@ Verify_checksums() {
      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
      sleep 8
      panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
+      return 1
      ;;

    "na,"*)
@@ -302,6 +345,14 @@ Verify_checksums() {
      printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
      sleep 8
      panic "Verification of checksum file failed."
+      return 1
+      ;;
+
+    *)
+      printf "\e[91m[FATAL] Checksum verification ended in an unsupported state. \n\e[0m"
+      sleep 8
+      panic "Checksum verification ended in an unsupported state."
+      return 1
      ;;

  esac