V9.14.022.2026.06.10: Harden checksum verification fail-closed

2026-06-10 23:13:08 +02:00
parent 9ef535554a
commit b78779e790
2 changed files with 102 additions and 0 deletions
@@ -89,9 +89,20 @@ Verify_checksums() {
_KEYFILE="" _KEYFILE=""
_MANIFEST_FOUND="false"
_MP="" _MP=""
_RETURN_PGP=""
_RETURN_SHA=""
_VERIFICATION_EXECUTED="false"
_VERIFICATION_SUCCEEDED="false"
### Parse commandline arguments ---------------------------------------------------------------------------------------------- ### Parse commandline arguments ----------------------------------------------------------------------------------------------
# shellcheck disable=SC2154
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in case "${_PARAMETER}" in
@@ -244,10 +255,12 @@ Verify_checksums() {
if [ -e "${_CHECKSUM}" ]; then if [ -e "${_CHECKSUM}" ]; then
_MANIFEST_FOUND="true"
log_in "Found: [${_CHECKSUM}] ..." log_in "Found: [${_CHECKSUM}] ..."
if [ -e "/usr/bin/${_DIGEST}sum" ]; then if [ -e "/usr/bin/${_DIGEST}sum" ]; then
_VERIFICATION_EXECUTED="true"
log_in "Found: [/usr/bin/${_DIGEST}sum] ..." log_in "Found: [/usr/bin/${_DIGEST}sum] ..."
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
@@ -279,6 +292,7 @@ Verify_checksums() {
if grep -v '^#' "${_CHECKSUM}" | LC_ALL=C /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then if grep -v '^#' "${_CHECKSUM}" | LC_ALL=C /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
_VERIFICATION_SUCCEEDED="true"
cat "${_CHECKSUM_LOG}" > "${_TTY}" cat "${_CHECKSUM_LOG}" > "${_TTY}"
log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]" log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]"
@@ -313,6 +327,33 @@ Verify_checksums() {
log_end_msg log_end_msg
printf "\n" printf "\n"
if [ "${_MANIFEST_FOUND}" != "true" ]; then
log_er "No supported checksum manifest found."
sleep 8
panic "No supported checksum manifest found."
return 1
fi
if [ "${_VERIFICATION_EXECUTED}" != "true" ]; then
log_er "No supported checksum verification tool was available."
sleep 8
panic "No supported checksum verification tool was available."
return 1
fi
if [ "${_VERIFICATION_SUCCEEDED}" != "true" ]; then
log_er "No supported checksum manifest was verified successfully."
sleep 8
panic "No supported checksum manifest was verified successfully."
return 1
fi
case "${_RETURN_PGP},${_RETURN_SHA}" in case "${_RETURN_PGP},${_RETURN_SHA}" in
"0,0") "0,0")
@@ -331,18 +372,28 @@ Verify_checksums() {
log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed." log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
sleep 8 sleep 8
panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed." panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
return 1
;; ;;
*",0") *",0")
log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful." log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
sleep 8 sleep 8
panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful." panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
return 1
;; ;;
"na,"*) "na,"*)
log_er "Verification of [sha checksum] file failed." log_er "Verification of [sha checksum] file failed."
sleep 8 sleep 8
panic "Verification of [sha checksum] file failed." panic "Verification of [sha checksum] file failed."
return 1
;;
*)
log_er "Checksum verification ended in an unsupported state."
sleep 8
panic "Checksum verification ended in an unsupported state."
return 1
;; ;;
esac esac
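Review bot: `_VERIFICATION_SUCCEEDED` is only ever set to "true" (in the success branch of the `sum -c` test) and never cleared, so the guard `if [ "${_VERIFICATION_SUCCEEDED}" != "true" ]` passes once any single manifest has verified. The loop over `_DIGEST`/`_CHECKSUM` and the `else` branch are outside the hunks, so this may be unreachable if the loop stops after the first manifest. If it can continue, a mismatch on one manifest followed by a success on another would leave the flag "true" and, presumably, `_RETURN_SHA` at 0. A failure latch closes that gap: set `_VERIFICATION_FAILED="true"` in the `else` branch and test `if [ "${_VERIFICATION_FAILED}" = "true" ]` before the final `case`. The same applies to the second file's hunk at `@@ -237,6 +250,7`.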
@@ -48,9 +48,20 @@ Verify_checksums() {
_KEYFILE="" _KEYFILE=""
_MANIFEST_FOUND="false"
_MP="" _MP=""
_RETURN_PGP=""
_RETURN_SHA=""
_VERIFICATION_EXECUTED="false"
_VERIFICATION_SUCCEEDED="false"
### Parse commandline arguments ---------------------------------------------------------------------------------------------- ### Parse commandline arguments ----------------------------------------------------------------------------------------------
# shellcheck disable=SC2154
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in case "${_PARAMETER}" in
@@ -203,10 +214,12 @@ Verify_checksums() {
if [ -e "${_CHECKSUM}" ]; then if [ -e "${_CHECKSUM}" ]; then
_MANIFEST_FOUND="true"
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}" printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"
if [ -e "/usr/bin/${_DIGEST}sum" ]; then if [ -e "/usr/bin/${_DIGEST}sum" ]; then
_VERIFICATION_EXECUTED="true"
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum" printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
@@ -237,6 +250,7 @@ Verify_checksums() {
if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
_VERIFICATION_SUCCEEDED="true"
printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
else else
@@ -265,6 +279,33 @@ Verify_checksums() {
log_end_msg log_end_msg
printf "\n" printf "\n"
if [ "${_MANIFEST_FOUND}" != "true" ]; then
printf "\e[91m[FATAL] No supported checksum manifest found. \n\e[0m"
sleep 8
panic "No supported checksum manifest found."
return 1
fi
if [ "${_VERIFICATION_EXECUTED}" != "true" ]; then
printf "\e[91m[FATAL] No supported checksum verification tool was available. \n\e[0m"
sleep 8
panic "No supported checksum verification tool was available."
return 1
fi
if [ "${_VERIFICATION_SUCCEEDED}" != "true" ]; then
printf "\e[91m[FATAL] No supported checksum manifest was verified successfully. \n\e[0m"
sleep 8
panic "No supported checksum manifest was verified successfully."
return 1
fi
case "${_RETURN_PGP},${_RETURN_SHA}" in case "${_RETURN_PGP},${_RETURN_SHA}" in
"0,0") "0,0")
@@ -288,6 +329,7 @@ Verify_checksums() {
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8 sleep 8
panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed." panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
return 1
;; ;;
*",0") *",0")
@@ -295,6 +337,7 @@ Verify_checksums() {
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8 sleep 8
panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful." panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
return 1
;; ;;
"na,"*) "na,"*)
@@ -302,6 +345,14 @@ Verify_checksums() {
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8 sleep 8
panic "Verification of checksum file failed." panic "Verification of checksum file failed."
return 1
;;
*)
printf "\e[91m[FATAL] Checksum verification ended in an unsupported state. \n\e[0m"
sleep 8
panic "Checksum verification ended in an unsupported state."
return 1
;; ;;
esac esac
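Review bot: The `return 1` added after each `panic` in the three guards and the case arms makes `Verify_checksums` fail closed only if its caller checks the exit status, and the call site is not part of this diff. If `panic` can return in this environment (for example once a rescue shell is left), a caller that ignores the status would let the boot continue past a failed verification. It is worth confirming the call site and documenting the contract above the guards, e.g. `# panic may return; callers MUST stop the boot on a non-zero status.` The same holds for the identical guards and case arms in the first file.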