msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
845a5a29c31142d9314708fa5cf5a2f75f52282d3c3e9be6a35fe28d4ff6cc3c
CISS.debian.live.builder/scripts/usr/lib/live/boot/0030-verify-checksums
Marc S. Weidner ef87becefe
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m37s
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m9s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m0s
Details
V8.13.384.2025.11.06 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-06 19:59:22 +01:00

213 lines
5.6 KiB
Bash
Raw Blame History

#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
# Globals:
# LIVE_BOOT_CMDLINE
# _TTY
# Arguments:
# 1: _MOUNTPOINT
# Returns:
# 0 : Successful verification
#######################################
Verify_checksums() {
_MOUNTPOINT="${1}"
_TTY="/dev/tty8"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
live-boot.verify-checksums-signatures | verify-checksums-signatures)
LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
;;
esac
done
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
:
;;
*)
return 0
;;
esac
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
printf "\n"
CDLB_SCRIPT="$(basename "${0}")"
CDLB_SHA="sha512"
CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
for CDLB_ITEM in ${CDLB_SHA}; do
CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
CDLB_CMD="${CDLB_ITEM}sum"
printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
sleep 8
# TODO: Remove debug mode
# return 0
else
printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
fi
printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
sleep 8
# TODO: Remove debug mode
# return 0
fi
printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
done
printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
log_end_msg
printf "\n"
fi
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
if [ -e "${_CHECKSUM}" ]; then
printf "Found [%s] ...\n" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
_RETURN_PGP="${?}"
else
_RETURN_PGP="na"
fi
printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
# shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN_SHA="${?}"
# Stop after the first verification.
break 2
else
printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
fi
fi
done
done
log_end_msg
case "${_RETURN_PGP},${_RETURN_SHA}" in
0,0)
log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
na,0)
log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
*,0)
panic "Verification of signature file failed while verification of checksum file successful."
;;
na,*)
panic "Verification of checksum file failed."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink