fc21: Verify all packages downloaded for installation are signed and verify

9 years ago · 1bffbd8813
parent 96442c83cb
commit 1bffbd8813
3 changed files with 60 additions and 26 deletions
--- a/scripts_fedora/01_install_core.sh
+++ b/scripts_fedora/01_install_core.sh
@ -1,22 +1,28 @@
-#!/bin/sh
+#!/bin/bash -e
+# vim: set ts=4 sw=4 sts=4 et :
+
+source "${SCRIPTSDIR}/distribution.sh"

 if ! [ -f "${INSTALLDIR}/tmp/.prepared_base" ]; then
    echo "-> Initializing RPM database..."
-    rpm --initdb --root=$INSTALLDIR
-    rpm --import --root=$INSTALLDIR $SCRIPTSDIR/keys/*
+    rpm --initdb --root="${INSTALLDIR}"
+    rpm --import --root="${INSTALLDIR}" "${SCRIPTSDIR}/keys/"*

    if [ "$DIST" == "fc21" ]; then
        echo "-> Retreiving core RPM packages..."
        INITIAL_PACKAGES="filesystem setup fedora-release"
-        yum --disablerepo=\* --enablerepo=fedora -y --installroot="${INSTALLDIR}" --releasever=${DIST/fc/} install --downloadonly --downloaddir="$SCRIPTSDIR/base_rpms_${DIST}" ${INITIAL_PACKAGES}
+
+        yum --disablerepo=\* --enablerepo=fedora -y --installroot="${INSTALLDIR}" --releasever=${DIST/fc/} install --downloadonly --downloaddir="${SCRIPTSDIR}/base_rpms_${DIST}" ${INITIAL_PACKAGES}
+
+        verifyPackages "${SCRIPTSDIR}/base_rpms_${DIST}"/* || exit 1
    fi

    echo "-> Installing core RPM packages..."
-    rpm -i --root=$INSTALLDIR $SCRIPTSDIR/base_rpms/*.rpm || exit 1
+    rpm -i --root="${INSTALLDIR}" "${SCRIPTSDIR}/base_rpms/"*.rpm || exit 1

    touch "${INSTALLDIR}/tmp/.prepared_base"
 fi

-cp $SCRIPTSDIR/resolv.conf $INSTALLDIR/etc
-cp $SCRIPTSDIR/network $INSTALLDIR/etc/sysconfig
-cp -a /dev/null /dev/zero /dev/random /dev/urandom $INSTALLDIR/dev/
+cp "${SCRIPTSDIR}/resolv.conf" "${INSTALLDIR}/etc"
+cp "${SCRIPTSDIR}/network" "${INSTALLDIR}/etc/sysconfig"
+cp -a /dev/null /dev/zero /dev/random /dev/urandom "${INSTALLDIR}/dev/"
--- a/scripts_fedora/add_3rd_party_software.sh
+++ b/scripts_fedora/add_3rd_party_software.sh
@ -44,16 +44,29 @@ trap cleanup EXIT
 # - pub  4096R/A668B376 2013-06-28 RPM Fusion nonfree repository for Fedora (21) <rpmfusion-buildsys@lists.rpmfusion.org>
 # Key fingerprint = E160 058E F06F A4C3 C15D  0F86 0174 46D1 A668 B376

+#### "----------------------------------------------------------------------
+info " Verifing any repos before copying over to ${INSTALLDIR}"
+#### "----------------------------------------------------------------------
+if [ ${VERSION} -ge 20 ]; then
+    # Import repo keys
+    rpm --import --root="${INSTALLDIR}" "${SCRIPTSDIR}/3rd_party_software/RPM-GPG-KEY-rpmfusion-free-fedora-${VERSION}"
+    rpm --import --root="${INSTALLDIR}" "${SCRIPTSDIR}/3rd_party_software/RPM-GPG-KEY-rpmfusion-nonfree-fedora-${VERSION}"
+
+    # Verify repos
+    verifyPackages "${SCRIPTSDIR}/3rd_party_software/rpmfusion-free-release-${VERSION}.noarch.rpm" \
+                   "${SCRIPTSDIR}/3rd_party_software/rpmfusion-nonfree-release-${VERSION}.noarch.rpm" \
+                   || exit 1
+
 #### '----------------------------------------------------------------------
 info ' Copying 3rd party software to "tmp" directory to prepare for installation'
 #### '----------------------------------------------------------------------
-cp -rp ${SCRIPTSDIR}/3rd_party_software ${INSTALLDIR}/tmp
+cp -rp "${SCRIPTSDIR}/3rd_party_software" "${INSTALLDIR}/tmp"

 #### '----------------------------------------------------------------------
 info ' Installing google-chrome repos'
 #### '----------------------------------------------------------------------
-cp ${SCRIPTSDIR}/3rd_party_software/google-linux_signing_key.pub ${INSTALLDIR}/etc/pki/rpm-gpg/
-cat << EOF > ${INSTALLDIR}/etc/yum.repos.d/google-chrome.repo
+cp "${SCRIPTSDIR}/3rd_party_software/google-linux_signing_key.pub" "${INSTALLDIR}/etc/pki/rpm-gpg/"
+cat << EOF > "${INSTALLDIR}/etc/yum.repos.d/google-chrome.repo"
 [google-chrome]
 name=google-chrome - \$basearch
 baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch
@ -65,16 +78,16 @@ EOF
 #### '----------------------------------------------------------------------
 info ' Installing adobe repo'
 #### '----------------------------------------------------------------------
-rpm -i --root=${INSTALLDIR} ${SCRIPTSDIR}/3rd_party_software/adobe-release-x86_64-*.noarch.rpm || exit 1
+rpm -i --root="${INSTALLDIR}" "${SCRIPTSDIR}/3rd_party_software/adobe-release-x86_64-"*.noarch.rpm || exit 1

 if [ "$TEMPLATE_FLAVOR" == "fullyloaded" ]; then
    #### '------------------------------------------------------------------
    info ' Installing 3rd party software'
    #### '------------------------------------------------------------------
-    mount --bind /etc/resolv.conf ${INSTALLDIR}/etc/resolv.conf
+    mount --bind /etc/resolv.conf "${INSTALLDIR}/etc/resolv.conf"
    chroot yum install $YUM_OPTS -y google-chrome-stable
-    rpm --import --root=${INSTALLDIR} ${INSTALLDIR}/etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
-    yum install -c $PWD/yum.conf $YUM_OPTS -y --installroot=${INSTALLDIR} flash-plugin || exit 1
+    rpm --import --root="${INSTALLDIR}" "${INSTALLDIR}/etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux"
+    yum install -c "$PWD/yum.conf" $YUM_OPTS -y --installroot="${INSTALLDIR}" flash-plugin || exit 1
 else
    chroot yum-config-manager --disable google-chrome > /dev/null
    chroot yum-config-manager --disable adobe-linux-x86_64 > /dev/null
@ -83,18 +96,10 @@ fi
 #### '----------------------------------------------------------------------
 info ' Installing rpmfusion repos'
 #### '----------------------------------------------------------------------
-if [ ${VERSION} -ge 20 ]; then
-    # Import repo keys
-    chroot rpm --import /tmp/3rd_party_software/RPM-GPG-KEY-rpmfusion-free-fedora-21
-    chroot rpm --import /tmp/3rd_party_software/RPM-GPG-KEY-rpmfusion-nonfree-fedora-21
-
-    # Verify repos
-    chroot rpm --checksig /tmp/3rd_party_software/rpmfusion-free-release-21.noarch.rpm
-    chroot rpm --checksig /tmp/3rd_party_software/rpmfusion-nonfree-release-21.noarch.rpm

    # Install repos
-    chroot rpm -i /tmp/3rd_party_software/rpmfusion-free-release-21.noarch.rpm
-    chroot rpm -i /tmp/3rd_party_software/rpmfusion-nonfree-release-21.noarch.rpm
+    chroot rpm -i /tmp/3rd_party_software/rpmfusion-free-release-${VERSION}.noarch.rpm
+    chroot rpm -i /tmp/3rd_party_software/rpmfusion-nonfree-release-${VERSION}.noarch.rpm

    # Disable rpmfusion-free repos
    chroot yum-config-manager --disable rpmfusion-free > /dev/null
@ -128,6 +133,6 @@ fi
 #### '----------------------------------------------------------------------
 info ' Cleanup'
 #### '----------------------------------------------------------------------
-rm -rf ${INSTALLDIR}/tmp/3rd_party_software
+rm -rf "${INSTALLDIR}/tmp/3rd_party_software"
 trap - ERR EXIT
 trap
--- a/scripts_fedora/distribution.sh
+++ b/scripts_fedora/distribution.sh
@ -45,6 +45,29 @@ function yumInstall() {
    umount ${INSTALLDIR}/etc/resolv.conf
 }

+# ==============================================================================
+# Verify RPM packages
+# ==============================================================================
+function verifyPackages() {
+    for file in $@; do
+        result=$(rpm --root="${INSTALLDIR}" --checksig "${file}") || {
+            echo "Filename: ${file} failed verification.  Exiting!"
+            exit 1
+        }
+        result_status="${result##*:}"
+        echo "${result_status}" | grep -q 'PGP' && {
+            echo "Filename: ${file} contains an invalid PGP signature.  Exiting!"
+            exit 1
+        }
+        echo "${result_status}" | grep -q 'pgp' || {
+            echo "Filename: ${file} is not signed.  Exiting!"
+            exit 1
+        }
+    done
+
+    return 0
+}
+
 # ==============================================================================
 # Install extra packages in script_${DIST}/packages.list file
 # -and / or- TEMPLATE_FLAVOR directories