From 1bffbd88133c30b7b04d2eedec313c9a654576ed Mon Sep 17 00:00:00 2001
From: Jason Mehring
Date: Mon, 16 Feb 2015 07:33:25 -0500
Subject: [PATCH] fc21: Verify all packages downloaded for installation are signed and verify
---
scripts_fedora/01_install_core.sh | 22 ++++++++-----
scripts_fedora/add_3rd_party_software.sh | 41 +++++++++++++-----------
scripts_fedora/distribution.sh | 23 +++++++++++++
3 files changed, 60 insertions(+), 26 deletions(-)
diff --git a/scripts_fedora/01_install_core.sh b/scripts_fedora/01_install_core.sh
index c246864..760d73c 100755
--- a/scripts_fedora/01_install_core.sh
+++ b/scripts_fedora/01_install_core.sh
@@ -1,22 +1,28 @@
-#!/bin/sh
+#!/bin/bash -e
+# vim: set ts=4 sw=4 sts=4 et :
+
+source "${SCRIPTSDIR}/distribution.sh"
 
 if ! [ -f "${INSTALLDIR}/tmp/.prepared_base" ]; then
 echo "-> Initializing RPM database..."
- rpm --initdb --root=$INSTALLDIR
- rpm --import --root=$INSTALLDIR $SCRIPTSDIR/keys/*
+ rpm --initdb --root="${INSTALLDIR}"
+ rpm --import --root="${INSTALLDIR}" "${SCRIPTSDIR}/keys/"*
 
 if [ "$DIST" == "fc21" ]; then
 echo "-> Retreiving core RPM packages..."
 INITIAL_PACKAGES="filesystem setup fedora-release"
- yum --disablerepo=\* --enablerepo=fedora -y --installroot="${INSTALLDIR}" --releasever=${DIST/fc/} install --downloadonly --downloaddir="$SCRIPTSDIR/base_rpms_${DIST}" ${INITIAL_PACKAGES}
+
+ yum --disablerepo=\* --enablerepo=fedora -y --installroot="${INSTALLDIR}" --releasever=${DIST/fc/} install --downloadonly --downloaddir="${SCRIPTSDIR}/base_rpms_${DIST}" ${INITIAL_PACKAGES}
+
+ verifyPackages "${SCRIPTSDIR}/base_rpms_${DIST}"/* || exit 1
 fi
 
 echo "-> Installing core RPM packages..."
- rpm -i --root=$INSTALLDIR $SCRIPTSDIR/base_rpms/*.rpm || exit 1
+ rpm -i --root="${INSTALLDIR}" "${SCRIPTSDIR}/base_rpms/"*.rpm || exit 1
 
 touch "${INSTALLDIR}/tmp/.prepared_base"
 fi
 
-cp $SCRIPTSDIR/resolv.conf $INSTALLDIR/etc
-cp $SCRIPTSDIR/network $INSTALLDIR/etc/sysconfig
-cp -a /dev/null /dev/zero /dev/random /dev/urandom $INSTALLDIR/dev/
+cp "${SCRIPTSDIR}/resolv.conf" "${INSTALLDIR}/etc"
+cp "${SCRIPTSDIR}/network" "${INSTALLDIR}/etc/sysconfig"
+cp -a /dev/null /dev/zero /dev/random /dev/urandom "${INSTALLDIR}/dev/"
diff --git a/scripts_fedora/add_3rd_party_software.sh b/scripts_fedora/add_3rd_party_software.sh
index 49016a7..4180c60 100755
--- a/scripts_fedora/add_3rd_party_software.sh
+++ b/scripts_fedora/add_3rd_party_software.sh
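Review bot: The fc21 branch verifies the RPMs in `base_rpms_${DIST}`, but the install on the `+ rpm -i` line still reads `${SCRIPTSDIR}/base_rpms/*.rpm`, so unless `base_rpms` is a link to or is populated from `base_rpms_${DIST}` outside this script, the files that were verified are not the files that get installed. Either install from the verified directory, `rpm -i --root="${INSTALLDIR}" "${SCRIPTSDIR}/base_rpms_${DIST}/"*.rpm || exit 1`, or place `verifyPackages "${SCRIPTSDIR}/base_rpms/"*.rpm || exit 1` directly before the install so that every DIST is covered rather than only fc21 (the keys are imported for all of them). Separately, the `-e` in `#!/bin/bash -e` is lost when the script is invoked as `bash 01_install_core.sh`; a `set -e` line after the shebang keeps the behaviour in both cases.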
@@ -44,16 +44,29 @@ trap cleanup EXIT
 # - pub 4096R/A668B376 2013-06-28 RPM Fusion nonfree repository for Fedora (21)
 # Key fingerprint = E160 058E F06F A4C3 C15D 0F86 0174 46D1 A668 B376
 
+#### "----------------------------------------------------------------------
+info " Verifing any repos before copying over to ${INSTALLDIR}"
+#### "----------------------------------------------------------------------
+if [ ${VERSION} -ge 20 ]; then
+ # Import repo keys
+ rpm --import --root="${INSTALLDIR}" "${SCRIPTSDIR}/3rd_party_software/RPM-GPG-KEY-rpmfusion-free-fedora-${VERSION}"
+ rpm --import --root="${INSTALLDIR}" "${SCRIPTSDIR}/3rd_party_software/RPM-GPG-KEY-rpmfusion-nonfree-fedora-${VERSION}"
+
+ # Verify repos
+ verifyPackages "${SCRIPTSDIR}/3rd_party_software/rpmfusion-free-release-${VERSION}.noarch.rpm" \
+ "${SCRIPTSDIR}/3rd_party_software/rpmfusion-nonfree-release-${VERSION}.noarch.rpm" \
+ || exit 1
+
 #### '----------------------------------------------------------------------
 info ' Copying 3rd party software to "tmp" directory to prepare for installation'
 #### '----------------------------------------------------------------------
-cp -rp ${SCRIPTSDIR}/3rd_party_software ${INSTALLDIR}/tmp
+cp -rp "${SCRIPTSDIR}/3rd_party_software" "${INSTALLDIR}/tmp"
 
 #### '----------------------------------------------------------------------
 info ' Installing google-chrome repos'
 #### '----------------------------------------------------------------------
-cp ${SCRIPTSDIR}/3rd_party_software/google-linux_signing_key.pub ${INSTALLDIR}/etc/pki/rpm-gpg/
-cat << EOF > ${INSTALLDIR}/etc/yum.repos.d/google-chrome.repo
+cp "${SCRIPTSDIR}/3rd_party_software/google-linux_signing_key.pub" "${INSTALLDIR}/etc/pki/rpm-gpg/"
+cat << EOF > "${INSTALLDIR}/etc/yum.repos.d/google-chrome.repo"
 [google-chrome]
 name=google-chrome - \$basearch
 baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch
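Review bot: The added `if [ ${VERSION} -ge 20 ]; then` is never closed inside this hunk; the only matching `fi` I can see is the one left behind by the -83 hunk, where the original `if` line is removed but its `fi` is not, so the `cp -rp`, the google-chrome and adobe repo setup and the fullyloaded install now run only when `VERSION` is 20 or newer. If that scope change is not intended (the context lines that follow are not re-indented, which suggests it is not), close the block right after the `verifyPackages ... || exit 1` call with `fi` and keep an `if`/`fi` around the `chroot rpm -i` rpmfusion lines in the -83 hunk. Writing the test as `[ "${VERSION}" -ge 20 ]` turns an unset `VERSION` into a clean test failure instead of a `[` syntax error, and the message string has a typo, `Verifing` for `Verifying`.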
@@ -65,16 +78,16 @@ EOF
 #### '----------------------------------------------------------------------
 info ' Installing adobe repo'
 #### '----------------------------------------------------------------------
-rpm -i --root=${INSTALLDIR} ${SCRIPTSDIR}/3rd_party_software/adobe-release-x86_64-*.noarch.rpm || exit 1
+rpm -i --root="${INSTALLDIR}" "${SCRIPTSDIR}/3rd_party_software/adobe-release-x86_64-"*.noarch.rpm || exit 1
 
 if [ "$TEMPLATE_FLAVOR" == "fullyloaded" ]; then
 #### '------------------------------------------------------------------
 info ' Installing 3rd party software'
 #### '------------------------------------------------------------------
- mount --bind /etc/resolv.conf ${INSTALLDIR}/etc/resolv.conf
+ mount --bind /etc/resolv.conf "${INSTALLDIR}/etc/resolv.conf"
 chroot yum install $YUM_OPTS -y google-chrome-stable
- rpm --import --root=${INSTALLDIR} ${INSTALLDIR}/etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
- yum install -c $PWD/yum.conf $YUM_OPTS -y --installroot=${INSTALLDIR} flash-plugin || exit 1
+ rpm --import --root="${INSTALLDIR}" "${INSTALLDIR}/etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux"
+ yum install -c "$PWD/yum.conf" $YUM_OPTS -y --installroot="${INSTALLDIR}" flash-plugin || exit 1
 else
 chroot yum-config-manager --disable google-chrome > /dev/null
 chroot yum-config-manager --disable adobe-linux-x86_64 > /dev/null
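Review bot: The adobe-release RPM on the `+rpm -i` line is installed without passing through `verifyPackages`, even though the commit's stated goal is to verify every package staged for installation; the rpmfusion release RPMs get the check, this one does not. The adobe key is only imported further down, inside the fullyloaded branch and from a path that exists because this very RPM installed it, so it cannot vouch for the package; keeping a pinned copy of `RPM-GPG-KEY-adobe-linux` under `3rd_party_software` as is done for the rpmfusion keys, importing it with `rpm --import --root="${INSTALLDIR}"` and then running `verifyPackages "${SCRIPTSDIR}/3rd_party_software/adobe-release-x86_64-"*.noarch.rpm || exit 1` before the install would close the gap. Whether the `yum install ... flash-plugin` line checks signatures depends on the gpgcheck setting in `$PWD/yum.conf`, which is not visible here; worth confirming.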
@@ -83,18 +96,10 @@ fi
 #### '----------------------------------------------------------------------
 info ' Installing rpmfusion repos'
 #### '----------------------------------------------------------------------
-if [ ${VERSION} -ge 20 ]; then
- # Import repo keys
- chroot rpm --import /tmp/3rd_party_software/RPM-GPG-KEY-rpmfusion-free-fedora-21
- chroot rpm --import /tmp/3rd_party_software/RPM-GPG-KEY-rpmfusion-nonfree-fedora-21
-
- # Verify repos
- chroot rpm --checksig /tmp/3rd_party_software/rpmfusion-free-release-21.noarch.rpm
- chroot rpm --checksig /tmp/3rd_party_software/rpmfusion-nonfree-release-21.noarch.rpm
 
 # Install repos
- chroot rpm -i /tmp/3rd_party_software/rpmfusion-free-release-21.noarch.rpm
- chroot rpm -i /tmp/3rd_party_software/rpmfusion-nonfree-release-21.noarch.rpm
+ chroot rpm -i /tmp/3rd_party_software/rpmfusion-free-release-${VERSION}.noarch.rpm
+ chroot rpm -i /tmp/3rd_party_software/rpmfusion-nonfree-release-${VERSION}.noarch.rpm
 
 # Disable rpmfusion-free repos
 chroot yum-config-manager --disable rpmfusion-free > /dev/null
@@ -128,6 +133,6 @@ fi
 #### '----------------------------------------------------------------------
 info ' Cleanup'
 #### '----------------------------------------------------------------------
-rm -rf ${INSTALLDIR}/tmp/3rd_party_software
+rm -rf "${INSTALLDIR}/tmp/3rd_party_software"
 trap - ERR EXIT
 trap
diff --git a/scripts_fedora/distribution.sh b/scripts_fedora/distribution.sh
index 67fb5d5..abc8cc2 100644
--- a/scripts_fedora/distribution.sh
+++ b/scripts_fedora/distribution.sh
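Review bot: The quoted `rm -rf "${INSTALLDIR}/tmp/3rd_party_software"` in the -128 hunk still deletes `/tmp/3rd_party_software` on the build host whenever `INSTALLDIR` is empty or unset, which `set -e` does not guard against; `rm -rf "${INSTALLDIR:?}/tmp/3rd_party_software"` makes the expansion abort instead. In the -83 hunk the signature checks are now done on the `${SCRIPTSDIR}` originals before `cp -rp`, while `chroot rpm -i` installs the copies under `${INSTALLDIR}/tmp`; the visible code writes nothing there in between, so that is acceptable, but a one-line comment above `# Install repos` saying the packages were verified earlier in the script would save the next reader from looking for a missing `--checksig`.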
@@ -45,6 +45,29 @@ function yumInstall() {
 umount ${INSTALLDIR}/etc/resolv.conf
 }
 
+# ==============================================================================
+# Verify RPM packages
+# ==============================================================================
+function verifyPackages() {
+ for file in $@; do
+ result=$(rpm --root="${INSTALLDIR}" --checksig "${file}") || {
+ echo "Filename: ${file} failed verification. Exiting!"
+ exit 1
+ }
+ result_status="${result##*:}"
+ echo "${result_status}" | grep -q 'PGP' && {
+ echo "Filename: ${file} contains an invalid PGP signature. Exiting!"
+ exit 1
+ }
+ echo "${result_status}" | grep -q 'pgp' || {
+ echo "Filename: ${file} is not signed. Exiting!"
+ exit 1
+ }
+ done
+
+ return 0
+}
+
 # ==============================================================================
 # Install extra packages in script_${DIST}/packages.list file
 # -and / or- TEMPLATE_FLAVOR directories
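Review bot: `for file in $@; do` in verifyPackages word-splits and globs its arguments, so a path containing whitespace is checked as several non-existent files and the call fails spuriously; it should be `"$@"`. The function also leaks `result` and `result_status` into the sourcing script, prints its diagnostics to stdout rather than stderr, and calls `exit 1` from a sourced library function although both callers in this commit already do `|| exit 1`, so `return 1` would keep the decision with them. The signed/unsigned distinction rests on rpm printing a lowercase `pgp` for a verified signature and an uppercase `PGP` for a bad one, which is a property of the rpm output format rather than a documented interface; it deserves a comment so a later rpm change is not mistaken for unsigned packages. The rewrite below keeps both grep checks and changes only the loop header, variable scoping, error stream and return.
```shell
function verifyPackages() {
    local file result result_status
    for file in "$@"; do
        result=$(rpm --root="${INSTALLDIR}" --checksig "${file}") || {
            echo "Filename: ${file} failed verification. Exiting!" >&2
            return 1
        }
        result_status="${result##*:}"
        # Relies on rpm's --checksig wording: a verified signature is reported
        # as lowercase 'pgp', a failed one as uppercase 'PGP', an unsigned
        # package as neither.  Re-check this if the rpm version changes.
        echo "${result_status}" | grep -q 'PGP' && {
            echo "Filename: ${file} contains an invalid PGP signature. Exiting!" >&2
            return 1
        }
        echo "${result_status}" | grep -q 'pgp' || {
            echo "Filename: ${file} is not signed. Exiting!" >&2
            return 1
        }
    done

    return 0
}
```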