[lxc-devel] [distrobuilder/master] sources: Require GPG keys for HTTP downloads

monstermunchkin on Github lxc-bot at linuxcontainers.org
Thu Mar 8 08:28:30 UTC 2018


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 379 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180308/73e06212/attachment.bin>
-------------- next part --------------
From c42f1e7e1b160c31707ded42d965a593c6aa14c9 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Thu, 8 Mar 2018 09:27:23 +0100
Subject: [PATCH] sources: Require GPG keys for HTTP downloads

Resolves #43

Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
 sources/alpine-http.go    | 31 ++++++++++++++++++++++---------
 sources/archlinux-http.go | 31 ++++++++++++++++++++++---------
 sources/centos-http.go    | 27 +++++++++++++++++++++------
 sources/ubuntu-http.go    | 40 +++++++++++++++++++++++++++-------------
 4 files changed, 92 insertions(+), 37 deletions(-)

diff --git a/sources/alpine-http.go b/sources/alpine-http.go
index c5bf779..ab2d515 100644
--- a/sources/alpine-http.go
+++ b/sources/alpine-http.go
@@ -3,6 +3,7 @@ package sources
 import (
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -26,22 +27,34 @@ func (s *AlpineLinuxHTTP) Run(source shared.DefinitionSource, release, arch, roo
 	tarball := fmt.Sprintf("%s/v%s/releases/%s/%s", source.URL,
 		strings.Join(strings.Split(release, ".")[0:2], "."), arch, fname)
 
-	err := shared.Download(tarball, tarball+".sha256")
+	url, err := url.Parse(tarball)
 	if err != nil {
 		return err
 	}
 
-	shared.Download(tarball+".asc", "")
-	valid, err := shared.VerifyFile(
-		filepath.Join(os.TempDir(), fname),
-		filepath.Join(os.TempDir(), fname+".asc"),
-		source.Keys,
-		source.Keyserver)
+	if url.Scheme != "https" && len(source.Keys) == 0 {
+		return errors.New("GPG keys are required if downloading from HTTP")
+	}
+
+	err = shared.Download(tarball, tarball+".sha256")
 	if err != nil {
 		return err
 	}
-	if !valid {
-		return errors.New("Failed to verify tarball")
+
+	// Force gpg checks when using http
+	if url.Scheme != "https" {
+		shared.Download(tarball+".asc", "")
+		valid, err := shared.VerifyFile(
+			filepath.Join(os.TempDir(), fname),
+			filepath.Join(os.TempDir(), fname+".asc"),
+			source.Keys,
+			source.Keyserver)
+		if err != nil {
+			return err
+		}
+		if !valid {
+			return errors.New("Failed to verify tarball")
+		}
 	}
 
 	// Unpack
diff --git a/sources/archlinux-http.go b/sources/archlinux-http.go
index efa22b5..df86218 100644
--- a/sources/archlinux-http.go
+++ b/sources/archlinux-http.go
@@ -3,6 +3,7 @@ package sources
 import (
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
 	"path"
 	"path/filepath"
@@ -25,23 +26,35 @@ func (s *ArchLinuxHTTP) Run(source shared.DefinitionSource, release, arch, rootf
 	fname := fmt.Sprintf("archlinux-bootstrap-%s-x86_64.tar.gz", release)
 	tarball := fmt.Sprintf("%s/%s/%s", source.URL, release, fname)
 
-	err := shared.Download(tarball, "")
+	url, err := url.Parse(tarball)
 	if err != nil {
 		return err
 	}
 
-	shared.Download(tarball+".sig", "")
+	if url.Scheme != "https" && len(source.Keys) == 0 {
+		return errors.New("GPG keys are required if downloading from HTTP")
+	}
 
-	valid, err := shared.VerifyFile(
-		filepath.Join(os.TempDir(), fname),
-		filepath.Join(os.TempDir(), fname+".sig"),
-		source.Keys,
-		source.Keyserver)
+	err = shared.Download(tarball, "")
 	if err != nil {
 		return err
 	}
-	if !valid {
-		return errors.New("Failed to verify tarball")
+
+	// Force gpg checks when using http
+	if url.Scheme != "https" {
+		shared.Download(tarball+".sig", "")
+
+		valid, err := shared.VerifyFile(
+			filepath.Join(os.TempDir(), fname),
+			filepath.Join(os.TempDir(), fname+".sig"),
+			source.Keys,
+			source.Keyserver)
+		if err != nil {
+			return err
+		}
+		if !valid {
+			return errors.New("Failed to verify tarball")
+		}
 	}
 
 	// Unpack
diff --git a/sources/centos-http.go b/sources/centos-http.go
index 244e56d..c0c855a 100644
--- a/sources/centos-http.go
+++ b/sources/centos-http.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"os"
 	"path"
 	"path/filepath"
@@ -34,17 +35,31 @@ func (s *CentOSHTTP) Run(source shared.DefinitionSource, release, arch, rootfsDi
 		return fmt.Errorf("Couldn't get name of iso")
 	}
 
-	shared.Download(baseURL+"sha256sum.txt.asc", "")
-	valid, err := shared.VerifyFile(filepath.Join(os.TempDir(), "sha256sum.txt.asc"), "",
-		source.Keys, source.Keyserver)
+	url, err := url.Parse(baseURL)
 	if err != nil {
 		return err
 	}
-	if !valid {
-		return errors.New("Failed to verify tarball")
+
+	checksumFile := ""
+	// Force gpg checks when using http
+	if url.Scheme != "https" {
+		if len(source.Keys) == 0 {
+			return errors.New("GPG keys are required if downloading from HTTP")
+		}
+
+		checksumFile = "sha256sum.txt.asc"
+		shared.Download(baseURL+checksumFile, "")
+		valid, err := shared.VerifyFile(filepath.Join(os.TempDir(), checksumFile), "",
+			source.Keys, source.Keyserver)
+		if err != nil {
+			return err
+		}
+		if !valid {
+			return errors.New("Failed to verify tarball")
+		}
 	}
 
-	err = shared.Download(baseURL+s.fname, "sha256sum.txt.asc")
+	err = shared.Download(baseURL+s.fname, checksumFile)
 	if err != nil {
 		return fmt.Errorf("Error downloading CentOS image: %s", err)
 	}
diff --git a/sources/ubuntu-http.go b/sources/ubuntu-http.go
index bfda436..e7f8a44 100644
--- a/sources/ubuntu-http.go
+++ b/sources/ubuntu-http.go
@@ -1,9 +1,11 @@
 package sources
 
 import (
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"os"
 	"path"
 	"path/filepath"
@@ -40,24 +42,36 @@ func (s *UbuntuHTTP) Run(source shared.DefinitionSource, release, arch, rootfsDi
 		}
 	}
 
-	shared.Download(baseURL+"SHA256SUMS.gpg", "")
-	shared.Download(baseURL+"SHA256SUMS", "")
-
-	valid, err := shared.VerifyFile(
-		filepath.Join(os.TempDir(), "SHA256SUMS"),
-		filepath.Join(os.TempDir(), "SHA256SUMS.gpg"),
-		source.Keys,
-		source.Keyserver)
+	url, err := url.Parse(baseURL)
 	if err != nil {
 		return err
 	}
-	if !valid {
-		return fmt.Errorf("Failed to validate tarball")
+
+	checksumFile := ""
+	// Force gpg checks when using http
+	if url.Scheme != "https" {
+		if len(source.Keys) == 0 {
+			return errors.New("GPG keys are required if downloading from HTTP")
+		}
+
+		checksumFile = baseURL + "SHA256SUMS"
+		shared.Download(baseURL+"SHA256SUMS.gpg", "")
+		shared.Download(checksumFile, "")
+
+		valid, err := shared.VerifyFile(
+			filepath.Join(os.TempDir(), "SHA256SUMS"),
+			filepath.Join(os.TempDir(), "SHA256SUMS.gpg"),
+			source.Keys,
+			source.Keyserver)
+		if err != nil {
+			return err
+		}
+		if !valid {
+			return fmt.Errorf("Failed to validate tarball")
+		}
 	}
 
-	err = shared.Download(
-		baseURL+s.fname,
-		baseURL+"SHA256SUMS")
+	err = shared.Download(baseURL+s.fname, checksumFile)
 	if err != nil {
 		return fmt.Errorf("Error downloading Ubuntu image: %s", err)
 	}


More information about the lxc-devel mailing list