[lxc-devel] [distrobuilder/master] sources: Require GPG keys for HTTP downloads
monstermunchkin on Github
lxc-bot at linuxcontainers.org
Thu Mar 8 08:28:30 UTC 2018
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 379 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180308/73e06212/attachment.bin>
-------------- next part --------------
From c42f1e7e1b160c31707ded42d965a593c6aa14c9 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Thu, 8 Mar 2018 09:27:23 +0100
Subject: [PATCH] sources: Require GPG keys for HTTP downloads
Resolves #43
Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
sources/alpine-http.go | 31 ++++++++++++++++++++++---------
sources/archlinux-http.go | 31 ++++++++++++++++++++++---------
sources/centos-http.go | 27 +++++++++++++++++++++------
sources/ubuntu-http.go | 40 +++++++++++++++++++++++++++-------------
4 files changed, 92 insertions(+), 37 deletions(-)
diff --git a/sources/alpine-http.go b/sources/alpine-http.go
index c5bf779..ab2d515 100644
--- a/sources/alpine-http.go
+++ b/sources/alpine-http.go
@@ -3,6 +3,7 @@ package sources
import (
"errors"
"fmt"
+ "net/url"
"os"
"path/filepath"
"strings"
@@ -26,22 +27,34 @@ func (s *AlpineLinuxHTTP) Run(source shared.DefinitionSource, release, arch, roo
tarball := fmt.Sprintf("%s/v%s/releases/%s/%s", source.URL,
strings.Join(strings.Split(release, ".")[0:2], "."), arch, fname)
- err := shared.Download(tarball, tarball+".sha256")
+ url, err := url.Parse(tarball)
if err != nil {
return err
}
- shared.Download(tarball+".asc", "")
- valid, err := shared.VerifyFile(
- filepath.Join(os.TempDir(), fname),
- filepath.Join(os.TempDir(), fname+".asc"),
- source.Keys,
- source.Keyserver)
+ if url.Scheme != "https" && len(source.Keys) == 0 {
+ return errors.New("GPG keys are required if downloading from HTTP")
+ }
+
+ err = shared.Download(tarball, tarball+".sha256")
if err != nil {
return err
}
- if !valid {
- return errors.New("Failed to verify tarball")
+
+ // Force gpg checks when using http
+ if url.Scheme != "https" {
+ shared.Download(tarball+".asc", "")
+ valid, err := shared.VerifyFile(
+ filepath.Join(os.TempDir(), fname),
+ filepath.Join(os.TempDir(), fname+".asc"),
+ source.Keys,
+ source.Keyserver)
+ if err != nil {
+ return err
+ }
+ if !valid {
+ return errors.New("Failed to verify tarball")
+ }
}
// Unpack
diff --git a/sources/archlinux-http.go b/sources/archlinux-http.go
index efa22b5..df86218 100644
--- a/sources/archlinux-http.go
+++ b/sources/archlinux-http.go
@@ -3,6 +3,7 @@ package sources
import (
"errors"
"fmt"
+ "net/url"
"os"
"path"
"path/filepath"
@@ -25,23 +26,35 @@ func (s *ArchLinuxHTTP) Run(source shared.DefinitionSource, release, arch, rootf
fname := fmt.Sprintf("archlinux-bootstrap-%s-x86_64.tar.gz", release)
tarball := fmt.Sprintf("%s/%s/%s", source.URL, release, fname)
- err := shared.Download(tarball, "")
+ url, err := url.Parse(tarball)
if err != nil {
return err
}
- shared.Download(tarball+".sig", "")
+ if url.Scheme != "https" && len(source.Keys) == 0 {
+ return errors.New("GPG keys are required if downloading from HTTP")
+ }
- valid, err := shared.VerifyFile(
- filepath.Join(os.TempDir(), fname),
- filepath.Join(os.TempDir(), fname+".sig"),
- source.Keys,
- source.Keyserver)
+ err = shared.Download(tarball, "")
if err != nil {
return err
}
- if !valid {
- return errors.New("Failed to verify tarball")
+
+ // Force gpg checks when using http
+ if url.Scheme != "https" {
+ shared.Download(tarball+".sig", "")
+
+ valid, err := shared.VerifyFile(
+ filepath.Join(os.TempDir(), fname),
+ filepath.Join(os.TempDir(), fname+".sig"),
+ source.Keys,
+ source.Keyserver)
+ if err != nil {
+ return err
+ }
+ if !valid {
+ return errors.New("Failed to verify tarball")
+ }
}
// Unpack
diff --git a/sources/centos-http.go b/sources/centos-http.go
index 244e56d..c0c855a 100644
--- a/sources/centos-http.go
+++ b/sources/centos-http.go
@@ -5,6 +5,7 @@ import (
"fmt"
"io/ioutil"
"net/http"
+ "net/url"
"os"
"path"
"path/filepath"
@@ -34,17 +35,31 @@ func (s *CentOSHTTP) Run(source shared.DefinitionSource, release, arch, rootfsDi
return fmt.Errorf("Couldn't get name of iso")
}
- shared.Download(baseURL+"sha256sum.txt.asc", "")
- valid, err := shared.VerifyFile(filepath.Join(os.TempDir(), "sha256sum.txt.asc"), "",
- source.Keys, source.Keyserver)
+ url, err := url.Parse(baseURL)
if err != nil {
return err
}
- if !valid {
- return errors.New("Failed to verify tarball")
+
+ checksumFile := ""
+ // Force gpg checks when using http
+ if url.Scheme != "https" {
+ if len(source.Keys) == 0 {
+ return errors.New("GPG keys are required if downloading from HTTP")
+ }
+
+ checksumFile = "sha256sum.txt.asc"
+ shared.Download(baseURL+checksumFile, "")
+ valid, err := shared.VerifyFile(filepath.Join(os.TempDir(), checksumFile), "",
+ source.Keys, source.Keyserver)
+ if err != nil {
+ return err
+ }
+ if !valid {
+ return errors.New("Failed to verify tarball")
+ }
}
- err = shared.Download(baseURL+s.fname, "sha256sum.txt.asc")
+ err = shared.Download(baseURL+s.fname, checksumFile)
if err != nil {
return fmt.Errorf("Error downloading CentOS image: %s", err)
}
diff --git a/sources/ubuntu-http.go b/sources/ubuntu-http.go
index bfda436..e7f8a44 100644
--- a/sources/ubuntu-http.go
+++ b/sources/ubuntu-http.go
@@ -1,9 +1,11 @@
package sources
import (
+ "errors"
"fmt"
"io/ioutil"
"net/http"
+ "net/url"
"os"
"path"
"path/filepath"
@@ -40,24 +42,36 @@ func (s *UbuntuHTTP) Run(source shared.DefinitionSource, release, arch, rootfsDi
}
}
- shared.Download(baseURL+"SHA256SUMS.gpg", "")
- shared.Download(baseURL+"SHA256SUMS", "")
-
- valid, err := shared.VerifyFile(
- filepath.Join(os.TempDir(), "SHA256SUMS"),
- filepath.Join(os.TempDir(), "SHA256SUMS.gpg"),
- source.Keys,
- source.Keyserver)
+ url, err := url.Parse(baseURL)
if err != nil {
return err
}
- if !valid {
- return fmt.Errorf("Failed to validate tarball")
+
+ checksumFile := ""
+ // Force gpg checks when using http
+ if url.Scheme != "https" {
+ if len(source.Keys) == 0 {
+ return errors.New("GPG keys are required if downloading from HTTP")
+ }
+
+ checksumFile = baseURL + "SHA256SUMS"
+ shared.Download(baseURL+"SHA256SUMS.gpg", "")
+ shared.Download(checksumFile, "")
+
+ valid, err := shared.VerifyFile(
+ filepath.Join(os.TempDir(), "SHA256SUMS"),
+ filepath.Join(os.TempDir(), "SHA256SUMS.gpg"),
+ source.Keys,
+ source.Keyserver)
+ if err != nil {
+ return err
+ }
+ if !valid {
+ return fmt.Errorf("Failed to validate tarball")
+ }
}
- err = shared.Download(
- baseURL+s.fname,
- baseURL+"SHA256SUMS")
+ err = shared.Download(baseURL+s.fname, checksumFile)
if err != nil {
return fmt.Errorf("Error downloading Ubuntu image: %s", err)
}
More information about the lxc-devel
mailing list