authorCarlo Landmeter <clandmeter@alpinelinux.org>2018-06-27 12:55:19 +0000
committerCarlo Landmeter <clandmeter@alpinelinux.org>2018-08-11 09:46:57 +0000
commit2682f6a7441fe2b549f19d5453e9f8c785305bc2 (patch)
treeac397530a123d97c224d4bad8fd80a2b0dd8ea7c /sign_images.sh
parent0995c816219a8f6c700e58e6bcca32331cd5529c (diff)
use images from official mirror
Do not generate images locally but instead generate signatures locally and use images from the official mirror.
- generate ipxe boot script from template
- add option to start sshd with firstboot
- add version information when selecting branch
- verify netboot releases with gpg signature
- added ncopa.asc gpg public key
Diffstat (limited to 'sign_images.sh')
-rwxr-xr-xsign_images.sh48
1 files changed, 48 insertions, 0 deletions
diff --git a/sign_images.sh b/sign_images.sh
new file mode 100755
index 0000000..3835c09
--- /dev/null
+++ b/sign_images.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+branch=$1
+arch=$2
+version=$3
+mirror=http://dl-cdn.alpinelinux.org/alpine
+sigs=/var/www/localhost/htdocs/sigs/$branch/$arch/$version
+tarball=alpine-netboot-$version-$arch.tar.gz
+
+# CA Settings
+CA_CRT="/etc/ssl/alpine-netboot-ca/ca.crt"
+SIGN_CRT="/etc/ssl/alpine-netboot-ca/codesign.crt"
+SIGN_KEY="/etc/ssl/alpine-netboot-ca/codesign.key"
+PASS_FILE="/etc/ssl/alpine-netboot-ca/passwd"
+
+sign_image() {
+ local in=$1 out=$2
+ echo "Signing image: $in"
+ openssl cms -sign -binary -noattr -in "$in" \
+ -signer "$SIGN_CRT" -inkey "$SIGN_KEY" \
+ -certfile "$CA_CRT" \
+ -outform DER -out "$out" \
+ -passin file:"$PASS_FILE"
+}
+
+fetch_and_verify() {
+ for file in "$tarball" "$tarball".asc; do
+ wget -q -P "$tmpdir" "$mirror"/$branch/releases/$arch/$file
+ done
+ gpg --verify "$tmpdir/$tarball".asc "$tmpdir/$tarball" &> /dev/null
+}
+
+tmpdir=$(mktemp -d)
+mkdir -p "$sigs" && rm -f "$sigs"/*
+
+if fetch_and_verify; then
+ tar -C "$tmpdir" -zxvf "$tmpdir"/"$tarball" | while read file; do
+ case $file in
+ *modloop*|*vmlinuz*|*initramfs*)
+ sign_image "$tmpdir/$file" "$sigs/${file##*/}.sig" ;;
+ esac
+ done
+else
+ echo "Failed to verify: $branch/$tarball"
+fi
+
+rm -rf "$tmpdir"
+
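Review bot: The `&> /dev/null` in fetch_and_verify is a bash extension, and the file runs under `#!/bin/sh`; on a strict POSIX sh (dash, or an ash built without bash compat) that line parses as `gpg --verify … &` followed by an empty `> /dev/null`, so gpg is backgrounded and the function's exit status is the redirect's 0. In that case `if fetch_and_verify` always takes the true branch and the modloop/vmlinuz/initramfs files are signed whether or not the GPG check passed, which defeats the "verify netboot releases with gpg signature" goal of this commit; write it as `gpg --verify "$tmpdir/$tarball".asc "$tmpdir/$tarball" >/dev/null 2>&1`. Separately, `gpg --verify` with no keyring option accepts any key in the invoking user's default keyring, so the release key the description mentions should be pinned, e.g. `--no-default-keyring --keyring <path-to-release-keyring>` (placeholder). The positional arguments also flow unchecked into `sigs`, which is then cleared with `rm -f "$sigs"/*`; a guard such as `: "${branch:?}" "${arch:?}" "${version:?}"` before the path assignments would prevent an empty or missing argument from emptying the wrong directory. Since wget's status is never checked, a failed download is only caught indirectly by gpg failing on the missing file, which is acceptable once the redirect is fixed but worth a comment.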