author | Carlo Landmeter <clandmeter@alpinelinux.org> | 2018-06-27 12:55:19 +0000 |
committer | Carlo Landmeter <clandmeter@alpinelinux.org> | 2018-08-11 09:46:57 +0000 |
commit | 2682f6a7441fe2b549f19d5453e9f8c785305bc2 (patch) | |
tree | ac397530a123d97c224d4bad8fd80a2b0dd8ea7c /sign_images.sh | |
parent | 0995c816219a8f6c700e58e6bcca32331cd5529c (diff) | |
Do not generate images locally but instead generate signatures locally
and use images from the official mirror.
- generate ipxe boot script from template
- add option to start sshd with firstboot
- add version information when selecting branch
- verify netboot releases with gpg signature
- added ncopa.asc gpg public key
Diffstat (limited to 'sign_images.sh')
-rwxr-xr-x | sign_images.sh | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/sign_images.sh b/sign_images.sh
new file mode 100755
index 0000000..3835c09
--- /dev/null
+++ b/sign_images.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+branch=$1
+arch=$2
+version=$3
+mirror=http://dl-cdn.alpinelinux.org/alpine
+sigs=/var/www/localhost/htdocs/sigs/$branch/$arch/$version
+tarball=alpine-netboot-$version-$arch.tar.gz
+
+# CA Settings
+CA_CRT="/etc/ssl/alpine-netboot-ca/ca.crt"
+SIGN_CRT="/etc/ssl/alpine-netboot-ca/codesign.crt"
+SIGN_KEY="/etc/ssl/alpine-netboot-ca/codesign.key"
+PASS_FILE="/etc/ssl/alpine-netboot-ca/passwd"
+
+sign_image() {
+ local in=$1 out=$2
+ echo "Signing image: $in"
+ openssl cms -sign -binary -noattr -in "$in" \
+ -signer "$SIGN_CRT" -inkey "$SIGN_KEY" \
+ -certfile "$CA_CRT" \
+ -outform DER -out "$out" \
+ -passin file:"$PASS_FILE"
+}
+
+fetch_and_verify() {
+ for file in "$tarball" "$tarball".asc; do
+ wget -q -P "$tmpdir" "$mirror"/$branch/releases/$arch/$file
+ done
+ gpg --verify "$tmpdir/$tarball".asc "$tmpdir/$tarball" &> /dev/null
+}
+
+tmpdir=$(mktemp -d)
+mkdir -p "$sigs" && rm -f "$sigs"/*
+
+if fetch_and_verify; then
+ tar -C "$tmpdir" -zxvf "$tmpdir"/"$tarball" | while read file; do
+ case $file in
+ *modloop*|*vmlinuz*|*initramfs*)
+ sign_image "$tmpdir/$file" "$sigs/${file##*/}.sig" ;;
+ esac
+ done
+else
+ echo "Failed to verify: $branch/$tarball"
+fi
+
+rm -rf "$tmpdir"
+
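Review bot: The `&> /dev/null` on the gpg line in fetch_and_verify is a bash/ash extension used under `#!/bin/sh`; on a POSIX sh such as dash it parses as `gpg --verify … &` followed by a bare `> /dev/null`, so gpg runs in the background and the function's exit status is that of the redirection (0), meaning an unverified tarball would be extracted and signed. Busybox ash, which is Alpine's /bin/sh, does accept `&>`, so this likely behaves as intended where it is deployed, but a signing gate should not hinge on that: `gpg --verify "$tmpdir/$tarball".asc "$tmpdir/$tarball" > /dev/null 2>&1` is portable and equivalent. Two related hardening points: `mkdir -p "$sigs" && rm -f "$sigs"/*` runs before verification, so a failed download or bad signature wipes the previously published signatures rather than leaving the last good set in place, and `gpg --verify` accepts any key in the keyring, so pinning the expected signer (e.g. checking `--status-fd 1` output for a `VALIDSIG` line carrying the known fingerprint) would make the check independent of keyring contents. Also, `$branch`, `$arch` and `$file` in the wget URL are unquoted and wget's exit status is ignored, though gpg will fail on a missing file, so the current flow degrades safely in that case.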