Diffstat (limited to 'main/openrc/modloop.initd')
-rwxr-xr-x[-rw-r--r--] | main/openrc/modloop.initd | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/main/openrc/modloop.initd b/main/openrc/modloop.initd
index dcc43448b1..a815d66f5a 100644..100755
--- a/main/openrc/modloop.initd
+++ b/main/openrc/modloop.initd
@@ -31,6 +31,7 @@ find_modloop() {
 IFS="$oifs"
 for line; do
 img=${line%%:*}
+verify_modloop "$img" || eerror "Failed to verify signature of $img!"
 mount "$img" -o loop,ro /.modloop || continue
 if [ -d /.modloop/modules/$kver ]; then
 return 0
@@ -40,6 +41,22 @@ find_modloop() {
 return 1
 }
 
+verify_modloop() {
+local modloop=$1 key=
+for key in /etc/apk/keys/*.pub; do
+local sig=/var/cache/misc/${modloop##*/}.SIGN.RSA.${key##*/}
+if [ -f "$sig" ]; then
+if ! command -v openssl > /dev/null; then
+ewarn "Missing openssl. Modloop verification disabled!"
+return 0
+fi
+einfo "Verifying modloop"
+openssl dgst -sha1 -verify "$key" -signature "$sig" "$modloop" \
+>/dev/null 2>&1 || return 1
+fi
+done
+}
+
 find_backing_file() {
 local dir="$1"
 local dev=$(df -P "$dir" | tail -1 | awk '{print $1}')
@@ -54,7 +71,9 @@ start() {
 case "$KOPT_modloop" in
 http://*|https://*|ftp://*)
 modloop=$modloop_dldir/${KOPT_modloop##*/}
-[ ! -f "$modloop" ] && wget -P "$modloop_dldir" "$KOPT_modloop"
+if [ ! -f "$modloop" ]; then
+wget -P "$modloop_dldir" "$KOPT_modloop" || eend 1
+fi
 ;;
 *)
 for dir in $(mountdirs); do
@@ -69,6 +88,7 @@ start() {
 
 ebegin "Mounting modloop $modloop"
 if [ -n "$modloop" ]; then
+verify_modloop "$modloop" || eerror "Failed to verify signature of $img!"
 mount -o loop,ro $modloop /.modloop
 eend $? || return 1
 else
|
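Review bot: The added `verify_modloop "$img" || eerror "Failed to verify signature of $img!"` in find_modloop only logs a failed verification; the very next line still mounts the image, so a bad signature changes nothing but the console output. The same fail-open pattern appears in the start() hunk below `ebegin "Mounting modloop $modloop"`, where the mount also proceeds after eerror. If the check is meant to gate mounting, this line should be `verify_modloop "$img" || { eerror "Failed to verify signature of $img!"; continue; }` and the start() one should return after eend 1; if it is deliberately advisory, a comment saying so (`# verification failure is only reported, not enforced`) would stop readers from assuming otherwise. Note also that verify_modloop returns success when no matching signature file exists, so only a present-but-invalid signature is ever reported here. find_modloop's body begins before this hunk.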
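Review bot: verify_modloop has two silent fail-open paths that the function does not document: a missing openssl is downgraded to a warning and `return 0`, and when no `/var/cache/misc/<name>.SIGN.RSA.<key>` file matches any key the loop falls through and the function exits with the status of the last `[ -f "$sig" ]` test, which is 0. A header comment such as `# Verify $1 against /var/cache/misc/<basename>.SIGN.RSA.<keyname> for each key in /etc/apk/keys; returns 1 only on a failed openssl verification, 0 when no signature file or no openssl is present (best effort)` would make that contract explicit, and an explicit `return 0` after `done` would make the fall-through intentional rather than accidental. The digest is pinned to `-sha1`, which is a weak choice for a signature scheme; whether it can be changed depends on what the signing side produces, so at minimum a comment should record why SHA-1 is required here.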
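Review bot: `wget -P "$modloop_dldir" "$KOPT_modloop" || eend 1` reports a failure but does not leave start(); no ebegin precedes it at this point, and execution continues with $modloop pointing at a file that was never fully downloaded, so the later mount is what actually fails. If wget left a partial file behind (it does not remove one on every failure), the `[ ! -f "$modloop" ]` guard would also skip the download on the next boot and keep mounting the truncated image. Replacing the line with `wget -P "$modloop_dldir" "$KOPT_modloop" || { eerror "Failed to download $KOPT_modloop"; return 1; }` fails the service at the point of the error; removing the partial file before returning would address the retry problem if that behaviour is confirmed. start() begins before this hunk.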
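Review bot: The message in the new start() line references `$img`, but the image path in this function is `$modloop`; `img` is only assigned inside find_modloop, where it is not declared local, so the eerror prints either a stale value from an earlier find_modloop run or an empty name. The line should read `verify_modloop "$modloop" || eerror "Failed to verify signature of $modloop!"`. start()'s body continues past the end of this hunk.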