Description: maas-import-pxe-files doesn't cryptographically verify what it downloads
Origin: https://bugs.launchpad.net/maas/+bug/1039513
=== modified file 'scripts/maas-import-pxe-files'
scripts/maas-import-pxe-files | 96 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 89 insertions(+), 7 deletions(-)
Index: b/scripts/maas-import-pxe-files
11
===================================================================
12
--- a/scripts/maas-import-pxe-files
13
+++ b/scripts/maas-import-pxe-files
15
local_settings="$(pwd)/$settings"
16
[ -r $local_settings ] && . $local_settings
18
+# Location of the GPG keyring for the Ubuntu archive.
19
+GPG_KEYRING="${GPG_KEYRING:-/usr/share/keyrings/ubuntu-archive-keyring.gpg}"
21
# Download locations for Ubuntu releases.
22
MAIN_ARCHIVE=${MAIN_ARCHIVE:-http://archive.ubuntu.com/ubuntu/}
23
PORTS_ARCHIVE=${PORTS_ARCHIVE:-http://ports.ubuntu.com/ubuntu-ports/}
26
IMPORT_EPHEMERALS=${IMPORT_EPHEMERALS:-1}
35
# Show script usage/summary.
42
-# Put together a full URL for where the installer files for architecture $1
43
-# and release $2 can be downloaded.
44
-compose_installer_download_url() {
45
+# Return a URL that points to the images directory for the relevant
47
+compose_installer_base_url() {
48
local arch=$1 release=$2
52
local installer_url="$MAIN_ARCHIVE/dists/$release/main/installer-${arch%%/*}"
53
- echo "$installer_url/current/images/netboot/ubuntu-installer/${arch%%/*}/"
54
+ echo "$installer_url/current/images/"
57
# No ARM server installers were available in precise, so always go for -updates for now
61
local installer_url="$PORTS_ARCHIVE/dists/${release}${updates}/main/installer-${arch%%/*}"
62
- echo "$installer_url/current/images/${arch#*/}/netboot/"
63
+ echo "$installer_url/current/images/"
66
+ echo "Unknown architecture: $arch" >&2
72
+# Return the URL part that is appended to the base url that gives the location
74
+compose_installer_download_url_postfix() {
79
+ echo "netboot/ubuntu-installer/${arch%%/*}/"
82
+ echo "${arch#*/}/netboot/"
85
echo "Unknown architecture: $arch" >&2
90
+# Put together a full URL for where the installer files for architecture $1
91
+# and release $2 can be downloaded.
92
+compose_installer_download_url() {
93
+ local arch=$1 release=$2
95
+ base_url=$(compose_installer_base_url $arch $release)
96
+ postfix=$(compose_installer_download_url_postfix $arch)
98
+ echo "$base_url/$postfix"
101
+fetch_server_md5sums() {
105
+ $DOWNLOAD "$base_url/MD5SUMS" &&
106
+ $DOWNLOAD "$base_url/MD5SUMS.gpg" ||
107
+ fail "unable to download $base_url/MD5SUMS[.gpg]"
109
+ ignore=$(gpg --keyring=$GPG_KEYRING --verify MD5SUMS.gpg MD5SUMS 2>&1) ||
110
+ fail "failed to verify MD5SUMS via $GPG_KEYRING ($base_url/MD5SUMS)"
113
+get_md5sum_for_file() {
116
+ # The filename supplied in $1 must be the full path as seen in the
117
+ # MD5SUMS file. The files are rooted from a single place so the grepped
118
+ # string will only match once.
119
+ server_md5sum=$(grep $filename MD5SUMS|awk '{print $1}') ||
120
+ fail "failed to find checksum for $filename"
121
+ echo $server_md5sum
125
+ local server_md5sum=$1 file_on_disk=$2
128
+ md5sum=$(md5sum $file_on_disk|awk '{print $1}')
130
+ if [ "$md5sum" != "$server_md5sum" ]; then
131
+ fail "md5 checksum mismatch for $file_on_disk: expected $server_md5sum, got $md5sum"
135
# Return a list of files for architecture $1 and release $2 that need to be
137
@@ -147,16 +218,23 @@
138
# architecture $1 and install it into the TFTP directory hierarchy.
139
update_install_files() {
140
local arch=$1 release=$2
141
- local files file url
142
+ local files file url file_prefix filename_in_md5sums_file md5sum
144
files=$(compose_installer_download_files $arch $release)
145
url=$(compose_installer_download_url $arch $release)
148
pushd "install" >/dev/null
149
+ fetch_server_md5sums $(compose_installer_base_url $arch $release)
150
+ echo "MD5SUMS GPG signature OK for $arch $release"
154
+ file_prefix=$(compose_installer_download_url_postfix $arch)
155
+ filename_in_md5sums_file=$file_prefix$file
156
+ md5sum=$(get_md5sum_for_file $filename_in_md5sums_file)
157
+ check_checksum $md5sum $file
158
+ echo "'$file' md5sum OK"
160
rename_installer_download_files $arch $release
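Review bot: The checksum lookup at `md5sum=$(get_md5sum_for_file $filename_in_md5sums_file)` is never checked and its result is passed unquoted at `check_checksum $md5sum $file`; get_md5sum_for_file (earlier in this patch) takes its exit status from the `grep | awk` pipeline, so a missing or ambiguous MD5SUMS entry yields an empty or multi-line value with status 0, and word splitting then shifts `$file` or a second hash into the expected-checksum position. The file is still rejected in that case, but with a misleading mismatch message (and `md5sum` invoked with no operand reads stdin) instead of a clear missing-entry error. I would make it `md5sum=$(get_md5sum_for_file "$filename_in_md5sums_file")`, `[ -n "$md5sum" ] || fail "no MD5SUMS entry for $filename_in_md5sums_file"` and `check_checksum "$md5sum" "$file"`. Separately, the signature check this hunk depends on through `fetch_server_md5sums` passes `--keyring=$GPG_KEYRING` without `--no-default-keyring`, so gpg will also accept a signature from any key in the invoking user's default keyring; adding `--no-default-keyring` there pins trust to the archive keyring alone. Several lines of this hunk (gutter 151–153 and 159, presumably the loop over `$files` that encloses the checksum lines) are not shown in this extract.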
166
+if [ ! -f "$GPG_KEYRING" ]; then
167
+ fail "gpg keyring $GPG_KEYRING is not a file"