definition: Add Source.SkipVerification
This allows for the source verification to be skipped if needed. Signed-off-by: Thomas Hipp <thomas.hipp@canonical.com>
This commit is contained in:
parent
91598f1fa2
commit
fb39a671f7
@ -42,15 +42,16 @@ type DefinitionImage struct {
|
||||
|
||||
// A DefinitionSource specifies the download type and location
|
||||
type DefinitionSource struct {
|
||||
Downloader string `yaml:"downloader"`
|
||||
URL string `yaml:"url,omitempty"`
|
||||
Keys []string `yaml:"keys,omitempty"`
|
||||
Keyserver string `yaml:"keyserver,omitempty"`
|
||||
Variant string `yaml:"variant,omitempty"`
|
||||
Suite string `yaml:"suite,omitempty"`
|
||||
SameAs string `yaml:"same_as,omitempty"`
|
||||
AptSources string `yaml:"apt_sources,omitempty"`
|
||||
IgnoreRelease bool `yaml:"ignore_release,omitempty"`
|
||||
Downloader string `yaml:"downloader"`
|
||||
URL string `yaml:"url,omitempty"`
|
||||
Keys []string `yaml:"keys,omitempty"`
|
||||
Keyserver string `yaml:"keyserver,omitempty"`
|
||||
Variant string `yaml:"variant,omitempty"`
|
||||
Suite string `yaml:"suite,omitempty"`
|
||||
SameAs string `yaml:"same_as,omitempty"`
|
||||
AptSources string `yaml:"apt_sources,omitempty"`
|
||||
IgnoreRelease bool `yaml:"ignore_release,omitempty"`
|
||||
SkipVerification bool `yaml:"skip_verification,omitempty"`
|
||||
}
|
||||
|
||||
// A DefinitionTargetLXCConfig represents the config part of the metadata.
|
||||
|
@ -56,17 +56,22 @@ func (s *AlpineLinuxHTTP) Run(definition shared.Definition, rootfsDir string) er
|
||||
return err
|
||||
}
|
||||
|
||||
if url.Scheme != "https" && len(definition.Source.Keys) == 0 {
|
||||
if !definition.Source.SkipVerification && url.Scheme != "https" &&
|
||||
len(definition.Source.Keys) == 0 {
|
||||
return errors.New("GPG keys are required if downloading from HTTP")
|
||||
}
|
||||
|
||||
err = shared.DownloadSha256(tarball, tarball+".sha256")
|
||||
if definition.Source.SkipVerification {
|
||||
err = shared.DownloadSha256(tarball, "")
|
||||
} else {
|
||||
err = shared.DownloadSha256(tarball, tarball+".sha256")
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Force gpg checks when using http
|
||||
if url.Scheme != "https" {
|
||||
if !definition.Source.SkipVerification && url.Scheme != "https" {
|
||||
shared.DownloadSha256(tarball+".asc", "")
|
||||
valid, err := shared.VerifyFile(
|
||||
filepath.Join(os.TempDir(), fname),
|
||||
|
@ -33,7 +33,8 @@ func (s *ArchLinuxHTTP) Run(definition shared.Definition, rootfsDir string) erro
|
||||
return err
|
||||
}
|
||||
|
||||
if url.Scheme != "https" && len(definition.Source.Keys) == 0 {
|
||||
if !definition.Source.SkipVerification && url.Scheme != "https" &&
|
||||
len(definition.Source.Keys) == 0 {
|
||||
return errors.New("GPG keys are required if downloading from HTTP")
|
||||
}
|
||||
|
||||
@ -43,7 +44,7 @@ func (s *ArchLinuxHTTP) Run(definition shared.Definition, rootfsDir string) erro
|
||||
}
|
||||
|
||||
// Force gpg checks when using http
|
||||
if url.Scheme != "https" {
|
||||
if !definition.Source.SkipVerification && url.Scheme != "https" {
|
||||
shared.DownloadSha256(tarball+".sig", "")
|
||||
|
||||
valid, err := shared.VerifyFile(
|
||||
|
@ -45,21 +45,23 @@ func (s *CentOSHTTP) Run(definition shared.Definition, rootfsDir string) error {
|
||||
}
|
||||
|
||||
checksumFile := ""
|
||||
// Force gpg checks when using http
|
||||
if url.Scheme != "https" {
|
||||
if len(definition.Source.Keys) == 0 {
|
||||
return errors.New("GPG keys are required if downloading from HTTP")
|
||||
}
|
||||
if !definition.Source.SkipVerification {
|
||||
// Force gpg checks when using http
|
||||
if url.Scheme != "https" {
|
||||
if len(definition.Source.Keys) == 0 {
|
||||
return errors.New("GPG keys are required if downloading from HTTP")
|
||||
}
|
||||
|
||||
checksumFile = "sha256sum.txt.asc"
|
||||
shared.DownloadSha256(baseURL+checksumFile, "")
|
||||
valid, err := shared.VerifyFile(filepath.Join(os.TempDir(), checksumFile), "",
|
||||
definition.Source.Keys, definition.Source.Keyserver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !valid {
|
||||
return errors.New("Failed to verify tarball")
|
||||
checksumFile = "sha256sum.txt"
|
||||
shared.DownloadSha256(baseURL+checksumFile, "")
|
||||
valid, err := shared.VerifyFile(filepath.Join(os.TempDir(), checksumFile), "",
|
||||
definition.Source.Keys, definition.Source.Keyserver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !valid {
|
||||
return errors.New("Failed to verify tarball")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -33,6 +33,10 @@ func (s *Debootstrap) Run(definition shared.Definition, rootfsDir string) error
|
||||
args = append(args, "--arch", definition.Image.ArchitectureMapped)
|
||||
}
|
||||
|
||||
if definition.Source.SkipVerification {
|
||||
args = append(args, "--no-check-gpg")
|
||||
}
|
||||
|
||||
if len(definition.Source.Keys) > 0 {
|
||||
keyring, err := shared.CreateGPGKeyring(definition.Source.Keyserver, definition.Source.Keys)
|
||||
if err != nil {
|
||||
|
@ -44,17 +44,22 @@ func (s *GentooHTTP) Run(definition shared.Definition, rootfsDir string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
if url.Scheme != "https" && len(definition.Source.Keys) == 0 {
|
||||
if !definition.Source.SkipVerification && url.Scheme != "https" &&
|
||||
len(definition.Source.Keys) == 0 {
|
||||
return errors.New("GPG keys are required if downloading from HTTP")
|
||||
}
|
||||
|
||||
err = shared.DownloadSha512(tarball, tarball+".DIGESTS")
|
||||
if definition.Source.SkipVerification {
|
||||
err = shared.DownloadSha512(tarball, "")
|
||||
} else {
|
||||
err = shared.DownloadSha512(tarball, tarball+".DIGESTS")
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Force gpg checks when using http
|
||||
if url.Scheme != "https" {
|
||||
if !definition.Source.SkipVerification && url.Scheme != "https" {
|
||||
shared.DownloadSha512(tarball+".DIGESTS.asc", "")
|
||||
valid, err := shared.VerifyFile(
|
||||
filepath.Join(os.TempDir(), fname+".DIGESTS.asc"),
|
||||
|
@ -51,7 +51,7 @@ func (s *UbuntuHTTP) Run(definition shared.Definition, rootfsDir string) error {
|
||||
|
||||
checksumFile := ""
|
||||
// Force gpg checks when using http
|
||||
if url.Scheme != "https" {
|
||||
if !definition.Source.SkipVerification && url.Scheme != "https" {
|
||||
if len(definition.Source.Keys) == 0 {
|
||||
return errors.New("GPG keys are required if downloading from HTTP")
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user