author | Alex Brandt <alunduil@alunduil.com> | 2016-02-03 09:57:52 -0600 |
---|---|---|
committer | Alex Brandt <alunduil@alunduil.com> | 2016-02-03 09:57:52 -0600 |
commit | 1584f21d3862ea46c657f4f3a13de7913659489a (patch) | |
tree | 0567ab240b85903a49d1adc0e6503bf5fe3fe154 | |
parent | Merge pull request #23 from steev/master (diff) | |
parent | make if VerifyShaOfStage3 more readable (diff) | |
Merge pull request #27 from ChaosEngine/master
Added SHA512 DIGEST verification
-rwxr-xr-x | amd64-hardened-nomultilib/build.sh | 58 | ||||
-rwxr-xr-x | amd64-hardened/build.sh | 58 | ||||
-rwxr-xr-x | amd64-nomultilib/build.sh | 60 | ||||
-rwxr-xr-x | amd64/build.sh | 58 | ||||
-rwxr-xr-x | x86/build.sh | 55 |
5 files changed, 189 insertions, 100 deletions
diff --git a/amd64-hardened-nomultilib/build.sh b/amd64-hardened-nomultilib/build.sh
index 96f6ad8..ea64118 100755
--- a/amd64-hardened-nomultilib/build.sh
+++ b/amd64-hardened-nomultilib/build.sh
@@ -1,29 +1,47 @@ +# First param is package tarball, 2nd is the *.DIGEST file +VerifyShaOfStage3() +{ + test_sum=$(awk -v myvar="$1" '$2==myvar {for(i=1; i<=1; i++) { print $1; exit}}' $2) + calculated_sum=$(sha512sum $1 | awk '{print $1}' -) + if [[ "$test_sum" == "$calculated_sum" ]]; then + return 0 + else + return 1 + fi +} + suffix=$3 # e.g. -hardened arch=$1 -busybox_version=$2 dist="http://distfiles.gentoo.org/releases/${arch}/autobuilds/" -stage3="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3path="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3="$(basename ${stage3path})" +# Create working directory, keep a copy of busybox handy mkdir newWorldOrder; cd newWorldOrder -echo "Downloading and extracting ${stage3}..." -wget -q -c "${dist}/${stage3}" -bunzip2 -c $(basename ${stage3}) | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - -rm -f $(basename ${stage3}) -wget -q -O /busybox "http://www.busybox.net/downloads/binaries/latest/busybox-${busybox_version}" -chmod +x /busybox -/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp -/busybox cp -fRap lib* / -/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / -/busybox cp -fRap etc/* /etc/ -cd / -#commit suicide -/busybox rm -rf newWorldOrder /busybox /build.sh /linuxrc +cp /bin/busybox . -latest_stage3=$(curl "${base_url}/latest-stage3-amd64-hardened+nomultilib.txt" 2>/dev/null | grep -v '#' | awk '{print $1}') -stage3=$(basename "${latest_stage3}") +echo "Downloading and extracting ${stage3path}..." 
+wget -q -c "${dist}/${stage3path}" "${dist}/${stage3path}.DIGESTS" +if VerifyShaOfStage3 $stage3 "${stage3}.DIGESTS"; then + echo "DIGEST sum is okey"; +else + echo "DIGEST sum is NOT okey"; + return 1; +fi +bunzip2 -c ${stage3} | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - +/newWorldOrder/busybox rm -f $stage3 -# Self destruct -rm -f /Dockerfile /build.sh +echo "Installing stage 3" +/newWorldOrder/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp +/newWorldOrder/busybox cp -fRap lib* / +/newWorldOrder/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / +/newWorldOrder/busybox cp -fRap etc/* /etc/ -echo "Bootstrapped ${stage3} into /:" +# Cleaning +cd / +/newWorldOrder/busybox rm -rf /newWorldOrder /build.sh /linuxrc + +# Say hello +echo "Bootstrapped ${stage3path} into /:" ls --color -lah + diff --git a/amd64-hardened/build.sh b/amd64-hardened/build.sh index 5f7ef00..ea64118 100755 --- a/amd64-hardened/build.sh +++ b/amd64-hardened/build.sh 
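Review bot: The mismatch branch `return 1;` after `echo "DIGEST sum is NOT okey"` only stops the build if build.sh is sourced; when it is executed as a script (there is no shebang, and I cannot see how the Dockerfile invokes it), bash prints "return: can only `return' from a function or sourced script" and continues straight into `bunzip2 -c ${stage3} | tar ... -xf -`, installing the very tarball that failed verification over `/`. Replace it with `exit 1;`. Separately, VerifyShaOfStage3 compares two strings that are both empty when the downloads failed (`sha512sum` on a missing file and `awk` on a missing DIGESTS file both print nothing to stdout), so the check passes on no data at all; require a digest to be present: `if [[ -n "$calculated_sum" && "$test_sum" == "$calculated_sum" ]]; then`.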
@@ -1,29 +1,47 @@ +# First param is package tarball, 2nd is the *.DIGEST file +VerifyShaOfStage3() +{ + test_sum=$(awk -v myvar="$1" '$2==myvar {for(i=1; i<=1; i++) { print $1; exit}}' $2) + calculated_sum=$(sha512sum $1 | awk '{print $1}' -) + if [[ "$test_sum" == "$calculated_sum" ]]; then + return 0 + else + return 1 + fi +} + suffix=$3 # e.g. -hardened arch=$1 -busybox_version=$2 dist="http://distfiles.gentoo.org/releases/${arch}/autobuilds/" -stage3="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3path="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3="$(basename ${stage3path})" +# Create working directory, keep a copy of busybox handy mkdir newWorldOrder; cd newWorldOrder -echo "Downloading and extracting ${stage3}..." -wget -q -c "${dist}/${stage3}" -bunzip2 -c $(basename ${stage3}) | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - -rm -f $(basename ${stage3}) -wget -q -O /busybox "http://www.busybox.net/downloads/binaries/latest/busybox-${busybox_version}" -chmod +x /busybox -/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp -/busybox cp -fRap lib* / -/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / -/busybox cp -fRap etc/* /etc/ -cd / -#commit suicide -/busybox rm -rf newWorldOrder /busybox /build.sh /linuxrc +cp /bin/busybox . -latest_stage3=$(curl "${base_url}/latest-stage3-amd64-hardened.txt" 2>/dev/null | grep -v '#' | awk '{print $1}') -stage3=$(basename "${latest_stage3}") +echo "Downloading and extracting ${stage3path}..." 
+wget -q -c "${dist}/${stage3path}" "${dist}/${stage3path}.DIGESTS" +if VerifyShaOfStage3 $stage3 "${stage3}.DIGESTS"; then + echo "DIGEST sum is okey"; +else + echo "DIGEST sum is NOT okey"; + return 1; +fi +bunzip2 -c ${stage3} | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - +/newWorldOrder/busybox rm -f $stage3 -# Self destruct -rm -f /Dockerfile /build.sh +echo "Installing stage 3" +/newWorldOrder/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp +/newWorldOrder/busybox cp -fRap lib* / +/newWorldOrder/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / +/newWorldOrder/busybox cp -fRap etc/* /etc/ -echo "Bootstrapped ${stage3} into /:" +# Cleaning +cd / +/newWorldOrder/busybox rm -rf /newWorldOrder /build.sh /linuxrc + +# Say hello +echo "Bootstrapped ${stage3path} into /:" ls --color -lah + diff --git a/amd64-nomultilib/build.sh b/amd64-nomultilib/build.sh index ade04b8..ea64118 100755 --- a/amd64-nomultilib/build.sh +++ b/amd64-nomultilib/build.sh 
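Review bot: The SHA512 line is taken from `${stage3path}.DIGESTS`, which is fetched by the same `wget -q -c` over plain `http://distfiles.gentoo.org` as the tarball, and `stage3path` itself comes from `latest-stage3-*.txt` on the same unauthenticated channel, so anyone who can alter the download can also serve a digest that matches it; this detects truncation or mirror corruption, not a substituted stage3. Gentoo publishes a GPG-signed `.DIGESTS.asc` alongside each stage3; fetching that and running `gpg --verify` against the release-engineering key before reading the hash (or at minimum changing `dist` to `https://`) is what would make the "verification" in the commit message hold. The unhappy path also uses `return 1;` at top level, which in an executed (not sourced) bash script is an error that does not stop the following `bunzip2 | tar`; use `exit 1;`.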
@@ -1,29 +1,47 @@ -suffix=$3 # e.g. -nomultilib +# First param is package tarball, 2nd is the *.DIGEST file +VerifyShaOfStage3() +{ + test_sum=$(awk -v myvar="$1" '$2==myvar {for(i=1; i<=1; i++) { print $1; exit}}' $2) + calculated_sum=$(sha512sum $1 | awk '{print $1}' -) + if [[ "$test_sum" == "$calculated_sum" ]]; then + return 0 + else + return 1 + fi +} + +suffix=$3 # e.g. -hardened arch=$1 -busybox_version=$2 dist="http://distfiles.gentoo.org/releases/${arch}/autobuilds/" -stage3="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3path="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3="$(basename ${stage3path})" +# Create working directory, keep a copy of busybox handy mkdir newWorldOrder; cd newWorldOrder -echo "Downloading and extracting ${stage3}..." -wget -q -c "${dist}/${stage3}" -bunzip2 -c $(basename ${stage3}) | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - -rm -f $(basename ${stage3}) -wget -q -O /busybox "http://www.busybox.net/downloads/binaries/latest/busybox-${busybox_version}" -chmod +x /busybox -/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp -/busybox cp -fRap lib* / -/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / -/busybox cp -fRap etc/* /etc/ -cd / -#commit suicide -/busybox rm -rf newWorldOrder /busybox /build.sh /linuxrc +cp /bin/busybox . -latest_stage3=$(curl "${base_url}/latest-stage3-amd64-nomultilib.txt" 2>/dev/null | grep -v '#' | awk '{print $1}') -stage3=$(basename "${latest_stage3}") +echo "Downloading and extracting ${stage3path}..." 
+wget -q -c "${dist}/${stage3path}" "${dist}/${stage3path}.DIGESTS" +if VerifyShaOfStage3 $stage3 "${stage3}.DIGESTS"; then + echo "DIGEST sum is okey"; +else + echo "DIGEST sum is NOT okey"; + return 1; +fi +bunzip2 -c ${stage3} | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - +/newWorldOrder/busybox rm -f $stage3 -# Self destruct -rm -f /Dockerfile /build.sh +echo "Installing stage 3" +/newWorldOrder/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp +/newWorldOrder/busybox cp -fRap lib* / +/newWorldOrder/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / +/newWorldOrder/busybox cp -fRap etc/* /etc/ -echo "Bootstrapped ${stage3} into /:" +# Cleaning +cd / +/newWorldOrder/busybox rm -rf /newWorldOrder /build.sh /linuxrc + +# Say hello +echo "Bootstrapped ${stage3path} into /:" ls --color -lah + diff --git a/amd64/build.sh b/amd64/build.sh index 5c80d28..ea64118 100755 --- a/amd64/build.sh +++ b/amd64/build.sh 
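Review bot: The comment on the `suffix=$3` line changed from `# e.g. -nomultilib` to `# e.g. -hardened`, which is wrong for this directory and suggests the file was pasted wholesale from amd64-hardened; restore `suffix=$3 # e.g. -nomultilib`. In VerifyShaOfStage3 the awk program `$2==myvar {for(i=1; i<=1; i++) { print $1; exit}}` runs its loop body exactly once and reads more simply as `'$2==myvar {print $1; exit}'`; the `exit` matters if the DIGESTS file lists the same filename under more than one algorithm, because the code then silently relies on the SHA512 entry coming first — worth a comment such as `# first entry for $1 is assumed to be the SHA512 line; any later entries are ignored`. Note also that `return 1;` outside a function does not abort an executed script, so a mismatch still falls through to extraction; use `exit 1;`.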
@@ -1,31 +1,47 @@ +# First param is package tarball, 2nd is the *.DIGEST file +VerifyShaOfStage3() +{ + test_sum=$(awk -v myvar="$1" '$2==myvar {for(i=1; i<=1; i++) { print $1; exit}}' $2) + calculated_sum=$(sha512sum $1 | awk '{print $1}' -) + if [[ "$test_sum" == "$calculated_sum" ]]; then + return 0 + else + return 1 + fi +} + suffix=$3 # e.g. -hardened arch=$1 -busybox_version=$2 dist="http://distfiles.gentoo.org/releases/${arch}/autobuilds/" -stage3="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3path="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3="$(basename ${stage3path})" +# Create working directory, keep a copy of busybox handy mkdir newWorldOrder; cd newWorldOrder -echo "Downloading and extracting ${stage3}..." -wget -q -c "${dist}/${stage3}" -bunzip2 -c $(basename ${stage3}) | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - -rm -f $(basename ${stage3}) -wget -q -O /busybox "http://www.busybox.net/downloads/binaries/latest/busybox-${busybox_version}" -chmod +x /busybox -/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp -/busybox cp -fRap lib* / -/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / -/busybox cp -fRap etc/* /etc/ -cd / -#commit suicide -/busybox rm -rf newWorldOrder /busybox /build.sh /linuxrc - +cp /bin/busybox . -latest_stage3=$(curl "${base_url}/latest-stage3-amd64.txt" 2>/dev/null | grep -v '#' | awk '{print $1}') -stage3=$(basename "${latest_stage3}") +echo "Downloading and extracting ${stage3path}..." 
+wget -q -c "${dist}/${stage3path}" "${dist}/${stage3path}.DIGESTS" +if VerifyShaOfStage3 $stage3 "${stage3}.DIGESTS"; then + echo "DIGEST sum is okey"; +else + echo "DIGEST sum is NOT okey"; + return 1; +fi +bunzip2 -c ${stage3} | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - +/newWorldOrder/busybox rm -f $stage3 +echo "Installing stage 3" +/newWorldOrder/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp +/newWorldOrder/busybox cp -fRap lib* / +/newWorldOrder/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / +/newWorldOrder/busybox cp -fRap etc/* /etc/ -# Self destruct -rm -f /Dockerfile /build.sh +# Cleaning +cd / +/newWorldOrder/busybox rm -rf /newWorldOrder /build.sh /linuxrc -echo "Bootstrapped ${stage3} into /:" +# Say hello +echo "Bootstrapped ${stage3path} into /:" ls --color -lah + diff --git a/x86/build.sh b/x86/build.sh index 528a0ae..4c23847 100755 --- a/x86/build.sh +++ b/x86/build.sh 
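Review bot: `stage3` is derived from text fetched over plain HTTP and then used unquoted in `VerifyShaOfStage3 $stage3 ...`, `sha512sum $1`, `awk ... $2`, `bunzip2 -c ${stage3}` and `busybox rm -f $stage3`, so a response containing whitespace or glob characters is word-split before it ever reaches the digest comparison; quote every use (`"$stage3"`, `"$1"`, `"$2"`). The script also runs without `set -e`, so if `bunzip2 -c ${stage3} | tar ... -xf -` fails partway the next lines still `rm -rf /lib* /usr /var /bin ...` and copy whatever was partially extracted over `/`; a `set -euo pipefail` at the top (or an explicit `|| exit 1` on that pipeline) plus `exit 1;` instead of `return 1;` in the mismatch branch would make the build fail closed. I cannot see the Dockerfile, so whether build.sh is sourced or executed is inferred from the missing shebang and the executable mode bits.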
@@ -1,29 +1,48 @@ +# First param is package tarball, 2nd is the *.DIGEST file +VerifyShaOfStage3() +{ + test_sum=$(awk -v myvar="$1" '$2==myvar {for(i=1; i<=1; i++) { print $1; exit}}' $2) + calculated_sum=$(sha512sum $1 | awk '{print $1}' -) + if [[ "$test_sum" == "$calculated_sum" ]]; then + return 0 + else + return 1 + fi +} + suffix=$3 # e.g. -hardened arch=$1 busybox_version=$2 dist="http://distfiles.gentoo.org/releases/${arch}/autobuilds/" -stage3="$(wget -q -O- ${dist}/latest-stage3-${busybox_version}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3path="$(wget -q -O- ${dist}/latest-stage3-${busybox_version}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3="$(basename ${stage3path})" +# Create working directory, keep a copy of busybox handy mkdir newWorldOrder; cd newWorldOrder -echo "Downloading and extracting ${stage3}..." -wget -q -c "${dist}/${stage3}" -bunzip2 -c $(basename ${stage3}) | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - -rm -f $(basename ${stage3}) -wget -q -O /busybox "http://www.busybox.net/downloads/binaries/latest/busybox-${busybox_version}" -chmod +x /busybox -/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp -/busybox cp -fRap lib* / -/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / -/busybox cp -fRap etc/* /etc/ -cd / -#commit suicide -/busybox rm -rf newWorldOrder /busybox /build.sh /linuxrc - +cp /bin/busybox . +echo "Downloading and extracting ${stage3path}..." 
+wget -q -c "${dist}/${stage3path}" "${dist}/${stage3path}.DIGESTS" +if VerifyShaOfStage3 $stage3 "${stage3}.DIGESTS"; then + echo "DIGEST sum is okey"; +else + echo "DIGEST sum is NOT okey"; + return 1; +fi +bunzip2 -c ${stage3} | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - +/newWorldOrder/busybox rm -f $stage3 +echo "Installing stage 3" +/newWorldOrder/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp +/newWorldOrder/busybox cp -fRap lib* / +/newWorldOrder/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / +/newWorldOrder/busybox cp -fRap etc/* /etc/ -# Self destruct -rm -f /Dockerfile /build.sh +# Cleaning +cd / +/newWorldOrder/busybox rm -rf /newWorldOrder /build.sh /linuxrc -echo "Bootstrapped ${stage3} into /:" +# Say hello +echo "Bootstrapped ${stage3path} into /:" ls --color -lah + |
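Review bot: This copy keeps `busybox_version=$2` and uses it as the subarch token in `latest-stage3-${busybox_version}${suffix}.txt`, while the other four build.sh files in this commit drop that variable and use `${arch}`; since the busybox download was replaced by `cp /bin/busybox .`, the name no longer describes what the value is. Either rename it to what it now means (e.g. `stage3_subarch=$2`) or document it inline: `busybox_version=$2 # NOTE: this is the stage3 subarch token used in the URL below, not a busybox version`. As in the sibling files, the mismatch branch's `return 1;` will not stop an executed (non-sourced) script before `bunzip2 | tar` runs — use `exit 1;` — and the two status messages spell "okay" as "okey".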