author | Chaos <haos.engine@gmail.com> | 2015-10-28 23:10:35 +0100 |
---|---|---|
committer | Chaos <haos.engine@gmail.com> | 2015-10-28 23:10:35 +0100 |
commit | 15874c0533cc2f87ccfdcd9ea75defa4c3852083 (patch) | |
tree | f57f399c88ed4840fd7af151cd901daffdc8cebe | |
parent | Merge branch 'master' of https://github.com/gentoo/gentoo-docker-images (diff) | |
download | docker-images-15874c0533cc2f87ccfdcd9ea75defa4c3852083.tar.gz docker-images-15874c0533cc2f87ccfdcd9ea75defa4c3852083.tar.bz2 docker-images-15874c0533cc2f87ccfdcd9ea75defa4c3852083.zip |
added SHA512 stage3 verification
-rwxr-xr-x | amd64-hardened-nomultilib/build.sh | 56 | ||||
-rwxr-xr-x | amd64-hardened/build.sh | 1 | ||||
-rwxr-xr-x | amd64-nomultilib/build.sh | 58 |
3 files changed, 73 insertions, 42 deletions
diff --git a/amd64-hardened-nomultilib/build.sh b/amd64-hardened-nomultilib/build.sh
index 96f6ad8..83bbbed 100755
--- a/amd64-hardened-nomultilib/build.sh
+++ b/amd64-hardened-nomultilib/build.sh
@@ -1,29 +1,45 @@ +# First param is package tarball, 2nd is the *.DIGEST file +VerifyShaOfStage3() +{ + #echo $1 $2 + #ls -l $1 $2 + test_sum=$(awk -v myvar="$1" '$2==myvar {for(i=1; i<=1; i++) { print $1; exit}}' $2) + calculated_sum=$(sha512sum $1 | awk '{print $1}' -) + #echo aaaa $test_sum bbb $calculated_sum + if [[ "$test_sum" == "$calculated_sum" ]]; then + return 0 + else + return 1 + fi +} + suffix=$3 # e.g. -hardened arch=$1 -busybox_version=$2 dist="http://distfiles.gentoo.org/releases/${arch}/autobuilds/" -stage3="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3path="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3="$(basename ${stage3path})" +# Create working directory, keep a copy of busybox handy mkdir newWorldOrder; cd newWorldOrder -echo "Downloading and extracting ${stage3}..." -wget -q -c "${dist}/${stage3}" -bunzip2 -c $(basename ${stage3}) | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - -rm -f $(basename ${stage3}) -wget -q -O /busybox "http://www.busybox.net/downloads/binaries/latest/busybox-${busybox_version}" -chmod +x /busybox -/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp -/busybox cp -fRap lib* / -/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / -/busybox cp -fRap etc/* /etc/ -cd / -#commit suicide -/busybox rm -rf newWorldOrder /busybox /build.sh /linuxrc +cp /bin/busybox . -latest_stage3=$(curl "${base_url}/latest-stage3-amd64-hardened+nomultilib.txt" 2>/dev/null | grep -v '#' | awk '{print $1}') -stage3=$(basename "${latest_stage3}") +echo "Downloading and extracting ${stage3path}..." 
+wget -q -c "${dist}/${stage3path}" "${dist}/${stage3path}.DIGESTS" +if VerifyShaOfStage3 $stage3 "${stage3}.DIGESTS"; then echo "DIGEST sum is okey"; else echo "DIGEST sum is NOT okey"; return 1; fi +bunzip2 -c ${stage3} | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - +/newWorldOrder/busybox rm -f $stage3 -# Self destruct -rm -f /Dockerfile /build.sh +echo "Installing stage 3" +/newWorldOrder/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp +/newWorldOrder/busybox cp -fRap lib* / +/newWorldOrder/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / +/newWorldOrder/busybox cp -fRap etc/* /etc/ -echo "Bootstrapped ${stage3} into /:" +# Cleaning +cd / +/newWorldOrder/busybox rm -rf /newWorldOrder /build.sh /linuxrc + +# Say hello +echo "Bootstrapped ${stage3path} into /:" ls --color -lah + diff --git a/amd64-hardened/build.sh b/amd64-hardened/build.sh index 644f62d..83bbbed 100755 --- a/amd64-hardened/build.sh +++ b/amd64-hardened/build.sh @@ -21,7 +21,6 @@ stage3="$(basename ${stage3path})" # Create working directory, keep a copy of busybox handy mkdir newWorldOrder; cd newWorldOrder -<<<<<<< HEAD cp /bin/busybox . echo "Downloading and extracting ${stage3path}..." diff --git a/amd64-nomultilib/build.sh b/amd64-nomultilib/build.sh index ade04b8..83bbbed 100755 --- a/amd64-nomultilib/build.sh +++ b/amd64-nomultilib/build.sh 
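Review bot: The `return 1` after `echo "DIGEST sum is NOT okey"` only stops the build if build.sh is sourced; when the file is executed as a script (it starts with a comment, no shebang is visible, so how it is invoked is not shown here) bash reports that `return` can only be used from a function or sourced script and, outside POSIX mode, keeps going, so on a digest mismatch the unverified tarball is still handed to `bunzip2` and installed over `/`. That line should read `echo "DIGEST sum is NOT okey" >&2; exit 1`. VerifyShaOfStage3 also reports success when both sums are empty, which is reachable because neither `wget` exit status is checked: with the `.DIGESTS` file and the tarball both missing, awk on a nonexistent file and `sha512sum` on a nonexistent file each yield nothing and the `==` test passes, so the comparison should be `if [[ -n "$test_sum" && "$test_sum" == "$calculated_sum" ]]; then` and the download line `wget -q -c "${dist}/${stage3path}" "${dist}/${stage3path}.DIGESTS" || exit 1`. The `$1`, `$2`, `$stage3` and `${stage3}` expansions are unquoted throughout the new code while `${dist}/${stage3path}` on the same line is quoted; quoting them consistently costs nothing.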
@@ -1,29 +1,45 @@ -suffix=$3 # e.g. -nomultilib +# First param is package tarball, 2nd is the *.DIGEST file +VerifyShaOfStage3() +{ + #echo $1 $2 + #ls -l $1 $2 + test_sum=$(awk -v myvar="$1" '$2==myvar {for(i=1; i<=1; i++) { print $1; exit}}' $2) + calculated_sum=$(sha512sum $1 | awk '{print $1}' -) + #echo aaaa $test_sum bbb $calculated_sum + if [[ "$test_sum" == "$calculated_sum" ]]; then + return 0 + else + return 1 + fi +} + +suffix=$3 # e.g. -hardened arch=$1 -busybox_version=$2 dist="http://distfiles.gentoo.org/releases/${arch}/autobuilds/" -stage3="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3path="$(wget -q -O- ${dist}/latest-stage3-${arch}${suffix}.txt | tail -n 1 | cut -f 1 -d ' ')" +stage3="$(basename ${stage3path})" +# Create working directory, keep a copy of busybox handy mkdir newWorldOrder; cd newWorldOrder -echo "Downloading and extracting ${stage3}..." -wget -q -c "${dist}/${stage3}" -bunzip2 -c $(basename ${stage3}) | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - -rm -f $(basename ${stage3}) -wget -q -O /busybox "http://www.busybox.net/downloads/binaries/latest/busybox-${busybox_version}" -chmod +x /busybox -/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp -/busybox cp -fRap lib* / -/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / -/busybox cp -fRap etc/* /etc/ -cd / -#commit suicide -/busybox rm -rf newWorldOrder /busybox /build.sh /linuxrc +cp /bin/busybox . -latest_stage3=$(curl "${base_url}/latest-stage3-amd64-nomultilib.txt" 2>/dev/null | grep -v '#' | awk '{print $1}') -stage3=$(basename "${latest_stage3}") +echo "Downloading and extracting ${stage3path}..." 
+wget -q -c "${dist}/${stage3path}" "${dist}/${stage3path}.DIGESTS" +if VerifyShaOfStage3 $stage3 "${stage3}.DIGESTS"; then echo "DIGEST sum is okey"; else echo "DIGEST sum is NOT okey"; return 1; fi +bunzip2 -c ${stage3} | tar --exclude "./etc/hosts" --exclude "./sys/*" -xf - +/newWorldOrder/busybox rm -f $stage3 -# Self destruct -rm -f /Dockerfile /build.sh +echo "Installing stage 3" +/newWorldOrder/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp +/newWorldOrder/busybox cp -fRap lib* / +/newWorldOrder/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var / +/newWorldOrder/busybox cp -fRap etc/* /etc/ -echo "Bootstrapped ${stage3} into /:" +# Cleaning +cd / +/newWorldOrder/busybox rm -rf /newWorldOrder /build.sh /linuxrc + +# Say hello +echo "Bootstrapped ${stage3path} into /:" ls --color -lah + |
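Review bot: The `.DIGESTS` file is fetched over the same plain-HTTP `${dist}` URL as the tarball it describes, so the SHA512 comparison detects a truncated or corrupted download but not a substituted one — anyone able to tamper with the tarball on that path can rewrite the digest line as well; authenticity needs the signed copy of the digest file checked too (if the release directory publishes one alongside — confirm against the mirror layout), or at minimum `dist` switched to an https URL. The awk filter `$2==myvar {... exit}` keeps the first line whose second field is the filename, so if the digest file lists more than one hash algorithm for the same name the result silently depends on the SHA512 section appearing first; matching only lines under a `# SHA512 HASH` header would make that intent explicit, and the `for(i=1; i<=1; i++)` wrapper around `print $1; exit` does nothing and can be dropped. Separately, this hunk changes the example comment to `suffix=$3 # e.g. -hardened` in the nomultilib script, and all three build.sh files end this commit at the same blob (`83bbbed` in every `index` line), so the verification logic now exists as three identical copies — a single shared script taking the variant as an argument would keep the `exit`/quoting fixes in one place.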