main/openrc: add modloop signature verification

7e1d41d6 · Carlo Landmeter · 392aa6fc · 7e1d41d6 · 7e1d41d6
Commit 7e1d41d6 authored 6 years ago by Carlo Landmeter
--- a/main/openrc/APKBUILD
+++ b/main/openrc/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openrc
 pkgver=0.39.2
 _ver=${pkgver/_git*/}
-pkgrel=2
+pkgrel=3
 pkgdesc="OpenRC manages the services, startup and shutdown of a host"
 url="https://gitweb.gentoo.org/proj/openrc.git"
 arch="all"
@@ -96,7 +96,7 @@ e56ea82dbf8bf6b4cff4fa48db8e4f06589094ba99aad930fc498e2fe235db6ce2afe96e2bc047dd
 259552165ee5e9ca973bbe18d1d9ec5cc67526cb26a9e0ac717076ef4913bb7ff4055d6ccb9f77996ed9c00b67f46edba552e1a21b836068a112dda2428502b3  hostname.initd
 c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55  hwdrivers.initd
 b04058ec630e19de0bafefe06198dc1bff8c8d5d2c89e4660dd83dda8bb82a76cdb1d8661cce88e4a406aa6b4152e17efff52d3eb18ffaec0751d0b6cdbcc48a  modules.initd
-27c036a2c07f658f7fb1e066c59dc494674ba0d81bcb85fea9caffec28ee537eb11e863e20aa4b1c88607f12496ac66d5b092c787c86ff8b8a80e423a8d99440  modloop.initd
+595098085d5a1204e3c5af59bb4a3b3d1fb2980db77925995aa1ec43ef5ae378cef736ddc7924191a99d39c93891d59274fbba08127b15d584c2f82b067ef683  modloop.initd
 55df0ac13dac1f215f0c573ac07b150d31232a5204eccfc8941d5af73f91b4535a85d79b7f6514217038ecbe6bffa28cb83fd8d46fd4c596e07103deb8bc8a57  networking.initd
 80e43ded522e2d48b876131c7c9997debd43f3790e0985801a8c1dd60bc6e09f625b35a127bf225eb45a65eec7808a50d1c08a5e8abceafc61726211e061e0a2  modloop.confd
 d76c75c58e6f4b0801edac4e081b725ef3d50a9a8c9bbb5692bf4d0f804af7d383bf71a73d5d03ed348a89741ef0b2427eb6a7cbf5a9b9ff60a240639fa6ec88  sysfsconf.initd

--- a/main/openrc/modloop.initd
+++ b/main/openrc/modloop.initd
@@ -31,6 +31,7 @@ find_modloop() {
 	IFS="$oifs"
 	for line; do
 		img=${line%%:*}
+		verify_modloop "$img" || eerror "Failed to verify signature of $img!"
 		mount "$img" -o loop,ro /.modloop || continue
 		if [ -d /.modloop/modules/$kver ]; then
 			return 0
@@ -40,6 +41,22 @@ find_modloop() {
 	return 1
 }

+verify_modloop() {
+	local modloop=$1 key=
+	for key in /etc/apk/keys/*.pub; do
+		local sig=/var/cache/misc/${modloop##*/}.SIGN.RSA.${key##*/}
+		if [ -f "$sig" ]; then
+			if ! command -v openssl > /dev/null; then
+				ewarn "Missing openssl. Modloop verification disabled!"
+				return 0
+			fi
+			einfo "Verifying modloop"
+			openssl dgst -sha1 -verify "$key" -signature "$sig" "$modloop" \
+				>/dev/null 2>&1 || return 1
+		fi
+	done
+}
+
 find_backing_file() {
 	local dir="$1"
 	local dev=$(df -P "$dir" | tail -1 | awk '{print $1}')
@@ -54,7 +71,9 @@ start() {
 	case "$KOPT_modloop" in
 		http://*|https://*|ftp://*)
 			modloop=$modloop_dldir/${KOPT_modloop##*/}
-			[ ! -f "$modloop" ] && wget -P "$modloop_dldir" "$KOPT_modloop"
+			if [ ! -f "$modloop" ]; then
+				wget -P "$modloop_dldir" "$KOPT_modloop" || eend 1
+			fi
 			;;
 		*)
 			for dir in $(mountdirs); do
@@ -69,6 +88,7 @@ start() {

 	ebegin "Mounting modloop $modloop"
 	if [ -n "$modloop" ]; then
+		verify_modloop "$modloop" || eerror "Failed to verify signature of $img!"
 		mount -o loop,ro $modloop /.modloop
 		eend $? || return 1
 	else