From dc20e4e98174d2940af145efa732f2dc4115f337 Mon Sep 17 00:00:00 2001
From: Thomas Bächler <thomas@archlinux.org>
Date: Sat, 13 Feb 2016 01:08:49 +0100
Subject: Add the verify=y option to verify the squashfs signature with gpg

---
 hooks/archiso | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

(limited to 'hooks/archiso')

diff --git a/hooks/archiso b/hooks/archiso
index fb76327..b78f4db 100644
--- a/hooks/archiso
+++ b/hooks/archiso
@@ -105,6 +105,15 @@ _verify_checksum() {
     return ${_status}
 }
 
+_verify_signature() {
+    local _status
+    cd "/run/archiso/bootmnt/${archisobasedir}/${arch}"
+    gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG'
+    _status=$?
+    cd "${OLDPWD}"
+    return ${_status}
+}
+
 run_hook() {
     [[ -z "${arch}" ]] && arch="$(uname -m)"
     [[ -z "${copytoram_size}" ]] && copytoram_size="75%"
@@ -159,6 +168,21 @@ archiso_mount_handler() {
         fi
     fi
 
+    if [[ "${verify}" == "y" ]]; then
+        if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sfs.sig" ]]; then
+            msg -n ":: Signature verification requested, please wait..."
+            if _verify_signature; then
+                msg "done. Signature is OK, continue booting."
+            else
+                echo "ERROR: one or more files are corrupted"
+                launch_interactive_shell
+            fi
+        else
+            echo "ERROR: verify=y option specified but ${archisobasedir}/${arch}/airootfs.sfs.sig not found"
+            launch_interactive_shell
+        fi
+    fi
+
     if [[ "${copytoram}" == "y" ]]; then
         msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}"
         mkdir -p /run/archiso/copytoram
-- 
cgit v1.2.3-70-g09d2