fix integrity checks

Kicksecure · Jul 25, 2023 · 03cc6a6 · 03cc6a6
1 parent af2fc8d
commit 03cc6a6
Showing 1 changed file with 28 additions and 8 deletions.
diff --git a/usr/bin/installer-dist b/usr/bin/installer-dist
@@ -2371,19 +2371,36 @@ check_signature(){
   log info "Verifying file: '${signify_checksum_file}'"
   signify_pub_file="${log_dir_cur}/${signify_signer}.pub"
   echo "${signify_key}" | tee "${signify_pub_file}" >/dev/null
-  signify -V -p "${signify_pub_file}" \
-    -m "${signify_checksum_file}" | log info "Signify output: $(cat)" \
-    || return 1
+
+  signify -V -p "${signify_pub_file}" -m "${signify_checksum_file}"
+
+  ## | log info "Signify output: $(cat)" \
+  ## || return 1
+
   log info "Signify Signature Verification: 'success'"
 }
 
 
 ## Check hash sum.
 check_hash(){
   log info "Checking SHA512 checksum: '${directory_prefix}/${guest_file}.${guest_file_ext}'"
-  ${checkhash} "${directory_prefix}/${guest_file}.sha512sums" \
-    | log info "Checksum output: $(cat)" \
-    || return 1
+
+  ## TODO: 'cd' or 'pushd' / 'popd'?
+  ## 'cd' is required by sha512sum to look for the file inside the same folder.
+  cd "${directory_prefix}"
+
+  ## TODO: unit test with broken sha512sums file.
+  #echo "" > "${directory_prefix}/${guest_file}.sha512sums"
+  #
+  #touch "/tmp/empty"
+  #${checkhash} --check --strict --warn /tmp/empty
+
+  ${checkhash} --check --strict --warn "${directory_prefix}/${guest_file}.sha512sums"
+
+  ## TODO: Does not work. Fails to detect non-zero exit code.
+  ## | log info "Checksum output: $(cat)" \
+  ## || return 1
+
   log info "SHA512 Hash Verification: 'success'"
 }
 
@@ -2395,8 +2412,11 @@ check_integrity(){
     return 0
   fi
   log notice "Performing integrity checks."
-  check_signature || die 104 "${underline}Signify Signature Verification:${nounderline} Failed to verify signature."
-  check_hash || die 104 "${underline}SHA512 Hash Verification:${nounderline} Failed hash checking."
+
+  ## TODO: The '|| die' might break aborting with error if the verification tool failed to verify (non-zero exit code).
+  check_signature #|| die 104 "${underline}Signify Signature Verification:${nounderline} Failed to verify signature."
+  check_hash #|| die 104 "${underline}SHA512 Hash Verification:${nounderline} Failed hash checking."
+
   log notice "Integrity Check Result: 'success'"
 }