Verify image checksum

OpenNebula · Oct 25, 2023 · 8382177 · 8382177
1 parent 156fd53
commit 8382177
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 25 deletions.
diff --git a/Makefile b/Makefile
@@ -23,18 +23,37 @@ all-%: download-% installer-% customize-%
 
 #------------------------------------------------------------------------------
 # Download
-#  - download to build/01_base/$DISTRO
-#  - no file suffix, could be iso, qcow2 whatever
-#  - TODO: add chesksum verfication somehow
+#  - validate target is in $DISTRO list + SHA256|512_$DISTRO is defined
+#  - download to build/01_base/$DISTRO use .img suffix (coudld be iso, qcow2)
+#  - verify sha256/sha512 checksum
 #------------------------------------------------------------------------------
 download: $(patsubst %, download-%, $(DISTROS))
 
-download-%: ${DIR_BASE}/%.img
+download-%: validate-% ${DIR_BASE}/%.img
 	@${INFO} "Download ${*} done"
 
-${DIR_BASE}/%.img: validate-%
+validate-%:
+	@if [[ ! "$(DISTROS)" == *"${*}"* ]]; then \
+		${ERROR} "Unknown distro ${*}"; \
+	fi
+	@if [[ -z "${SHA256_${*}}" ]] && [[ -z "${SHA512_${*}}"  ]]; then \
+		${ERROR} "Undefined checksum for ${*}, add SHA256_${*} or SHA512_${*} var to Makefile.distros"; \
+	fi
+
+${DIR_BASE}/%.img:
 	@${INFO} "Starting $* download"
 	curl -sS -L -f -o "$@" "${URL_${*}}"
+	@if [[ -n "${SHA256_${*}}" ]]; then \
+		echo "${SHA256_${*}}  ${DIR_BASE}/$*.img" > ${DIR_BASE}/$*.img.sha256; \
+		if ! sha256sum -c ${DIR_BASE}/$*.img.sha256; then \
+	        ${ERROR} "${*} sha256ssum WRONG, delete ${DIR_BASE}/$*.img or update the checksum"; \
+		fi \
+	elif [[ -n "${SHA512_${*}}" ]]; then \
+		echo "${SHA512_${*}}  ${DIR_BASE}/$*.img" > ${DIR_BASE}/$*.img.sha512; \
+		if ! sha512sum -c ${DIR_BASE}/$*.img.sha512; then \
+	        ${ERROR} "${*} sha512sum WRONG, delete ${DIR_BASE}/$*.img or update the checksum"; \
+		fi \
+	fi
 
 #------------------------------------------------------------------------------
 # Install (optional)
@@ -89,15 +108,6 @@ context-linux: $(patsubst %, context-linux/out/%, $(LINUX_CONTEXT_PACKAGES))
 context-linux/out/%:
 	cd context-linux; ./generate-all.sh
 
-#------------------------------------------------------------------------------
-# validate before download
-#------------------------------------------------------------------------------
-validate-%:
-	@if [[ ! "$(DISTROS)" == *"${*}"* ]]; then \
-		echo "[ERROR] Unknown distro ${*}"; \
-		exit 1; \
-	fi
-
 #------------------------------------------------------------------------------
 # help
 #------------------------------------------------------------------------------

diff --git a/Makefile.config b/Makefile.config
@@ -18,11 +18,7 @@ DIR_EXPORT    ?= $(DIR_BUILD)/03_export
 DIR_PACKER    ?= $(DIR_BUILD)/_packer
 
 # create them if not present
-$(shell \
-	mkdir -p ${DIR_BASE} \
-	mkdir -p ${DIR_INSTALL} \
-	mkdir -p ${DIR_EXPORT} \
-)
+$(shell mkdir -p ${DIR_BASE} ${DIR_INSTALL})
 
 # # don't delete downloaded or installed images
 .SECONDARY: $(patsubst %, $(DIR_BASE)/%.img, $(DISTROS))
@@ -59,6 +55,7 @@ QEMU_BINARY ?= $(shell \
 
 # logging func
 INFO=sh -c 'if [ $(VERBOSE) = 1 ]; then  echo [INFO] $$1; fi' INFO
+ERROR=sh -c 'echo [ERROR] $$1; exit 1;' ERROR
 
 # export all variables
 export

diff --git a/Makefile.distros b/Makefile.distros
@@ -17,7 +17,7 @@ URL_alpine316     := https://dl-cdn.alpinelinux.org/alpine/v3.16/releases/x86_64
 URL_alpine317     := https://dl-cdn.alpinelinux.org/alpine/v3.17/releases/x86_64/alpine-virt-3.17.5-x86_64.iso
 URL_alt9          := https://mirror.yandex.ru/altlinux/p9/images/cloud/x86_64/alt-p9-cloud-x86_64.qcow2
 URL_alt10         := https://mirror.yandex.ru/altlinux/p10/images/cloud/x86_64/alt-p10-cloud-x86_64.qcow2
-URL_debian10      := https://cdimage.debian.org/cdimage/openstack/current-10/debian-10-openstack-arm64.qcow2
+URL_debian10      := https://cdimage.debian.org/cdimage/openstack/current-10/debian-10-openstack-amd64.qcow2
 URL_debian11      := https://cdimage.debian.org/cdimage/cloud/bullseye/latest/debian-11-generic-amd64.qcow2
 URL_debian12      := https://cdimage.debian.org/cdimage/cloud/bookworm/latest/debian-12-generic-amd64.qcow2
 URL_devuan3       := https://files.devuan.org/devuan_beowulf/installer-iso/devuan_beowulf_3.1.1_amd64_server.iso
@@ -29,9 +29,35 @@ URL_freebsd13     := https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-I
 URL_ol8           := https://yum.oracle.com/templates/OracleLinux/OL8/u7/x86_64/OL8U7_x86_64-kvm-b148.qcow
 URL_ol9           := https://yum.oracle.com/templates/OracleLinux/OL9/u1/x86_64/OL9U1_x86_64-kvm-b158.qcow
 URL_opensuse15    := https://download.opensuse.org/distribution/leap/15.5/appliances/openSUSE-Leap-15.5-Minimal-VM.x86_64-Cloud.qcow2
-URL_rocky         := https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-x86_64-boot.iso
-URL_rocky         := https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-x86_64-boot.iso
+URL_rocky8        := https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-x86_64-boot.iso
+URL_rocky9        := https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-x86_64-boot.iso
 URL_ubuntu2004    := https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img
 URL_ubuntu2004min := https://cloud-images.ubuntu.com/minimal/releases/focal/release/ubuntu-20.04-minimal-cloudimg-amd64.img
 URL_ubuntu2204    := https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img
 URL_ubuntu2204min := https://cloud-images.ubuntu.com/minimal/releases/jammy/release/ubuntu-22.04-minimal-cloudimg-amd64.img
+
+# SHA256
+SHA256_alma8         := cff37f240c3d62cf0930e4e1bfbcf7048e80d36e08eafd4ece7a05eb0306c902
+SHA256_alma9         := c3d2ea8fbe1e33415897a9b1351c2cdb9eb56778d11f327ed6966622c830ae09
+SHA256_alpine316     := 6b447e9b2e2ca561c01b03a7b21b6839c718ed85323d2d100ff2e10ea5191470
+SHA256_alpine317     := d3aec585da8327095edb37b4b7b5eed4623a993196edf12e74641ee5f16291f6
+SHA256_alt9          := f3837a01518003f4ecaeca4148c3a1c5904a4657f72d9b55d6e8bd0903ca270f
+SHA256_alt10         := c20730ca87b8cb026ced7dd254abce05cd0deb33f60f4dab6c17968f8bc968d5
+SHA256_debian10      := beabb9bfdb70850ef839ccaff8b79cf3fce87a6bf3aefe893fbc83c875b3d65a
+SHA512_debian11      := 78fe9e9a71fa2d63715a2e156939964b45cfaa5c91b634af1b5a06fa359dd612f027332f65319ec08d4aa204672df95a75812d7a6a016659112b931b4d94f6b6
+SHA512_debian12      := b2ddc01e8d13dabbcfde6661541aae92219be2d442653950f0e44613ddebaeb80dc7a83e0202c5509c5e72f4bd1f4edee4c83f35191f2562b3f31e20e9e87ec2
+SHA256_devuan3       := e6e3fc1bdbf626a871d8c27608129c4788623121c8ea059f60607a93c30892de
+SHA256_devuan4       := b2c0d159e9d7219422ef9e40673c3126aee118b57df79484384e7995abd2ba0f
+SHA256_fedora37      := b5b9bec91eee65489a5745f6ee620573b23337cbb1eb4501ce200b157a01f3a0
+SHA256_fedora38      := d334670401ff3d5b4129fcc662cf64f5a6e568228af59076cc449a4945318482
+SHA256_freebsd12     := 606435637b76991f96df68f561badf03266f3d5452e9f72ed9b130d96b188800
+SHA256_freebsd13     := b76ab084e339ee05f59be81354c8cb7dfadf9518e0548f88017d2759a910f17c
+SHA256_ol8           := 72cd18d63f2fee35d7c590da35a61470a77798b567c6ee87528a185ea9c546f1
+SHA256_ol9           := 9a57fa5590646454f89ad465015ae7a1b3b2856142b3f960aa6b36263ec36acd
+SHA256_opensuse15    := c596e6f78d7be8a6b3fad894ccbe9c316321288fa7d7761e0a91c20d24000b5b
+SHA256_rocky8        := 96c9d96c33ebacc8e909dcf8abf067b6bb30588c0c940a9c21bb9b83f3c99868
+SHA256_rocky9        := 11e42da96a7b336de04e60d05e54a22999c4d7f3e92c19ebf31f9c71298f5b42
+SHA256_ubuntu2004    := bfa805bde8f2d199b8e4a306a3a5823e18b1547833b90d60d8a689e7270e43ff
+SHA256_ubuntu2004min := 46cec7bfb7c45bbbecfe167032485a1eea30c7c5408e6f8f4ee9ed454c0119e7
+SHA256_ubuntu2204    := cec51cde3fde0b6c0107bc5c6a0b3a5f44d52ad99373aa9a8386f1d782c07c51
+SHA256_ubuntu2204min := 646511fab9d51933ff88cafa079dd2f2eb74564131927561b538825033ed9ded
diff --git a/Makefile.distros-nonfree b/Makefile.distros-nonfree
@@ -1,6 +1,10 @@
 #ifeq (${NONFREE}, yes)
 -include Makefile.secrets
-DISTROS    += rhel8 rhel9
-URL_rhel8  := http://storage/images/base/rhel8.qcow2
-URL_rhel9  := http://storage/images/base/rhel9.qcow2
+DISTROS       += rhel8 rhel9
+
+URL_rhel8     := http://storage/images/base/rhel8.qcow2
+URL_rhel9     := http://storage/images/base/rhel9.qcow2
+
+SHA256_rhel8  := 02cf0181020c7fa4beb45b62b66bb39940b78f6fb2a301cde2e9131aea1490fb
+SHA256_rhel9  := 53d341fdf6327ac4f12c2a84d6130fea3c9070bbc6919266dca7763820af3cac
 #endif