Merge pull request #966 from chaosoffire-org/fix-3

Fix GPG verification for CentOS, Gentoo, Rocky Linux, and VoidLinux

Author: stgraber

sources/centos-http.go

@@ -102,7 +102,7 @@ func (s *centOS) Run() error {
 		}
 
 		// Only verify file if possible.
-		if strings.HasSuffix(checksumFile, ".asc") || checksumFile == "SHA256SUM" || checksumFile == "CHECKSUM" {
+		if strings.HasSuffix(checksumFile, ".asc") {
 			valid, err := s.VerifyFile(filepath.Join(fpath, checksumFile), "")
 			if err != nil {
 				return fmt.Errorf("Failed to verify %q: %w", checksumFile, err)

sources/gentoo.go

@@ -76,20 +76,20 @@ func (s *gentoo) Run() error {
 	}
 
 	if !s.definition.Source.SkipVerification {
-		_, err = s.DownloadHash(s.definition.Image, tarball+".DIGESTS.asc", "", nil)
+		_, err = s.DownloadHash(s.definition.Image, tarball+".DIGESTS", "", nil)
 		if err != nil {
-			return fmt.Errorf("Failed to download %q: %w", tarball+".DIGESTS.asc", err)
+			return fmt.Errorf("Failed to download %q: %w", tarball+".DIGESTS", err)
 		}
 
 		valid, err := s.VerifyFile(
-			filepath.Join(fpath, fname+".DIGESTS.asc"),
+			filepath.Join(fpath, fname+".DIGESTS"),
 			"")
 		if err != nil {
-			return fmt.Errorf("Failed to verify %q: %w", filepath.Join(fpath, fname+".DIGESTS.asc"), err)
+			return fmt.Errorf("Failed to verify %q: %w", filepath.Join(fpath, fname+".DIGESTS"), err)
 		}
 
 		if !valid {
-			return fmt.Errorf("Failed to verify %q", fname+".DIGESTS.asc")
+			return fmt.Errorf("Failed to verify %q", fname+".DIGESTS")
 		}
 	}
 

sources/rocky-http.go

@@ -50,20 +50,38 @@ func (s *rockylinux) Run() error {
 
 	checksumFile := ""
 	if !s.definition.Source.SkipVerification {
-		checksumFile = "CHECKSUM"
-
-		fpath, err := s.DownloadHash(s.definition.Image, baseURL+checksumFile, "", nil)
-		if err != nil {
-			return fmt.Errorf("Failed to download %q: %w", baseURL+checksumFile, err)
-		}
+		// Rocky Linux 8 and 9 do not provide any GPG signature for the CHECKSUM file.
+		// Rocky Linux 10 provides a detached signature.
+		majorVersion := strings.Split(s.definition.Image.Release, ".")[0]
 
-		valid, err := s.VerifyFile(filepath.Join(fpath, checksumFile), "")
-		if err != nil {
-			return fmt.Errorf("Failed to verify %q: %w", checksumFile, err)
-		}
+		checksumFile = "CHECKSUM"
 
-		if !valid {
-			return fmt.Errorf("Invalid signature for %q", checksumFile)
+		switch majorVersion {
+		case "8", "9":
+			fpath, err = s.DownloadHash(s.definition.Image, baseURL+checksumFile, "", nil)
+			if err != nil {
+				return fmt.Errorf("Failed to download %q: %w", baseURL+checksumFile, err)
+			}
+
+		default:
+			fpath, err = s.DownloadHash(s.definition.Image, baseURL+checksumFile+".asc", "", nil)
+			if err != nil {
+				return fmt.Errorf("Failed to download %q: %w", baseURL+checksumFile+".asc", err)
+			}
+
+			_, err = s.DownloadHash(s.definition.Image, baseURL+checksumFile, "", nil)
+			if err != nil {
+				return fmt.Errorf("Failed to download %q: %w", baseURL+checksumFile, err)
+			}
+
+			valid, err := s.VerifyFile(filepath.Join(fpath, checksumFile), filepath.Join(fpath, checksumFile+".asc"))
+			if err != nil {
+				return fmt.Errorf("Failed to verify %q: %w", checksumFile, err)
+			}
+
+			if !valid {
+				return fmt.Errorf("Invalid signature for %q", checksumFile)
+			}
 		}
 	}
 

sources/voidlinux-http.go

@@ -39,13 +39,11 @@ func (s *voidlinux) Run() error {
 		return fmt.Errorf("Failed to parse URL %q: %w", tarball, err)
 	}
 
-	skip, err := s.validateGPGRequirements(url)
-	if err != nil {
-		return fmt.Errorf("Failed to validate GPG requirements: %w", err)
+	if !s.definition.Source.SkipVerification && url.Scheme != "https" &&
+		len(s.definition.Source.Keys) == 0 {
+		return errors.New("GPG keys are required if downloading from HTTP")
 	}
 
-	s.definition.Source.SkipVerification = skip
-
 	var fpath string
 
 	if s.definition.Source.SkipVerification {
@@ -58,7 +56,8 @@ func (s *voidlinux) Run() error {
 		return fmt.Errorf("Failed to download %q: %w", tarball, err)
 	}
 
-	if !s.definition.Source.SkipVerification {
+	// Force gpg checks when using http
+	if !s.definition.Source.SkipVerification && url.Scheme != "https" {
 		_, err = s.DownloadHash(s.definition.Image, digests, "", nil)
 		if err != nil {
 			return fmt.Errorf("Failed to download %q: %w", digests, err)