diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh
index 15c8330ffe..1eec12f5a6 100755
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/revbump.sh
@@ -4,12 +4,2638 @@ set -e
+print_keys() {
+ # Signing keys for Linux kernel releases.
+ cat < "
- echo "Example: $0 4.9.9-r2 ~/coreos/linux"
+ echo "Example: $0 4.9.9-r2 ~/linux"
 exit 2
 fi
@@ -32,6 +2658,12 @@ if [[ ! -f $(echo "${srcdir}"/0001*.patch) ]]; then
 echo "${srcdir} contains no patch files."
 exit 1
 fi
+for prog in ebuild gpg2 sha256sum wget xz; do
+ if ! type -P $prog >/dev/null; then
+ echo "Couldn't find $prog program."
+ exit 1
+ fi
+done
 old_kernrelease=$(echo "${old_ebuild}" | cut -f3 -d- | cut -f1-2 -d.)
 new_kernrelease=$(echo "${new_pvr}" | cut -f1 -d- | cut -f1-2 -d.)
@@ -51,3 +2683,21 @@ popd >/dev/null
 echo '"' >> "${new_ebuild}"
 rm "${old_ebuild}"
+
+ebuild "${new_ebuild}" manifest
+# Download the files ourselves, check signatures, and verify that the hashes
+# match the manifest
+gpghome=$(mktemp -d gnupghome-XXXXXX)
+export GNUPGHOME="${gpghome}"
+trap "rm -r $gpghome" EXIT
+print_keys | gpg2 -q --import
+# Assumes SHA-256 hash is in a fixed field
+awk '{print $2, $5}' Manifest | while read filename sha256; do
+ echo "Checking $(unknown)..."
+ signame="${filename%.xz}.sign"
+ wget -q "https://cdn.kernel.org/pub/linux/kernel/v4.x/$filename"
+ wget -q "https://cdn.kernel.org/pub/linux/kernel/v4.x/$signame"
+ sha256sum --quiet --strict -c - <<<"$sha256 $filename"
+ xz -dc "$filename" | gpg2 --verify --trust-model always "$signame" -
+ rm "$filename" "$signame"
+done
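Review bot: The Manifest parse in the final hunk (`awk '{print $2, $5}' Manifest`) takes the digest by column position and passes every line, so a non-DIST entry (ebuild or metadata lines, if the manifest is not thin) would be fetched from kernel.org, and a changed hash layout would hand `sha256sum -c` a digest of another algorithm; `--strict` makes the latter fail closed, but with a format error rather than a clear message. Checking the label keeps the check tied to the algorithm being verified, e.g. `awk '$1 == "DIST" {print $2, $4, $5}' Manifest | while read -r filename algo sha256; do` followed by `[[ $algo == SHA256 ]] || { echo "No SHA256 for $filename in Manifest" >&2; exit 1; }` — the `exit 1` in the loop subshell fails the pipeline, which the script's `set -e` then honours, and `read -r` stops backslashes in names from being interpreted. `echo "Checking $(unknown)..."` on the next line runs a command named `unknown` instead of printing the file name; presumably `$filename` was intended, unless this is an artifact of how the page was captured. The fetch URL hardcodes `v4.x`, so a 5.x bump would fail at `wget`; `v${new_kernrelease%%.*}.x` would derive it from the release computed in the second hunk, assuming that variable holds `major.minor` as its `cut -f1-2 -d.` suggests.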