New feature to verify signature

Signed-off-by: Alexey Gladkov <[email protected]>

Author: legionus

features/gpg/README.md

@@ -0,0 +1,12 @@
+# Feature: gpg
+
+Feature adds GnuPG (The Universal Crypto Engine) and public keys to the image to
+verify image signatures.
+
+https://www.gnupg.org/software/index.html
+
+## Parameters
+
+- **GPG_PUBKEYS** -- List of files with public gpg keys.
+- **GPG_PROG** -- The name of the gpg utility. This may be necessary if gpg is
+  gpg-1.x and not gpg-2.x or higher.

features/gpg/config.mk

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+#$(call feature-requires,pipeline)
+
+GPG_DATADIR = $(FEATURESDIR)/gpg/data
+
+GPG_PROG ?= gpg2
+GPG_PUBKEYS ?=

features/gpg/rules.mk

@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+PUT_FEATURE_DIRS  += $(GPG_DATADIR)
+PUT_FEATURE_PROGS += $(GPG_PROG)
+
+ifeq ($(GPG_PUBKEYS),)
+$(error "GPG_PUBKEYS" must be specified)
+endif
+
+PHONY += gpg
+
+gpg: create
+	@$(VMSG) "Putting gpg keyring ..."
+	@mkdir -p -- $(ROOTDIR)/etc/initrd/gnupg
+	@$(GPG_PROG) --import --homedir "$(ROOTDIR)/etc/initrd/gnupg" $(GPG_PUBKEYS)
+	@[ -e "$(ROOTDIR)"/bin/gpg ] || ln -s -- "`type -P $(GPG_PROG)`" "$(ROOTDIR)"/bin/gpg
+
+pack: gpg

features/pipeline/data/bin/pipeline-sh-functions

@@ -131,4 +131,41 @@ pipe_failed()
 	[ "$failed" -le "${PIPE_RETRY:-}" ]
 }
 
+in_comma_list()
+{
+	local var arg list
+
+	var="$1"; shift
+
+	list=()
+	readarray -t -d, list < <(printf '%s' "$1")
+
+	for arg in "${list[@]}"; do
+		[ "$var" != "$arg" ] || return 0
+	done
+	return 1
+}
+
+pipe_gpg_verify()
+{
+	local stepname signfile datafile err
+
+	stepname="$1"; shift
+	signfile="$1"; shift
+	datafile="$1"; shift
+
+	in_comma_list "$stepname" "${PIPE_VERIFY_SIGN-}" ||
+		return 0
+
+	if [ ! -f "$signfile" ]; then
+		message "unable to verify the signature because the signature file could not be found: $signfile"
+		exit 2
+	fi
+
+	if ! err="$(gpg --verify --homedir /etc/initrd/gnupg "$signfile" "$datafile")"; then
+		printf >&2 '%s\n' "$err"
+		exit 2
+	fi
+}
+
 fi # __pipeline_sh_functions

features/pipeline/data/etc/initrd/cmdline.d/pipeline

@@ -1,5 +1,6 @@
 register_parameter string PIPELINE
 register_parameter number PIPE_RETRY
+register_parameter string PIPE_VERIFY_SIGN
 register_array string PING
 register_array string GETIMAGE
 register_array string MOUNTFS

features/pipeline/data/lib/pipeline/getimage

@@ -14,7 +14,11 @@ if [ -n "${url##file://*}" ]; then
 		sleep 3
 	done
 else
-	cp -f -- "${url#file://}" "$datadir/image"
+	target="${url#file://}"
+
+	pipe_gpg_verify "getimage" "$target.asc" "$target"
+
+	cp -f -- "$target" "$datadir/image"
 fi
 modprobe -q 'devname:loop-control' ||:
 run mount -o ro,loop "$datadir/image" "$destdir"

features/pipeline/data/lib/pipeline/mountfs

@@ -14,6 +14,8 @@ opts="$(get_parameter MOUNTFS_OPTS)"
 if [ ! -c "$target" ] && [ ! -b "$target" ]; then
 	modprobe -q 'devname:loop-control' ||:
 	opts="${opts:+$opts,}ro,loop"
+
+	pipe_gpg_verify "mountfs" "$target.asc" "$target"
 fi
 
 run mount ${opts:+-o $opts} "$target" "$destdir"