From 0d3371feae2d3d3f55c7c1d14481bb08eda7a20f Mon Sep 17 00:00:00 2001
From: gdm85
Date: Wed, 30 Mar 2016 19:32:48 +0200
Subject: [PATCH] Fixed use of HTTP over HTTPS for anonscm.debian.org

Verify downloaded GPG public over HTTP

Added FIXMEs for remaining unsecure downloads over HTTP
---
 bootstrap-salt.sh | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/bootstrap-salt.sh b/bootstrap-salt.sh
index d2c1e12..0aa4444 100755
--- a/bootstrap-salt.sh
+++ b/bootstrap-salt.sh
@@ -629,6 +629,28 @@ __fetch_url() {
 ftp -o "$1" "$2" >/dev/null 2>&1 # OpenBSD
 }
 
+#--- FUNCTION -------------------------------------------------------------------------------------------------------
+# NAME: __fetch_verify
+# DESCRIPTION: Retrieves a URL, verifies its content and writes it to standard output
+#----------------------------------------------------------------------------------------------------------------------
+__fetch_verify() {
+ local tmpf url sum size
+ url="$1"
+ sum="$2"
+ size="$3"
+ tmpf=$(mktemp) && \
+ __fetch_url "$tmpf" "$url" && \
+ test $(stat --format=%s "$tmpf") -eq "$size" && \
+ test $(md5sum "$tmpf" | awk '{ print $1 }') = "$sum" && \
+ cat "$tmpf" && \
+ rm -f "$tmpf"
+ if [ $? -eq 0 ]; then
+ return 0
+ fi
+ echo "Failed verification of $url"
+ return 1
+}
 
 #--- FUNCTION -------------------------------------------------------------------------------------------------------
 # NAME: __gather_hardware_info
@@ -1172,6 +1194,7 @@ __debian_derivatives_translation() {
 __set_suse_pkg_repo() {
 suse_pkg_url_path="${DISTRO_REPO}/systemsmanagement:saltstack.repo"
 if [ "$_DOWNSTREAM_PKG_REPO" -eq $BS_TRUE ]; then
+ # FIXME: cleartext download over unsecure protocol (HTTP)
 suse_pkg_url_base="http://download.opensuse.org/repositories/systemsmanagement:saltstack"
 else
 suse_pkg_url_base="https://repo.saltstack.com/opensuse"
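Review bot: `__fetch_verify` leaks its temporary file and hides its own diagnostic: when `__fetch_url` or either `test` in the `&&` chain fails, the trailing `rm -f "$tmpf"` is never reached, and the "Failed verification" message is written to stdout, which at both call sites in this patch is piped into `apt-key add -`, so the text is fed to apt-key rather than shown to the operator. Taking `rm -f` out of the chain and sending the message to stderr (or the script's `echowarn`/`echoerror` helpers) fixes both; quoting the `$(stat …)` and `$(md5sum …)` substitutions avoids a malformed `test` when a command produces no output. `stat --format=%s` and `md5sum` are GNU coreutils spellings, and the helper sits beside an OpenBSD `ftp` branch of `__fetch_url`, so it will fail if it is ever reused outside the Debian installers. Consider `sha256sum` rather than MD5 for pinning a signing key that still travels over cleartext HTTP; the two digests pinned at the call sites would then have to be regenerated.
```sh
__fetch_verify() {
    local tmpf url sum size rv
    url="$1"
    sum="$2"
    size="$3"

    tmpf=$(mktemp) || return 1
    rv=1
    if __fetch_url "$tmpf" "$url" && \
       [ "$(stat --format=%s "$tmpf")" -eq "$size" ] && \
       [ "$(md5sum "$tmpf" | awk '{ print $1 }')" = "$sum" ]; then
        cat "$tmpf" && rv=0
    fi
    rm -f "$tmpf"   # always remove the temp file, verified or not
    if [ $rv -ne 0 ]; then
        echo "Failed verification of $url" >&2
    fi
    return $rv
}
```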
@@ -2383,7 +2406,7 @@ install_debian_6_deps() {
 fi
 
 # shellcheck disable=SC2086
- wget $_WGET_ARGS -q http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key -O - | apt-key add - || return 1
+ __fetch_verify http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key 267d1f152d0cc94b23eb4c6993ba3d67 3100 | apt-key add - || return 1
 
 if [ "$_PIP_ALLOWED" -eq $BS_TRUE ]; then
 echowarn "PyZMQ will be installed from PyPI in order to compile it against ZMQ3"
@@ -2505,7 +2528,7 @@ install_debian_7_deps() {
 fi
 
 # shellcheck disable=SC2086
- wget $_WGET_ARGS -q http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key -O - | apt-key add - || return 1
+ __fetch_verify http://debian.saltstack.com/debian-salt-team-joehealy.gpg.key 267d1f152d0cc94b23eb4c6993ba3d67 3100 | apt-key add - || return 1
 
 apt-get update || return 1
 __apt_get_install_noinput -t wheezy-backports libzmq3 libzmq3-dev python-zmq python-apt || return 1
@@ -2823,7 +2846,7 @@ install_debian_git_post() {
 if [ -f "${_SALT_GIT_CHECKOUT_DIR}/debian/salt-$fname.init" ]; then
 __copyfile "${_SALT_GIT_CHECKOUT_DIR}/debian/salt-$fname.init" "/etc/init.d/salt-$fname"
 else
- __fetch_url "/etc/init.d/salt-$fname" "http://anonscm.debian.org/cgit/pkg-salt/salt.git/plain/debian/salt-${fname}.init"
+ __fetch_url "/etc/init.d/salt-$fname" "https://anonscm.debian.org/cgit/pkg-salt/salt.git/plain/debian/salt-${fname}.init"
 fi
 if [ ! -f "/etc/init.d/salt-$fname" ]; then
 echowarn "The init script for salt-$fname was not found, skipping it..."
@@ -4446,6 +4469,7 @@ install_freebsd_restart_daemons() {
 #
 __choose_openbsd_mirror() {
+ # FIXME: cleartext download over unsecure protocol (HTTP)
 MIRRORS_LIST_URL=http://www.openbsd.org/ftp.html
 MIRROR_LIST_FILE=/tmp/openbsd-mirrors.html
 OPENBSD_REPO=''
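Review bot: On the new `__fetch_verify … | apt-key add - || return 1` line here, and on the identical line in the `install_debian_7_deps` hunk, the `|| return 1` tests the exit status of `apt-key`, not of `__fetch_verify`, unless `pipefail` is enabled somewhere outside this patch (not visible here, and not available in every `/bin/sh`). When verification fails the helper writes nothing to stdout, so `apt-key add -` reads empty input and its own status decides whether the installer aborts, which defeats the purpose of the size and digest check. Writing the verified key to a `mktemp` file first and then running `apt-key add "$keyfile" || return 1` keeps the verification result authoritative and also lets the helper's failure message reach the terminal instead of apt-key's stdin. The enclosing installer functions begin and end outside these hunks.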
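Review bot: Moving the init-script URL to HTTPS on the `__fetch_url "/etc/init.d/salt-$fname" …` line only helps if `__fetch_url` validates the server certificate; its curl/wget branches lie outside this hunk, so it is worth confirming none of them passes `-k`/`--insecure`/`--no-check-certificate`, otherwise the scheme change buys little. Unlike the GPG key handled earlier in this patch, the file written straight into `/etc/init.d/salt-$fname` gets no size or digest check; a one-line comment stating why no digest is pinned here (presumably because the file tracks upstream git and changes over time) would make the trade-off explicit for the next reader. The enclosing `install_debian_git_post` loop begins and ends outside the hunk.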