From 103d9b212a24dac01d254a60dcaa228203f745a6 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Wed, 10 Aug 2016 09:39:24 +0200 Subject: [PATCH 1/2] Enforce the correct OpenPGP pubkey for verification Closes: https://github.com/nextcloud/vm/issues/11 Follows good example from: https://github.com/nextcloud/docker/blob/master/Dockerfile Related to: https://github.com/nextcloud/server/issues/755 --- nextcloud_install_production.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/nextcloud_install_production.sh b/nextcloud_install_production.sh index fae033b8..54eb0dbe 100644 --- a/nextcloud_install_production.sh +++ b/nextcloud_install_production.sh @@ -39,7 +39,7 @@ ADDRESS=$(hostname -I | cut -d ' ' -f 1) GITHUB_REPO="https://raw.githubusercontent.com/nextcloud/vm/master" STATIC="https://raw.githubusercontent.com/nextcloud/vm/master/static" NCREPO="https://download.nextcloud.com/server/releases/" -GPGKEY="https://nextcloud.com/nextcloud.asc" +OpenPGP_fingerprint='28806A878AE423A28372792ED75899B9A724937A' # Commands CLEARBOOT=$(dpkg -l linux-* | awk '/^ii/{ print $2}' | grep -v -e `uname -r | cut -f1,2 -d"-"` | grep -e [0-9] | xargs sudo apt-get -y purge) # Linux user, and Nextcloud user @@ -273,10 +273,9 @@ apt-get install unzip -y wget -q $NCREPO/$STABLEVERSION.zip -P $HTML mkdir -p $GPGDIR wget -q $NCREPO/$STABLEVERSION.zip.asc -P $GPGDIR -wget -q $GPGKEY -P $GPGDIR chmod -R 600 $GPGDIR -gpg --homedir $GPGDIR --import $GPGDIR/nextcloud.asc -gpg --homedir $GPGDIR --verify $GPGDIR/$STABLEVERSION.zip.asc $HTML/$STABLEVERSION.zip +gpg --homedir $GPGDIR --keyserver ha.pool.sks-keyservers.net --recv-keys "$OpenPGP_fingerprint" +gpg --homedir $GPGDIR --verify $GPGDIR/$STABLEVERSION.zip.asc $HTML/$STABLEVERSION.zip if [[ $? > 0 ]] then echo "Package NOT OK! Installation is aborted..." From 78c1f3f1374b6e8f9fc180016e1450afab52f2d8 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Wed, 10 Aug 2016 09:42:11 +0200 Subject: [PATCH 2/2] Import the NextCloud pubkey into the keyring of root for later use People might download tarballs from their VMs later on and might want to verify them with the already bootstrapped trust chain! So why not just include it? --- nextcloud_install_production.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nextcloud_install_production.sh b/nextcloud_install_production.sh index 54eb0dbe..808f9143 100644 --- a/nextcloud_install_production.sh +++ b/nextcloud_install_production.sh @@ -274,8 +274,8 @@ wget -q $NCREPO/$STABLEVERSION.zip -P $HTML mkdir -p $GPGDIR wget -q $NCREPO/$STABLEVERSION.zip.asc -P $GPGDIR chmod -R 600 $GPGDIR -gpg --homedir $GPGDIR --keyserver ha.pool.sks-keyservers.net --recv-keys "$OpenPGP_fingerprint" -gpg --homedir $GPGDIR --verify $GPGDIR/$STABLEVERSION.zip.asc $HTML/$STABLEVERSION.zip +gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$OpenPGP_fingerprint" +gpg --verify $GPGDIR/$STABLEVERSION.zip.asc $HTML/$STABLEVERSION.zip if [[ $? > 0 ]] then echo "Package NOT OK! Installation is aborted..."