aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@libreoffice.org>2016-10-19 02:25:42 +0200
committerGuilhem Moulin <guilhem@libreoffice.org>2016-10-19 02:25:42 +0200
commit740fab39e4c3379a358fa9e56d36c6e2305863a1 (patch)
treeec5c8cb7bb78a8f135bd3750236c3819023dd391
parent9a520f20f7b6f9e6ad0ad97f1fcd0531e1e7c19e (diff)
Add script to download a Debian ISO image and verify its integrity.
-rwxr-xr-xdownload-iso81
-rw-r--r--signing-key.gpgbin0 -> 2225 bytes
2 files changed, 81 insertions, 0 deletions
diff --git a/download-iso b/download-iso
new file mode 100755
index 0000000..e22b42e
--- /dev/null
+++ b/download-iso
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+set -ue
+
+ARCH=$(dpkg-architecture -qDEB_TARGET_ARCH)
+DIST="./dist"
+RSYNC_HOST="ftp.de.debian.org"
+unset DEBIAN_VERSION
+
+HELP_MESSAGE="$(cat <<-EOF
+ Download Debian stable's netinst ISO image and verify its integrity
+ Usage $0 [OPTIONS]
+ --arch=ARCH target architecture (default: "$ARCH")
+ --dist-dir=DIR build directory (default: "$DIST")
+ --rsync-host=HOSTNAME remote rsync(1) hostname (default: "$RSYNC_HOST")
+ --debian-version=VERSION Debian version to install (default: current stable)
+ --help, -? this help
+EOF
+)"
+
+[ $(id -u) -ne 0 ] || echo "WARN: unecessary privileged network access" >&2
+
+usage() {
+ [ ${1+x} ] && echo "Unknown option '$1'" >&2
+ echo "Usage: $0 [OPTIONS] OUTPUT" >&2
+ echo " $0 --help" >&2
+ exit 1
+}
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --arch) ARCH="$2"; shift;;
+ --arch=*) ARCH="${1#--arch=}";;
+ --dist-dir) DIST="$2"; shift;;
+ --dist-dir=*) DIST="${1#--dist-dir=}";;
+ --rsync-host) RSYNC_HOST="$2"; shift;;
+ --rsync-host=*) RSYNC_HOST="${1#--rsync-host=}";;
+ --debian-version) DEBIAN_VERSION="$2"; shift;;
+ --debian-version=*) DEBIAN_VERSION="${1#--debian-version=}";;
+ --help|-\?) printf '%s\n' "$HELP_MESSAGE"; exit;;
+ -*) usage "$1";;
+ *) break;;
+ esac
+ shift
+done
+[ $# -eq 0 ] || usage
+
+# Get current Debian stable version (incl. point release)
+RSYNC="rsync --no-motd --info=NAME --inplace"
+[ ${DEBIAN_VERSION+x} ] || DEBIAN_VERSION="$(
+ dir="$(mktemp --tmpdir --directory)"
+ rsync -lq "$RSYNC_HOST::debian-cd/current" "$dir"
+ readlink "$dir/current"
+ rm -f "$dir/current"
+ rmdir "$dir"
+)"
+ISO_FILENAME="debian-$DEBIAN_VERSION-$ARCH-netinst.iso"
+
+
+#######################################################################
+# Download netinst ISO image and verify its integrity
+#
+mkdir -pv "$DIST"
+$RSYNC -t --files-from=- "$RSYNC_HOST::debian-cd/$DEBIAN_VERSION/$ARCH/iso-cd/" "$DIST" <<-EOF
+ /$ISO_FILENAME
+ /SHA512SUMS
+ /SHA512SUMS.sign
+EOF
+
+echo "Verifying integrity (OpenPGP signature on SHA-512 manifest)..." >&2
+gpgv --keyring './signing-key.gpg' "$DIST/SHA512SUMS.sign" "$DIST/SHA512SUMS"
+
+echo -n "Verifying integrity (SHA-512 checksum)... " >&2
+if ( cd "$DIST" && sha512sum -c SHA512SUMS 2>/dev/null ) | grep -Fxq "$ISO_FILENAME: OK" ; then
+ echo OK >&2
+else
+ echo 'Failed!' >&2
+ exit 1
+fi
+
+echo "$DIST/$ISO_FILENAME"
diff --git a/signing-key.gpg b/signing-key.gpg
new file mode 100644
index 0000000..1a0797d
--- /dev/null
+++ b/signing-key.gpg
Binary files differ