diff options
author | Guilhem Moulin <guilhem@libreoffice.org> | 2016-10-19 02:25:42 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@libreoffice.org> | 2016-10-19 02:25:42 +0200 |
commit | 740fab39e4c3379a358fa9e56d36c6e2305863a1 (patch) | |
tree | ec5c8cb7bb78a8f135bd3750236c3819023dd391 | |
parent | 9a520f20f7b6f9e6ad0ad97f1fcd0531e1e7c19e (diff) |
Add script to download a Debian ISO image and verify its integrity.
-rwxr-xr-x | download-iso | 81 | ||||
-rw-r--r-- | signing-key.gpg | bin | 0 -> 2225 bytes |
2 files changed, 81 insertions, 0 deletions
diff --git a/download-iso b/download-iso new file mode 100755 index 0000000..e22b42e --- /dev/null +++ b/download-iso @@ -0,0 +1,81 @@ +#!/bin/sh + +set -ue + +ARCH=$(dpkg-architecture -qDEB_TARGET_ARCH) +DIST="./dist" +RSYNC_HOST="ftp.de.debian.org" +unset DEBIAN_VERSION + +HELP_MESSAGE="$(cat <<-EOF + Download Debian stable's netinst ISO image and verify its integrity + Usage $0 [OPTIONS] + --arch=ARCH target architecture (default: "$ARCH") + --dist-dir=DIR build directory (default: "$DIST") + --rsync-host=HOSTNAME remote rsync(1) hostname (default: "$RSYNC_HOST") + --debian-version=VERSION Debian version to install (default: current stable) + --help, -? this help +EOF +)" + +[ $(id -u) -ne 0 ] || echo "WARN: unecessary privileged network access" >&2 + +usage() { + [ ${1+x} ] && echo "Unknown option '$1'" >&2 + echo "Usage: $0 [OPTIONS] OUTPUT" >&2 + echo " $0 --help" >&2 + exit 1 +} + +while [ $# -gt 0 ]; do + case "$1" in + --arch) ARCH="$2"; shift;; + --arch=*) ARCH="${1#--arch=}";; + --dist-dir) DIST="$2"; shift;; + --dist-dir=*) DIST="${1#--dist-dir=}";; + --rsync-host) RSYNC_HOST="$2"; shift;; + --rsync-host=*) RSYNC_HOST="${1#--rsync-host=}";; + --debian-version) DEBIAN_VERSION="$2"; shift;; + --debian-version=*) DEBIAN_VERSION="${1#--debian-version=}";; + --help|-\?) printf '%s\n' "$HELP_MESSAGE"; exit;; + -*) usage "$1";; + *) break;; + esac + shift +done +[ $# -eq 0 ] || usage + +# Get current Debian stable version (incl. point release) +RSYNC="rsync --no-motd --info=NAME --inplace" +[ ${DEBIAN_VERSION+x} ] || DEBIAN_VERSION="$( + dir="$(mktemp --tmpdir --directory)" + rsync -lq "$RSYNC_HOST::debian-cd/current" "$dir" + readlink "$dir/current" + rm -f "$dir/current" + rmdir "$dir" +)" +ISO_FILENAME="debian-$DEBIAN_VERSION-$ARCH-netinst.iso" + + +####################################################################### +# Download netinst ISO image and verify its integrity +# +mkdir -pv "$DIST" +$RSYNC -t --files-from=- "$RSYNC_HOST::debian-cd/$DEBIAN_VERSION/$ARCH/iso-cd/" "$DIST" <<-EOF + /$ISO_FILENAME + /SHA512SUMS + /SHA512SUMS.sign +EOF + +echo "Verifying integrity (OpenPGP signature on SHA-512 manifest)..." >&2 +gpgv --keyring './signing-key.gpg' "$DIST/SHA512SUMS.sign" "$DIST/SHA512SUMS" + +echo -n "Verifying integrity (SHA-512 checksum)... " >&2 +if ( cd "$DIST" && sha512sum -c SHA512SUMS 2>/dev/null ) | grep -Fxq "$ISO_FILENAME: OK" ; then + echo OK >&2 +else + echo 'Failed!' >&2 + exit 1 +fi + +echo "$DIST/$ISO_FILENAME" diff --git a/signing-key.gpg b/signing-key.gpg Binary files differnew file mode 100644 index 0000000..1a0797d --- /dev/null +++ b/signing-key.gpg |