From 740fab39e4c3379a358fa9e56d36c6e2305863a1 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 19 Oct 2016 02:25:42 +0200
Subject: Add script to download a Debian ISO image and verify its integrity.
---
 download-iso | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 signing-key.gpg | Bin 0 -> 2225 bytes
 2 files changed, 81 insertions(+)
 create mode 100755 download-iso
 create mode 100644 signing-key.gpg
diff --git a/download-iso b/download-iso
new file mode 100755
index 0000000..e22b42e
--- /dev/null
+++ b/download-iso
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+set -ue
+
+ARCH=$(dpkg-architecture -qDEB_TARGET_ARCH)
+DIST="./dist"
+RSYNC_HOST="ftp.de.debian.org"
+unset DEBIAN_VERSION
+
+HELP_MESSAGE="$(cat <<-EOF
+ Download Debian stable's netinst ISO image and verify its integrity
+ Usage $0 [OPTIONS]
+ --arch=ARCH target architecture (default: "$ARCH")
+ --dist-dir=DIR build directory (default: "$DIST")
+ --rsync-host=HOSTNAME remote rsync(1) hostname (default: "$RSYNC_HOST")
+ --debian-version=VERSION Debian version to install (default: current stable)
+ --help, -? this help
+EOF
+)"
+
+[ $(id -u) -ne 0 ] || echo "WARN: unecessary privileged network access" >&2
+
+usage() {
+ [ ${1+x} ] && echo "Unknown option '$1'" >&2
+ echo "Usage: $0 [OPTIONS] OUTPUT" >&2
+ echo " $0 --help" >&2
+ exit 1
+}
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --arch) ARCH="$2"; shift;;
+ --arch=*) ARCH="${1#--arch=}";;
+ --dist-dir) DIST="$2"; shift;;
+ --dist-dir=*) DIST="${1#--dist-dir=}";;
+ --rsync-host) RSYNC_HOST="$2"; shift;;
+ --rsync-host=*) RSYNC_HOST="${1#--rsync-host=}";;
+ --debian-version) DEBIAN_VERSION="$2"; shift;;
+ --debian-version=*) DEBIAN_VERSION="${1#--debian-version=}";;
+ --help|-\?) printf '%s\n' "$HELP_MESSAGE"; exit;;
+ -*) usage "$1";;
+ *) break;;
+ esac
+ shift
+done
+[ $# -eq 0 ] || usage
+
+# Get current Debian stable version (incl. point release)
+RSYNC="rsync --no-motd --info=NAME --inplace"
+[ ${DEBIAN_VERSION+x} ] || DEBIAN_VERSION="$(
+ dir="$(mktemp --tmpdir --directory)"
+ rsync -lq "$RSYNC_HOST::debian-cd/current" "$dir"
+ readlink "$dir/current"
+ rm -f "$dir/current"
+ rmdir "$dir"
+)"
+ISO_FILENAME="debian-$DEBIAN_VERSION-$ARCH-netinst.iso"
+
+
+#######################################################################
+# Download netinst ISO image and verify its integrity
+#
+mkdir -pv "$DIST"
+$RSYNC -t --files-from=- "$RSYNC_HOST::debian-cd/$DEBIAN_VERSION/$ARCH/iso-cd/" "$DIST" <<-EOF
+ /$ISO_FILENAME
+ /SHA512SUMS
+ /SHA512SUMS.sign
+EOF
+
+echo "Verifying integrity (OpenPGP signature on SHA-512 manifest)..." >&2
+gpgv --keyring './signing-key.gpg' "$DIST/SHA512SUMS.sign" "$DIST/SHA512SUMS"
+
+echo -n "Verifying integrity (SHA-512 checksum)... " >&2
+if ( cd "$DIST" && sha512sum -c SHA512SUMS 2>/dev/null ) | grep -Fxq "$ISO_FILENAME: OK" ; then
+ echo OK >&2
+else
+ echo 'Failed!' >&2
+ exit 1
+fi
+
+echo "$DIST/$ISO_FILENAME"
diff --git a/signing-key.gpg b/signing-key.gpg
new file mode 100644
index 0000000..1a0797d
Binary files /dev/null and b/signing-key.gpg differ
-- 
cgit v1.2.3
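Review bot: The trust anchor for `gpgv` is resolved from the caller's working directory (`--keyring './signing-key.gpg'`), so the signature check depends on where the script is launched and will use whatever `signing-key.gpg` sits in the current directory rather than the one shipped next to the script. Resolve it relative to the script, e.g. `gpgv --keyring "$(dirname -- "$0")/signing-key.gpg" "$DIST/SHA512SUMS.sign" "$DIST/SHA512SUMS"`, and add a comment above it recording the expected fingerprint (`# signing-key.gpg: Debian CD signing key, fingerprint <EXPECTED-FINGERPRINT>`) so the binary keyring added in this commit can be audited. Separately, `DEBIAN_VERSION` is taken from `readlink` on a symlink fetched over unauthenticated rsync and is interpolated into the remote path and `ISO_FILENAME` before anything is verified; if only numeric releases are expected, a guard along the lines of `case "$DEBIAN_VERSION" in ''|*[!0-9.]*) echo "Invalid Debian version" >&2; exit 1;; esac` would reject empty or unexpected values. The signature proves the manifest is genuine but not that it is the current release, so a mirror can still serve an older signed point release; that limitation deserves a line in the header comment. Finally, because of `--inplace`, an ISO that fails the checksum stays in `$DIST` under its final name after `exit 1`, so consumers should rely on the script's exit status, not on the file's presence.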