
It would be handy if sha1 would be checked for downloaded geoip db
Open, Wishlist | Public | FEATURE REQUEST

Description

Currently the geoip db is downloaded during creation of ISO by:

https://github.com/vyos/vyos-build/blob/current/data/live-build-config/hooks/live/40-init-geoip-database.chroot

It can also be updated after install by issuing the command:

update geoip

It would have been handy if both the 40-init-geoip-database.chroot and the script being run for "update geoip" could do a sha1sum verification of downloaded (and extracted) content. Perhaps when the file is downloaded it also creates a .sha1 and .sha1_expected in the same directory?

Like download to /tmp and if successful verification move it to the actual location of /usr/share/vyos-geoip/dbip-country-lite.csv.gz.

Note that the checksum available at db-ip.com is for the extracted file and not the compressed file.

The current checksum is currently available at:

https://db-ip.com/db/download/ip-to-country-lite

It can be debated what should happen if that fails.

Like for creation of ISO if that should be a hard stop (error and stop the whole process) or a soft stop (warning and continue with creating the ISO) where the latter could just create an additional file such as:

/usr/share/vyos-geoip/dbip-country-lite.csv.gz.WRONG_CHEKSUM

to contain for example:

date and time:
source url:
checksum url:
expected sha1:
actual sha1:

along with a log entry that the checksum was incorrect but it's moving on (same if you run update geoip in CLI where the warning also should be printed to the console).

Having the checksum from time of creation stored both as .sha1 and .sha1_expected will make it possible to verify the file later on (like if you suspect something went bad with the storage).

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)
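
A sketch of the verify-then-move flow requested above, as an added example and not VyOS code: the function names, the `hard_fail` switch and the timestamp format are hypothetical, and the download itself is left out. It assumes that on a mismatch the unverified file is never moved into place, whether the stop is hard or soft.

```python
import gzip, hashlib, os, shutil, sys, time, zlib

MARKER_SUFFIX = ".WRONG_CHEKSUM"  # suffix spelled as in the request above

def sha1_of_extracted(gz_path):
    """SHA-1 of the decompressed content (the published checksum covers that, not the .gz)."""
    digest = hashlib.sha1()
    with gzip.open(gz_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def install_verified(tmp_gz, dest, expected_sha1, source_url, checksum_url, hard_fail=True):
    """Move tmp_gz to dest only if its extracted SHA-1 matches; return True on success."""
    expected = expected_sha1.strip().lower()
    try:
        actual = sha1_of_extracted(tmp_gz)
    except (OSError, EOFError, zlib.error) as exc:  # truncated or non-gzip download
        actual = f"unreadable ({exc.__class__.__name__})"
    if actual == expected:
        # Keep both values next to the file so it can be re-verified later.
        for suffix, value in ((".sha1", actual), (".sha1_expected", expected)):
            with open(dest + suffix, "w") as fh:
                fh.write(value + "\n")
        shutil.move(tmp_gz, dest)  # also works across filesystems, e.g. /tmp -> /usr/share
        if os.path.exists(dest + MARKER_SUFFIX):
            os.remove(dest + MARKER_SUFFIX)  # clear a marker left by an earlier failure
        return True
    with open(dest + MARKER_SUFFIX, "w") as fh:
        fh.write(f"date and time: {time.strftime('%Y-%m-%dT%H:%M:%S%z')}\n"
                 f"source url: {source_url}\n"
                 f"checksum url: {checksum_url}\n"
                 f"expected sha1: {expected}\n"
                 f"actual sha1: {actual}\n")
    os.remove(tmp_gz)  # assumption: unverified data never reaches dest
    message = f"geoip checksum mismatch: expected {expected}, got {actual}"
    if hard_fail:  # hard stop, e.g. abort the ISO build
        raise RuntimeError(message)
    print(f"WARNING: {message}; continuing", file=sys.stderr)  # soft stop
    return False
```

Because the checksum is published by the same site that serves the database, this check catches corrupted or truncated downloads; it does not by itself authenticate the source.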