By design, only released versions will be signed by the GPG key to verify their authenticity. In order to also prevent transmission errors on the wire or on your/our storage, SHA256 hashes are calculated during the build process and published together with the ISO image.
Now that the SHA256 hash is available, the `add system image` command should also fetch the hash and verify it before installing the ISO image. If there is no hash, we will keep installing the image and just ignore it.
## Good
```
[email protected]:~$ add system image http://foo.com/vyos-1.3-rolling-202010180826-amd64.iso
Trying to fetch ISO file from http://foo.com/vyos-1.3-rolling-202010180826-amd64.iso
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 309M 100 309M 0 0 25.1M 0 0:00:12 0:00:12 --:--:-- 25.2M
ISO download succeeded.
Checking SHA256 (256-bit) checksum...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 106 100 106 0 0 26500 0 --:--:-- --:--:-- --:--:-- 26500
Found it. Verifying checksum...
SHA256 checksum valid.
Checking for digital signature file...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 404 Not Found
Unable to fetch digital signature file.
Do you want to continue without signature check? (yes/no) [yes]
```
## Bad
```
[email protected]:~$ add system image http://foo.com/vyos-1.3-rolling-202010180826-amd64.iso
Trying to fetch ISO file from http://foo.com/vyos-1.3-rolling-202010180826-amd64.iso
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 309M 100 309M 0 0 25.8M 0 0:00:11 0:00:11 --:--:-- 25.8M
ISO download succeeded.
Checking SHA256 (256-bit) checksum...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 106 100 106 0 0 9636 0 --:--:-- --:--:-- --:--:-- 9636
Found it. Verifying checksum...
vyos-1.3-rolling-202010180826-amd64.iso: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
Signature check FAILED.
Installation will not be performed.
Exiting...
```
I'm wondering why downloading an invalid ISO file was not caught by the integrated MD5 check `Checking MD5 checksums of files on the ISO image...OK.`?
PR: https://github.com/vyos/vyatta-cfg-system/pull/131
We probably also want to switch from MD5 to SHA256 inside the ISO image.
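The hash-then-install decision described at the top of this task (valid hash, mismatching hash, no hash published), as an added sketch that is not the code from the linked PR. The function name `verify_iso_sha256` and its return codes are hypothetical, and it works on local files instead of fetching the checksum with curl. It covers integrity only; authenticity still depends on the GPG signature.

```shell
#!/bin/sh
# Added example, not the VyOS install script. Name and return codes are assumptions.
#   0  checksum entry found and the ISO matches
#   1  checksum entry found but malformed or not matching -> do not install
#   2  no checksum published for this ISO -> caller continues without the check
verify_iso_sha256() {
    local iso="$1" sumfile="$2"
    local name expected actual

    [ -f "$iso" ] || return 1
    # Missing or empty checksum file is the "no hash" case from the task text
    [ -s "$sumfile" ] || return 2

    name=$(basename "$iso")
    # sha256sum lines look like "<hex>  <name>" or "<hex> *<name>" (binary mode)
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sumfile")
    [ -n "$expected" ] || return 2

    # An entry that is not exactly 64 hex digits is treated as a failure,
    # so a damaged checksum file cannot silently disable the check
    case "$expected" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#expected}" -eq 64 ] || return 1

    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in "ISO" and a checksum file generated for it
tmp=$(mktemp -d)
printf 'constructed image bytes' > "$tmp/demo.iso"
( cd "$tmp" && sha256sum demo.iso > demo.iso.sha256 )
verify_iso_sha256 "$tmp/demo.iso" "$tmp/demo.iso.sha256" && echo "SHA256 checksum valid."
rm -rf "$tmp"
```
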