
Automatically verify sha256 checksum on ISO download
Closed, Resolved | Public | FEATURE REQUEST

Description

By design, only released versions will be signed by the GPG key to verify their authenticity. In order to also prevent transmission errors on the wire or on your/our storage, SHA256 hashes are calculated during the build process and published together with the ISO image.

Now that the sha256 hash is available, the add system image command should also fetch the hash and verify it before installing the ISO image. If there is no hash, we will keep installing the image and just ignore it.

Good

vyos@vyos:~$ add system image http://foo.com/vyos-1.3-rolling-202010180826-amd64.iso
Trying to fetch ISO file from http://foo.com/vyos-1.3-rolling-202010180826-amd64.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  309M  100  309M    0     0  25.1M      0  0:00:12  0:00:12 --:--:-- 25.2M
ISO download succeeded.
Checking SHA256 (256-bit) checksum...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   106  100   106    0     0  26500      0 --:--:-- --:--:-- --:--:-- 26500
Found it.  Verifying checksum...
SHA256 checksum valid.
Checking for digital signature file...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 404 Not Found
Unable to fetch digital signature file.
Do you want to continue without signature check? (yes/no) [yes]

Bad

vyos@vyos:~$ add system image http://foo.com/vyos-1.3-rolling-202010180826-amd64.iso
Trying to fetch ISO file from http://foo.com/vyos-1.3-rolling-202010180826-amd64.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  309M  100  309M    0     0  25.8M      0  0:00:11  0:00:11 --:--:-- 25.8M
ISO download succeeded.
Checking SHA256 (256-bit) checksum...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   106  100   106    0     0   9636      0 --:--:-- --:--:-- --:--:--  9636
Found it.  Verifying checksum...
vyos-1.3-rolling-202010180826-amd64.iso: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
Signature check FAILED.
Installation will not be performed.
Exiting...

I'm wondering why downloading an invalid ISO file was not caught by the integrated MD5 check "Checking MD5 checksums of files on the ISO image...OK."?

PR: https://github.com/vyos/vyatta-cfg-system/pull/131

We probably also want to switch from MD5 to SHA256 inside the ISO image

Details

Difficulty level
Normal (likely a few hours)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

c-po changed the task status from Open to In progress. Oct 18 2020, 12:53 PM
c-po claimed this task.
c-po triaged this task as Wishlist priority.
c-po created this task.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po updated the task description.

Update from VyOS 1.3-rolling-202010210152 to latest rolling vyos-1.3-rolling-202010260327-amd64.iso Failed.

vyos@r4-roll:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  309M  100  309M    0     0  4664k      0  0:01:07  0:01:07 --:--:-- 2516k
ISO download succeeded.
Checking SHA256 (256-bit) checksum...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   106  100   106    0     0    197      0 --:--:-- --:--:-- --:--:--   197
Found it.  Verifying checksum...
sha256sum: vyos-1.3-rolling-202010260327-amd64.iso: No such file or directory
vyos-1.3-rolling-202010260327-amd64.iso: FAILED open or read
sha256sum: WARNING: 1 listed file could not be read
Signature check FAILED.
Installation will not be performed.
Exiting...
vyos@r4-roll:~$ 
vyos@r4-roll:~$ date
Mon 26 Oct 2020 12:32:50 PM EET
vyos@r4-roll:~$ 
vyos@r4-roll:~$ show version 

Version:          VyOS 1.3-rolling-202010210152
Release Train:    equuleus
erkin set Issue type to Feature (new functionality). Aug 29 2021, 12:33 PM
erkin removed a subscriber: Active contributors.
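
Added example, not part of the task or of the VyOS install script: in the last log above, sha256sum looked up the file name listed in the checksum file, which differs from the name in the download URL, so the check failed before any hash was compared. The function below compares hash values directly and keeps the task's policy of continuing when no hash is published; the name verify_iso_sha256 and its return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not VyOS code. verify_iso_sha256 and its return
# codes are hypothetical names chosen for this example.
#
# Usage:   verify_iso_sha256 <downloaded-iso> <checksum-file>
# Returns: 0 = hash matches
#          1 = mismatch or unreadable ISO (installation must not proceed)
#          2 = no usable hash published (caller may continue, per the task)
verify_iso_sha256() {
    iso=$1
    sumfile=$2

    # A missing or empty checksum file means "no hash published".
    [ -s "$sumfile" ] || return 2

    # Take the first field of the first line, normalised to lower case.
    # The file name in the second field is deliberately ignored, so the
    # check still works when the ISO was saved under another name.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")

    # Accept only a value of exactly 64 hex digits; anything else (for
    # example an error page saved in place of the checksum file) is
    # treated as "no usable hash".
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    # Hash the file that was actually downloaded, whatever it is called.
    [ -r "$iso" ] || return 1
    actual=$(sha256sum < "$iso" | awk '{ print $1 }')

    # Exit status of this comparison is the function's result (0 or 1).
    [ "$actual" = "$expected" ]
}
```

A caller would abort on return code 1 and fall through to the signature check on 0 or 2; as the description states, the hash covers transmission and storage errors, while authenticity rests on the GPG signature.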