flatcar-postinst: In addition to SHA1, also check SHA256 hash for OEMs

pothos · pothos · commit 381da58672dc · 2023-09-27T15:34:51.000+02:00
The newer Omaha 3.1 hash_sha256 attribute is now supported by Nebraska
and should be used for OEM payloads. Up to now we only checked the
regular "hash" attribute for download integrity. It's not really
security critical because the payload has its own signature but it's
good to migrate all hashsum usage away from SHA1.
Find the hash and hash_sha256 attributes and require at least one to be
set for the OEM packages. Check the found hash attributes.
diff --git a/flatcar-postinst b/flatcar-postinst
@@ -71,19 +71,28 @@ sysext_download() {
       entries=$(grep -m 1 -o "<package name=\"${name}\"[^>]*" "${from}")
       url="${base}/${name}"
       size=$(echo "${entries}" | grep -o 'size="[0-9]*' | cut -d '"' -f 2)
-      hash=$(echo "${entries}" | grep -o -P 'hash="[^"]*' | cut -d '"' -f 2) # openssl dgst -binary -sha1 < "$PAYLOAD" | base64
+      hash=$(echo "${entries}" | { grep -o -P 'hash="[^"]*' || true ; } | cut -d '"' -f 2) # openssl dgst -binary -sha1 < "$PAYLOAD" | base64
+      hash_sha256=$(echo "${entries}" | { grep -o -P 'hash_sha256="[^"]*' || true ; } | cut -d '"' -f 2) # sha256sum -b "$PAYLOAD" | cut -d " " -f 1
     fi
     rm -f "${target}.tmp"
     curl -fsSL --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 -o "${target}.tmp" "${url}"
-    if [ "${size}" != "" ] && [ "${hash}" != "" ]; then
+    if [ "${base}" != "" ]; then
       if [ "$(stat --printf='%s' "${target}.tmp")" != "${size}" ]; then
         echo "Size mismatch for ${name}" >&2
         return 1 # jump to ret=
       fi
-      if [ "$(openssl dgst -binary -sha1 < "${target}.tmp" | base64)" != "${hash}" ]; then
+      if [ "${hash}" = "" ] && [ "${hash_sha256}" = "" ]; then
+        echo "At least one hash is expected, found none in Omaha package for ${name}" >&2
+        return 1 # jump to ret=
+      fi
+      if [ "${hash}" != "" ] && [ "$(openssl dgst -binary -sha1 < "${target}.tmp" | base64)" != "${hash}" ]; then
         echo "Hash mismatch for ${name}" >&2
         return 1 # jump to ret=
       fi
+      if [ "${hash_sha256}" != "" ] && [ "$(sha256sum -b "${target}.tmp" | cut -d " " -f 1)" != "${hash_sha256}" ]; then
+        echo "Hash SHA256 mismatch for ${name}" >&2
+        return 1 # jump to ret=
+      fi
     fi
     # Using "${INSTALL_MNT}" here is ok because it was verified first by update-engine
     PROTOPATH="${INSTALL_MNT}"/share/update_engine/ "${INSTALL_MNT}"/share/update_engine/decode_payload /usr/share/update_engine/update-payload-key.pub.pem "${target}.tmp" "${target}"
