sign bootstrap.tar content
This commit is contained in:
Mikaël Cluseau
@ -2,6 +2,8 @@ package main
|
||||
|
||||
import (
|
||||
"archive/tar"
|
||||
"bytes"
|
||||
"crypto"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
@ -93,13 +95,47 @@ func buildBootstrap(out io.Writer, ctx *renderContext) (err error) {
|
||||
arch := tar.NewWriter(out)
|
||||
defer arch.Close()
|
||||
|
||||
ca, err := getUsableClusterCA(ctx.Host.ClusterName, "boot-signer")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
signer, err := ca.ParseKey()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
hash := crypto.SHA512
|
||||
|
||||
sign := func(name string, digest []byte) (err error) {
|
||||
sigBytes, err := signer.Sign(nil, digest, hash)
|
||||
if err != nil {
|
||||
err = fmt.Errorf("signing to %s failed: %w", name, err)
|
||||
return err
|
||||
}
|
||||
|
||||
if err = arch.WriteHeader(&tar.Header{
|
||||
Name: name,
|
||||
Size: int64(len(sigBytes)),
|
||||
Mode: 0o644,
|
||||
}); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
_, err = io.Copy(arch, bytes.NewReader(sigBytes))
|
||||
return
|
||||
}
|
||||
|
||||
// config
|
||||
cfgBytes, cfg, err := ctx.Config()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = arch.WriteHeader(&tar.Header{Name: "config.yaml", Size: int64(len(cfgBytes))})
|
||||
err = arch.WriteHeader(&tar.Header{
|
||||
Name: "config.yaml",
|
||||
Size: int64(len(cfgBytes)),
|
||||
Mode: 0o600,
|
||||
})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@ -109,10 +145,19 @@ func buildBootstrap(out io.Writer, ctx *renderContext) (err error) {
|
||||
return
|
||||
}
|
||||
|
||||
{
|
||||
h := hash.New()
|
||||
h.Write(cfgBytes)
|
||||
err = sign("config.yaml.sig", h.Sum(nil))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// layers
|
||||
for _, layer := range cfg.Layers {
|
||||
if layer == "modules" {
|
||||
continue // modules are with the kernel in boot v2
|
||||
continue // modules are in the initrd with boot v2
|
||||
}
|
||||
|
||||
layerVersion := ctx.Host.Versions[layer]
|
||||
@ -137,14 +182,24 @@ func buildBootstrap(out io.Writer, ctx *renderContext) (err error) {
|
||||
return err
|
||||
}
|
||||
|
||||
h := hash.New()
|
||||
reader := io.TeeReader(f, h)
|
||||
|
||||
if err = arch.WriteHeader(&tar.Header{
|
||||
Name: layer + ".fs",
|
||||
Size: stat.Size(),
|
||||
Mode: 0o600,
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = io.Copy(arch, f)
|
||||
_, err = io.Copy(arch, reader)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
digest := h.Sum(nil)
|
||||
err = sign(layer+".fs.sig", digest)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user