Fix issue #4: give SHA256SUM files a date suffix

covertsh · web-flow · commit 50bdf6a4c945 · 2021-02-05T14:46:07.000Z
As described in issue #4, the SHA256SUM files are not removed after creating an ISO. This is intentional so they do not have to be downloaded more than once. However, this means that they can cause checksum verification to fail if the same files are used to validate the ISO from a different date. I have added a date suffix (DD-MM-YYYY) to the SHA256SUMS and SHA256SUMS.gpg files so that they are only used for the current day. There is still an issue if a user specifies an existing ISO image but does not disable automatic GPG verification (using the -k or --no-verify option), because if the specified image is not the current latest daily ISO, the verification will still fail. If users wish to use an existing ISO image other than the current latest one, they should disable GPG verification with the command line option and instead verify the ISO image themselves if desired.
diff --git a/ubuntu-autoinstall-generator.sh b/ubuntu-autoinstall-generator.sh
@@ -136,15 +136,20 @@ if [ ! -f "${source_iso}" ]; then
 	log "👍 Downloaded and saved to ${source_iso}"
 else
 	log "☑️ Using existing ${source_iso} file."
+	if [ ${gpg_verify} -eq 1 ]; then
+		if [ "${source_iso}" != "${script_dir}/ubuntu-original-$today.iso" ]; then
+			log "⚠️ Automatic GPG verification is enabled. If the source ISO file is not the latest daily image, verification will fail!"
+		fi
+	fi
 fi
 
 if [ ${gpg_verify} -eq 1 ]; then
-	if [ ! -f "${script_dir}/SHA256SUMS" ]; then
+	if [ ! -f "${script_dir}/SHA256SUMS-${today}" ]; then
 		log "🌎 Downloading SHA256SUMS & SHA256SUMS.gpg files..."
-		/usr/bin/curl -NsSL "https://cdimage.ubuntu.com/ubuntu-server/focal/daily-live/current/SHA256SUMS" -o "${script_dir}/SHA256SUMS"
-		/usr/bin/curl -NsSL "https://cdimage.ubuntu.com/ubuntu-server/focal/daily-live/current/SHA256SUMS.gpg" -o "${script_dir}/SHA256SUMS.gpg"
+		/usr/bin/curl -NsSL "https://cdimage.ubuntu.com/ubuntu-server/focal/daily-live/current/SHA256SUMS" -o "${script_dir}/SHA256SUMS-${today}"
+		/usr/bin/curl -NsSL "https://cdimage.ubuntu.com/ubuntu-server/focal/daily-live/current/SHA256SUMS.gpg" -o "${script_dir}/SHA256SUMS-${today}.gpg"
 	else
-		log "☑️ Using existing SHA256SUMS & SHA256SUMS.gpg files."
+		log "☑️ Using existing SHA256SUMS-${today} & SHA256SUMS-${today}.gpg files."
 	fi
 
 	if [ ! -f "${script_dir}/${ubuntu_gpg_key_id}.keyring" ]; then
@@ -156,7 +161,7 @@ if [ ${gpg_verify} -eq 1 ]; then
 	fi
 
 	log "🔐 Verifying ${source_iso} integrity and authenticity..."
-	/usr/bin/gpg -q --keyring "${script_dir}/${ubuntu_gpg_key_id}.keyring" --verify "${script_dir}/SHA256SUMS.gpg" "${script_dir}/SHA256SUMS" 2>/dev/null
+	/usr/bin/gpg -q --keyring "${script_dir}/${ubuntu_gpg_key_id}.keyring" --verify "${script_dir}/SHA256SUMS-${today}.gpg" "${script_dir}/SHA256SUMS-${today}" 2>/dev/null
 	if [ $? -ne 0 ]; then
 		rm -f "${script_dir}/${ubuntu_gpg_key_id}.keyring~"
 		die "👿 Verification of SHA256SUMS signature failed."
@@ -165,7 +170,7 @@ if [ ${gpg_verify} -eq 1 ]; then
 	rm -f "${script_dir}/${ubuntu_gpg_key_id}.keyring~"
 	digest=$(sha256sum "${source_iso}" | cut -f1 -d ' ')
 	set +e
-	/usr/bin/grep -Fq "$digest" "${script_dir}/SHA256SUMS"
+	/usr/bin/grep -Fq "$digest" "${script_dir}/SHA256SUMS-${today}"
 	if [ $? -eq 0 ]; then
 		log "👍 Verification succeeded."
 		set -e
