Add helper to get signature verified hash of the default bundle

this adds getVerifiedDefaultBundleHash() which downloads the signed sha256sum.txt file from mirror.openshift.com and verifies that it's signed with the redhat release key2, then from the verified hashes it returns the hash for the default bundle
crc-org · Apr 18, 2023 · a647747 · a647747
1 parent a3dbd4c
commit a647747
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 0 deletions.
diff --git a/pkg/crc/constants/constants.go b/pkg/crc/constants/constants.go
@@ -27,6 +27,7 @@ const (
 	DefaultAdminHelperURLBase = "https://github.com/crc-org/admin-helper/releases/download/v%s/%s"
 	CRCMacTrayDownloadURL     = "https://github.com/crc-org/tray-electron/releases/download/%s/crc-tray-macos.tar.gz"
 	CRCWindowsTrayDownloadURL = "https://github.com/crc-org/tray-electron/releases/download/%s/crc-tray-windows.zip"
+	DefaultBundleURLBase      = "https://mirror.openshift.com/pub/openshift-v4/clients/crc/bundles/%s/%s/%s"
 	DefaultContext            = "admin"
 	DaemonHTTPEndpoint        = "http://unix/api"
 	DaemonVsockPort           = 1024
@@ -115,6 +116,14 @@ func GetDefaultBundlePath(preset crcpreset.Preset) string {
 	return filepath.Join(MachineCacheDir, GetDefaultBundle(preset))
 }
 
+func GetDefaultBundleSignedHashURL(preset crcpreset.Preset) string {
+	return fmt.Sprintf(DefaultBundleURLBase,
+		preset.String(),
+		version.GetBundleVersion(preset),
+		"sha256sum.txt.sig",
+	)
+}
+
 func ResolveHelperPath(executableName string) string {
 	if version.IsInstaller() {
 		return filepath.Join(version.InstallPath(), executableName)

diff --git a/pkg/crc/machine/bundle/metadata.go b/pkg/crc/machine/bundle/metadata.go
@@ -1,7 +1,10 @@
 package bundle
 
 import (
+	"errors"
 	"fmt"
+	"io"
+	"net/http"
 	"os"
 	"path"
 	"path/filepath"
@@ -13,7 +16,10 @@ import (
 
 	"github.com/Masterminds/semver/v3"
 	"github.com/crc-org/crc/pkg/crc/constants"
+	"github.com/crc-org/crc/pkg/crc/gpg"
 	"github.com/crc-org/crc/pkg/crc/image"
+	"github.com/crc-org/crc/pkg/crc/logging"
+	"github.com/crc-org/crc/pkg/crc/network"
 	crcPreset "github.com/crc-org/crc/pkg/crc/preset"
 	"github.com/crc-org/crc/pkg/download"
 )
@@ -305,6 +311,43 @@ func getBundleDownloadInfo(preset crcPreset.Preset) (*download.RemoteFile, error
 	return downloadInfo, nil
 }
 
+func getDefaultBundleVerifiedHash(preset crcPreset.Preset) (string, error) {
+	client := &http.Client{
+		Timeout:   5 * time.Second,
+		Transport: network.HTTPTransport(),
+	}
+	res, err := client.Get(constants.GetDefaultBundleSignedHashURL(preset))
+	if err != nil {
+		return "", err
+	}
+	signedHashes, err := io.ReadAll(res.Body)
+	if err != nil {
+		return "", err
+	}
+	if err := res.Body.Close(); err != nil {
+		logging.Debug(err)
+	}
+
+	verifiedHashes, err := gpg.GetVerifiedClearsignedMsgV3(constants.RedHatReleaseKey, string(signedHashes))
+	if err != nil {
+		return "", fmt.Errorf("Invalid signature: %w", err)
+	}
+
+	logging.Debugf("Verified bundle hashes:\n%s", verifiedHashes)
+
+	lines := strings.Split(verifiedHashes, "\n")
+	for _, line := range lines {
+		if strings.Contains(line, constants.GetDefaultBundle(preset)) {
+			l := strings.Split(line, "  ")
+			if len(l) != 2 {
+				return "", errors.New("unable to find hash for default bundle")
+			}
+			return l[0], nil
+		}
+	}
+	return "", errors.New("default bundle's hash is missing or shasums are maformed")
+}
+
 func DownloadDefault(preset crcPreset.Preset) (string, error) {
 	downloadInfo, err := getBundleDownloadInfo(preset)
 	if err != nil {