flatcar-postinst: In addition to SHA1, also check SHA256 hash for OEMs #26
The newer Omaha 3.1 hash_sha256 attribute is now supported by Nebraska and should be used for OEM payloads. Up to now we only checked the regular "hash" attribute for download integrity. It's not really security critical because the payload has its own signature but it's good to migrate all hashsum usage away from SHA1.
Find the hash and hash_sha256 attributes and require at least one to be set for the OEM packages. Check the found hash attributes.
How to use
Testing done
Jenkins: cl.update.oem passed. I've also checked that the flatcar-update invocation uses the XML dump.
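The rule from the description above (find `hash` and `hash_sha256`, require at least one, check every one that is found), as an added Python sketch; it is not the shell code from this pull request. It assumes the Omaha 3 encodings (base64 SHA-1 in `hash`, hex SHA-256 in `hash_sha256`), and the package names, appid and payload are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET


def package_hashes(response_xml, name):
    """Return (hash, hash_sha256) for the named <package>; unset ones are None."""
    for pkg in ET.fromstring(response_xml).iter("package"):
        if pkg.get("name") == name:
            return pkg.get("hash") or None, pkg.get("hash_sha256") or None
    raise LookupError(f"no <package name={name!r}> in response")


def verify_payload(data, sha1_b64, sha256_hex):
    """Require at least one hash and check every hash that is present."""
    if not sha1_b64 and not sha256_hex:
        raise ValueError("neither hash nor hash_sha256 is set")
    checks = []
    if sha1_b64:  # assumed encoding: base64 of the raw SHA-1 digest
        got = base64.b64encode(hashlib.sha1(data).digest())
        checks.append(hmac.compare_digest(got, sha1_b64.encode()))
    if sha256_hex:  # assumed encoding: hex SHA-256 digest
        got = hashlib.sha256(data).hexdigest().encode()
        checks.append(hmac.compare_digest(got, sha256_hex.lower().encode()))
    # A matching SHA-1 must not excuse a mismatching SHA-256, so all must pass.
    return all(checks)


# Constructed sample: payload, hashes and Omaha-style response are made up.
PAYLOAD = b"constructed OEM payload"
SHA1_B64 = base64.b64encode(hashlib.sha1(PAYLOAD).digest()).decode()
SHA256_HEX = hashlib.sha256(PAYLOAD).hexdigest()
RESPONSE = f"""<response protocol="3.0"><app appid="example" status="ok">
<updatecheck status="ok"><manifest version="0.0.0"><packages>
<package name="oem-both.gz" hash="{SHA1_B64}" hash_sha256="{SHA256_HEX}"/>
<package name="oem-new.gz" hash_sha256="{SHA256_HEX}"/>
<package name="oem-stale.gz" hash="{SHA1_B64}" hash_sha256="{'0' * 64}"/>
<package name="oem-none.gz"/>
</packages></manifest></updatecheck></app></response>"""

if __name__ == "__main__":
    for name in ("oem-both.gz", "oem-new.gz", "oem-stale.gz"):
        print(name, verify_payload(PAYLOAD, *package_hashes(RESPONSE, name)))
```

The `oem-stale.gz` entry shows why both attributes are checked when both are present: its SHA-1 matches but its SHA-256 does not, so the payload is rejected.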