flatcar-postinst: In addition to SHA1, also check SHA256 hash for OEMs #26

Merged
merged 2 commits into from
Sep 28, 2023

pothos
Member

@pothos pothos commented Sep 27, 2023

The newer Omaha 3.1 hash_sha256 attribute is now supported by Nebraska and should be used for OEM payloads. Up to now we only checked the regular "hash" attribute for download integrity. It's not really security critical because the payload has its own signature but it's good to migrate all hashsum usage away from SHA1.
Find the hash and hash_sha256 attributes and require at least one to be set for the OEM packages. Check the found hash attributes.

How to use

Testing done

Jenkins: cl.update.oem passed.
I've also checked that the flatcar-update invocation uses the XML dump.

The newer Omaha 3.1 hash_sha256 attribute is now supported by Nebraska
and should be used for OEM payloads. Up to now we only checked the
regular "hash" attribute for download integrity. It's not really
security critical because the payload has its own signature but it's
good to migrate all hashsum usage away from SHA1.
Find the hash and hash_sha256 attributes and require at least one to be
set for the OEM packages. Check the found hash attributes.
pothos added a commit to flatcar/scripts that referenced this pull request Sep 27, 2023
@pothos pothos requested review from a team and removed request for a team September 28, 2023 09:32
Once update-engine can download OEM payloads we should use them as is
instead of overwriting them in the postinst hook.
@pothos pothos merged commit e3d47bf into flatcar-master Sep 28, 2023
1 check passed
@pothos pothos deleted the kai/oem-sha256 branch September 28, 2023 12:29
pothos added a commit to flatcar/scripts that referenced this pull request Sep 28, 2023
pothos added a commit to flatcar/scripts that referenced this pull request Sep 28, 2023
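
The check outlined in the pull request description (look up `hash` and `hash_sha256` for an OEM package, require at least one, verify each one found), sketched as an added shell example that is not the flatcar-postinst code from this PR. Function names, package names and the sample response are constructed; the encodings (base64 SHA1 in `hash`, hex SHA256 in `hash_sha256`) are assumed from the Omaha protocol.

```shell
# Added example, not the flatcar-postinst code. Function and package names are
# hypothetical; base64 SHA1 in "hash" and hex SHA256 in "hash_sha256" are assumed.

# Print attribute $2 of the <package> named $1 in XML dump $3 (empty if absent).
# Text matching only, so $1 must not contain regex metacharacters.
pkg_attr() {
  tr '\n' ' ' < "$3" | grep -o "<package[^>]* name=\"$1\"[^>]*>" | head -n 1 |
    sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# Return 0 if every hash attribute present matches the payload, 1 on any
# mismatch, 2 if the package has neither attribute.
verify_oem_payload() {  # args: package-name xml-dump payload-file
  sha1_b64=$(pkg_attr "$1" hash "$2")
  sha256_hex=$(pkg_attr "$1" hash_sha256 "$2" | tr 'A-F' 'a-f')
  [ -n "$sha1_b64$sha256_hex" ] ||
    { echo "$1: neither hash nor hash_sha256 is set" >&2; return 2; }
  if [ -n "$sha1_b64" ]; then
    want=$(printf '%s' "$sha1_b64" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ "$want" = "$(sha1sum "$3" | cut -d' ' -f1)" ] ||
      { echo "$1: SHA1 mismatch" >&2; return 1; }
  fi
  if [ -n "$sha256_hex" ]; then
    [ "$sha256_hex" = "$(sha256sum "$3" | cut -d' ' -f1)" ] ||
      { echo "$1: SHA256 mismatch" >&2; return 1; }
  fi
}

# Constructed sample: payload "abc" and an Omaha-style response dump in dir $1.
make_sample() {
  printf 'abc' > "$1/payload"
  cat > "$1/response.xml" <<'EOF'
<response protocol="3.0"><app status="ok"><updatecheck status="ok"><manifest><packages>
<package name="oem-both.gz" hash="qZk+NkcGgWq6PiVxeFDCbJzQ2J0=" size="3"
  hash_sha256="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"/>
<package name="oem-sha256.gz" size="3"
  hash_sha256="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"/>
<package name="oem-stale.gz" hash="qZk+NkcGgWq6PiVxeFDCbJzQ2J0=" size="3"
  hash_sha256="0000000000000000000000000000000000000000000000000000000000000000"/>
<package name="oem-none.gz" size="3"/>
</packages></manifest></updatecheck></app></response>
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
for p in oem-both.gz oem-sha256.gz oem-stale.gz oem-none.gz; do
  verify_oem_payload "$p" "$dir/response.xml" "$dir/payload" && echo "$p: ok" || echo "$p: rejected"
done
rm -rf "$dir"
```

The `oem-stale.gz` entry shows why both attributes are checked when both are present: a matching SHA1 does not excuse a wrong SHA256.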
2 participants