Mercurial > infra / scripts/get-linux.sh

 #!/usr/bin/env bash
 # get-linux
 
 # from https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball
 
 # there are minimal modifications to this script - be careful, it
 # pulls from the upstream kernel source archives.
 
 # --------------------
 # Get Linux kernel tarball and cryptographically verify it,
 # retrieving the PGP keys using the Web Key Directory (WKD)
 # protocol if they are not already in the keyring.
 #
 # Pass the kernel version as the only parameter, or
 # we'll grab the latest stable kernel.
 #
 # Example: ./get-linux 4.4.145
 #
 # Configurable parameters
 # -----------------------
 # What kernel version do you want?
 HOST_VER=$(uname -r | cut -d- -f1)
 VER="${1:-$HOST_VER}"
 
 # Where to download the tarball and verification data.
 TARGETDIR=${2:-.stash/src/linux-$VER}
 
 # For CI and other automated infrastructure, you may want to
 # create a keyring containing the keys belonging to:
 #  - autosigner@kernel.org
 #  - torvalds@kernel.org
 #  - gregkh@kernel.org
 #
 # To generate the keyring with these keys, do:
 #   gpg --export autosigner@ torvalds@ gregkh@ > keyring.gpg
 #   (or use full keyids for maximum certainty)
 #
 # Once you have keyring.gpg, install it on your CI system and set
 # USEKEYRING to the full path to it. If unset, we generate our own
 # from GNUPGHOME.
 # need to run make linux-keys first
 USEKEYRING=${3}
 
 # If you set this to empty value, we'll make a temporary
 # directory and fetch the verification keys from the
 # Web Key Directory each time. Also, see the USEKEYRING=
 # configuration option for an alternative that doesn't
 # rely on WKD.
 GNUPGHOME="$HOME/.gnupg"
 
 # Point this at your GnuPG binary version 2.1.11 or above.
 # If you are using USEKEYRING, GnuPG-1 will work, too.
 GPGBIN="/usr/bin/gpg2"
 GPGVBIN="/usr/bin/gpgv2"
 # We need a compatible version of sha256sum, too
 SHA256SUMBIN="/usr/bin/sha256sum"
 # And curl
 CURLBIN="/usr/bin/curl"
 # And we need the xz binary
 XZBIN="/usr/bin/xz"
 
 # You shouldn't need to modify this, unless someone
 # other than Linus or Greg start releasing kernels.
 DEVKEYS="torvalds@kernel.org gregkh@kernel.org"
 # Don't add this to DEVKEYS, as it plays a wholly
 # different role and is NOT a key that should be used
 # to verify kernel tarball signatures (just the checksums).
 SHAKEYS="autosigner@kernel.org"
 
 if [[ -z ${VER} ]]; then
     # Assume you want the latest stable
     VER=$(${CURLBIN} -sL https://www.kernel.org/finger_banner \
           | grep 'latest stable version' \
           | awk -F: '{gsub(/ /,"", $0); print $2}')
 fi
 if [[ -z ${VER} ]]; then
     echo "Could not figure out the latest stable version."
     exit 1
 fi
 
 MAJOR="$(echo ${VER} | cut -d. -f1)"
 if [[ ${MAJOR} -lt 3 ]]; then
     echo "This script only supports kernel v3.x.x and above"
     exit 1
 fi
 
 if [[ ! -d ${TARGETDIR} ]]; then
     echo "${TARGETDIR} does not exist"
     exit 1
 fi
 
 TARGET="${TARGETDIR}/linux-${VER}.tar.xz"
 # Do we already have this file?
 if [[ -f ${TARGET} ]]; then
     echo "File ${TARGETDIR}/linux-${VER}.tar.xz already exists."
     exit 0
 fi
 
 # Start by making sure our GnuPG environment is sane
 if [[ ! -x ${GPGBIN} ]]; then
     echo "Could not find gpg in ${GPGBIN}"
     exit 1
 fi
 if [[ ! -x ${GPGVBIN} ]]; then
     echo "Could not find gpgv in ${GPGVBIN}"
     exit 1
 fi
 
 # NOTE 2023-11-19: we make a folder in /tmp/ due to a strange bug
 # encountered when using the TARGETDIR. Need to test on 
 TMPDIR=$(mktemp -d)
 echo "Using TMPDIR=${TMPDIR}"
 # Are we using a keyring?
 if [[ -z ${USEKEYRING} ]]; then
     if [[ -z ${GNUPGHOME} ]]; then
         GNUPGHOME="${TMPDIR}/gnupg"
     elif [[ ! -d ${GNUPGHOME} ]]; then
         echo "GNUPGHOME directory ${GNUPGHOME} does not exist"
         echo -n "Create it? [Y/n]"
         read YN
         if [[ ${YN} == 'n' ]]; then
             echo "Exiting"
             rm -rf ${TMPDIR}
             exit 1
         fi
     fi
     mkdir -p -m 0700 ${GNUPGHOME}
     echo "Making sure we have all the necessary keys"
     ${GPGBIN} --batch --quiet \
         --homedir ${GNUPGHOME} \
         --auto-key-locate wkd \
         --locate-keys ${DEVKEYS} ${SHAKEYS}
     # If this returned non-0, we bail
     if [[ $? != "0" ]]; then
         echo "Something went wrong fetching keys"
         rm -rf ${TMPDIR}
         exit 1
     fi
     # Make a temporary keyring and set USEKEYRING to it
     USEKEYRING=${TMPDIR}/keyring.gpg
     ${GPGBIN} --batch --export ${DEVKEYS} ${SHAKEYS} > ${USEKEYRING}
 fi
 # Now we make two keyrings -- one for the autosigner, and
 # the other for kernel developers. We do this in order to
 # make sure that we never verify kernel tarballs using the
 # autosigner keys, only using developer keys.
 SHAKEYRING=${TMPDIR}/shakeyring.gpg
 ${GPGBIN} --batch \
     --no-default-keyring --keyring ${USEKEYRING} \
     --export ${SHAKEYS} > ${SHAKEYRING}
 DEVKEYRING=${TMPDIR}/devkeyring.gpg
 ${GPGBIN} --batch \
     --no-default-keyring --keyring ${USEKEYRING} \
     --export ${DEVKEYS} > ${DEVKEYRING}
 
 # Now that we know we can verify them, grab the contents
 TXZ="https://cdn.kernel.org/pub/linux/kernel/v${MAJOR}.x/linux-${VER}.tar.xz"
 SIG="https://cdn.kernel.org/pub/linux/kernel/v${MAJOR}.x/linux-${VER}.tar.sign"
 SHA="https://www.kernel.org/pub/linux/kernel/v${MAJOR}.x/sha256sums.asc"
 
 # Before we verify the developer signature, we make sure that the
 # tarball matches what is on the kernel.org master. This avoids
 # CDN cache poisoning that could, in theory, use vulnerabilities in
 # the XZ binary to alter the verification process or compromise the
 # system performing the verification.
 SHAFILE=${TMPDIR}/sha256sums.asc
 echo "Downloading the checksums file for linux-${VER}"
 if ! ${CURLBIN} -sL -o ${SHAFILE} ${SHA}; then
     echo "Failed to download the checksums file"
     rm -rf ${TMPDIR}
     exit 1
 fi
 echo "Verifying the checksums file"
 COUNT=$(${GPGVBIN} --keyring=${SHAKEYRING} --status-fd=1 ${SHAFILE} \
         | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
 if [[ ${COUNT} -lt 2 ]]; then
     echo "FAILED to verify the sha256sums.asc file."
     rm -rf ${TMPDIR}
     exit 1
 fi
 # Grab only the tarball we want from the full list
 SHACHECK=${TMPDIR}/sha256sums.txt
 grep "linux-${VER}.tar.xz" ${SHAFILE} > ${SHACHECK}
 
 echo
 echo "Downloading the signature file for linux-${VER}"
 SIGFILE=${TMPDIR}/linux-${VER}.tar.asc
 if ! ${CURLBIN} -sL -o ${SIGFILE} ${SIG}; then
     echo "Failed to download the signature file"
     rm -rf ${TMPDIR}
     exit 1
 fi
 echo "Downloading the XZ tarball for linux-${VER}"
 TXZFILE=${TMPDIR}/linux-${VER}.tar.xz
 if ! ${CURLBIN} -L -o ${TXZFILE} ${TXZ}; then
     echo "Failed to download the tarball"
     rm -rf ${TMPDIR}
     exit 1
 fi
 
 pushd ${TMPDIR} >/dev/null
 echo "Verifying checksum on linux-${VER}.tar.xz"
 if ! ${SHA256SUMBIN} -c ${SHACHECK}; then
     echo "FAILED to verify the downloaded tarball checksum"
     popd >/dev/null
     rm -rf ${TMPDIR}
     exit 1
 fi
 popd >/dev/null
 
 echo
 echo "Verifying developer signature on the tarball"
 COUNT=$(${XZBIN} -cd ${TXZFILE} \
         | ${GPGVBIN} --keyring=${DEVKEYRING} --status-fd=1 ${SIGFILE} - \
         | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
 if [[ ${COUNT} -lt 2 ]]; then
     echo "FAILED to verify the tarball!"
     rm -rf ${TMPDIR}
     exit 1
 fi
 mv -f ${TXZFILE} ${TARGET}
 rm -rf ${TMPDIR}
 echo
 echo "Successfully downloaded and verified ${TARGET}"