main/openrc: add modloop signature verification

2 files changed, 23 insertions, 3 deletions

diff --git a/main/openrc/APKBUILD b/main/openrc/APKBUILD
index 62c804979e..ad15f6767f 100644
--- a/main/openrc/APKBUILD
+++ b/main/openrc/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openrc
 pkgver=0.39.2
 _ver=${pkgver/_git*/}
-pkgrel=2
+pkgrel=3
 pkgdesc="OpenRC manages the services, startup and shutdown of a host"
 url="https://gitweb.gentoo.org/proj/openrc.git"
 arch="all"
@@ -96,7 +96,7 @@ e56ea82dbf8bf6b4cff4fa48db8e4f06589094ba99aad930fc498e2fe235db6ce2afe96e2bc047dd
 259552165ee5e9ca973bbe18d1d9ec5cc67526cb26a9e0ac717076ef4913bb7ff4055d6ccb9f77996ed9c00b67f46edba552e1a21b836068a112dda2428502b3  hostname.initd
 c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55  hwdrivers.initd
 b04058ec630e19de0bafefe06198dc1bff8c8d5d2c89e4660dd83dda8bb82a76cdb1d8661cce88e4a406aa6b4152e17efff52d3eb18ffaec0751d0b6cdbcc48a  modules.initd
-27c036a2c07f658f7fb1e066c59dc494674ba0d81bcb85fea9caffec28ee537eb11e863e20aa4b1c88607f12496ac66d5b092c787c86ff8b8a80e423a8d99440  modloop.initd
+595098085d5a1204e3c5af59bb4a3b3d1fb2980db77925995aa1ec43ef5ae378cef736ddc7924191a99d39c93891d59274fbba08127b15d584c2f82b067ef683  modloop.initd
 55df0ac13dac1f215f0c573ac07b150d31232a5204eccfc8941d5af73f91b4535a85d79b7f6514217038ecbe6bffa28cb83fd8d46fd4c596e07103deb8bc8a57  networking.initd
 80e43ded522e2d48b876131c7c9997debd43f3790e0985801a8c1dd60bc6e09f625b35a127bf225eb45a65eec7808a50d1c08a5e8abceafc61726211e061e0a2  modloop.confd
 d76c75c58e6f4b0801edac4e081b725ef3d50a9a8c9bbb5692bf4d0f804af7d383bf71a73d5d03ed348a89741ef0b2427eb6a7cbf5a9b9ff60a240639fa6ec88  sysfsconf.initd
diff --git a/main/openrc/modloop.initd b/main/openrc/modloop.initd
index dcc43448b1..a815d66f5a 100644..100755
--- a/main/openrc/modloop.initd
+++ b/main/openrc/modloop.initd
@@ -31,6 +31,7 @@ find_modloop() {
         IFS="$oifs"
         for line; do
                 img=${line%%:*}
+                verify_modloop "$img" || eerror "Failed to verify signature of $img!"
                 mount "$img" -o loop,ro /.modloop || continue
                 if [ -d /.modloop/modules/$kver ]; then
                         return 0
@@ -40,6 +41,22 @@ find_modloop() {
         return 1
 }
 
+verify_modloop() {
+        local modloop=$1 key=
+        for key in /etc/apk/keys/*.pub; do
+                local sig=/var/cache/misc/${modloop##*/}.SIGN.RSA.${key##*/}
+                if [ -f "$sig" ]; then
+                        if ! command -v openssl > /dev/null; then
+                                ewarn "Missing openssl. Modloop verification disabled!"
+                                return 0
+                        fi
+                        einfo "Verifying modloop"
+                        openssl dgst -sha1 -verify "$key" -signature "$sig" "$modloop" \
+                                >/dev/null 2>&1 || return 1
+                fi
+        done
+}
+
 find_backing_file() {
         local dir="$1"
         local dev=$(df -P "$dir" | tail -1 | awk '{print $1}')
@@ -54,7 +71,9 @@ start() {
         case "$KOPT_modloop" in
                 http://*|https://*|ftp://*)
                         modloop=$modloop_dldir/${KOPT_modloop##*/}
-                        [ ! -f "$modloop" ] && wget -P "$modloop_dldir" "$KOPT_modloop"
+                        if [ ! -f "$modloop" ]; then
+                                wget -P "$modloop_dldir" "$KOPT_modloop" || eend 1
+                        fi
                         ;;
                 *)
                         for dir in $(mountdirs); do
@@ -69,6 +88,7 @@ start() {
 
         ebegin "Mounting modloop $modloop"
         if [ -n "$modloop" ]; then
+                verify_modloop "$modloop" || eerror "Failed to verify signature of $img!"
                 mount -o loop,ro $modloop /.modloop
                 eend $? || return 1
         else