diff --git a/.github/workflows/checksum.yml b/.github/workflows/checksum.yml
new file mode 100644
index 000000000..74182f678
--- /dev/null
+++ b/.github/workflows/checksum.yml
@@ -0,0 +1,26 @@
+name: installer-checksum
+on:
+ pull_request:
+ branches:
+ - live
+jobs:
+ verify-installer-checksum:
+ name: Linkspector
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Verify checksum
+ shell: bash
+ env:
+ INSTALL_SCRIPT: files/system/usr/share/secureblue/install_secureblue.sh
+ EXAMPLE_BUTANE: docs/example.butane
+ run: |
+ INSTALLER_CHECKSUM=$(sha256sum $INSTALL_SCRIPT | awk '{ print $1 }')
+ BUTANE_CHECKSUM=$(grep -oP 'sha256-\K[a-f0-9]{64}' $EXAMPLE_BUTANE)
+ if [ "$INSTALLER_CHECKSUM" != "$BUTANE_CHECKSUM" ]; then
+ echo "Checksum mismatch."
+ echo "Installer checksum: $INSTALLER_CHECKSUM"
+ echo "Butane checksum: $BUTANE_CHECKSUM"
+ exit 1
+ fi
\ No newline at end of file
diff --git a/docs/example.butane b/docs/example.butane
index 97c85da27..8610d5ce4 100644
--- a/docs/example.butane
+++ b/docs/example.butane
@@ -14,7 +14,7 @@ storage:
 contents:
 source: https://raw.githubusercontent.com/secureblue/secureblue/refs/heads/live/files/system/usr/share/secureblue/install_secureblue.sh
 verification:
- hash: sha256-d4ba5bfb556e9d1e3789a02fab2ab2f871033cc6b1712945cdfb9ce4375eafe5
+ hash: sha256-1f2f8ac822614eb20c82547aabdd18fbded3906115db8ecd4efcf3a80e19bd7d
 mode: 0755
 - path: /opt/run_install_secureblue.sh
 contents:
@@ -40,4 +40,4 @@ storage:
 overwrite: false
 append:
 - inline: |
- /opt/run_install_secureblue.sh
\ No newline at end of file
+ /opt/run_install_secureblue.sh
diff --git a/files/justfiles/hardening.just b/files/justfiles/hardening.just
index fc8c3c28a..ba6ca5346 100644
--- a/files/justfiles/hardening.just
+++ b/files/justfiles/hardening.just
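Review bot: `.github/workflows/checksum.yml` declares no `permissions:` block, so the job's GITHUB_TOKEN inherits whatever default the repository or organization has configured, although the job only reads two files from the checkout. Adding a top-level `permissions:` with `contents: read`, and `persist-credentials: false` under the checkout step's `with:`, would pin it to least privilege. The job's display name `Linkspector` looks carried over from another workflow and would mislabel this check in the PR status list; `name: Verify installer checksum` would match what it does. In the `run` script `$INSTALL_SCRIPT` and `$EXAMPLE_BUTANE` are expanded unquoted, and the `grep -oP` returns every `sha256-` hash in `docs/example.butane`. If that file ever pins a second artifact the comparison fails closed but with a confusing multi-line message, so a comment such as `# example.butane must contain exactly one sha256- hash` would document the assumption.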
@@ -24,7 +24,7 @@ flatpak-permissions-lockdown:
 kFeaturePermissions=("per-app-dev-shm" "canbus" "bluetooth" "multiarch" "devel")
 kFilesystemPermissions=("home" "host-etc" "host")
 kDangerousFilesystemPermissions=("~/.bashrc" "~/.bash_profile" "/home" "/var/home" "/var" "/media" "/run/media" "/run" "/mnt")
- kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.kde.kiod5" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver" "ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer")
+ kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.gnome.Shell.Screenshot" "org.kde.kiod5" "org.kde.kwin.Screenshot" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver"
"ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer")
 kKnownSystemBusNames=("org.freedesktop.systemd1" "org.freedesktop.Avahi.*" "org.freedesktop.login1" "org.freedesktop.NetworkManager" "org.freedesktop.UPower" "org.freedesktop.UDisks2" "org.freedesktop.fwupd")
 kFlatsealNameAccess=("org.gnome.Software" "org.freedesktop.impl.portal.PermissionStore")