Embed checksum in ISO so its integrity can be checked #3026

Closed
NicolasT opened this issue Jan 12, 2021 · 1 comment
@NicolasT
Contributor

We currently ship a `SHA256SUM` file with the ISO build artifact, which is a well-understood way to check the integrity of files, e.g., after downloading.

Red Hat/Fedora install media, which are also ISOs (as software files or on burnt media), have an embedded checksum for the data segments in an otherwise unused sector of the ISO. This allows for the integrity of the (data on the) ISO to be validated without requiring an 'external' source of information (e.g., such a `SHA256SUM` file). The `implantisomd5` and `checkisomd5` tools (from `isomd5sum`) can be used to achieve this.

Once we embed this in our ISOs, the `import-iso.sh` script could be extended to validate the integrity of a MetalK8s (or solution) ISO before continuing the import process.
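
The validation step proposed above for `import-iso.sh`, as an added example that is not MetalK8s code: it compares the ISO against its `SHA256SUM` entry, then runs `checkisomd5`, and treats any non-zero exit from the checker as a failure. The names `verify_iso` and `ISO_CHECKER` are hypothetical.

```sh
#!/bin/sh
# Added example, not part of MetalK8s. Usage: verify_iso ISO [SHA256SUM_FILE]
# Exit status: 0 = verified, 1 = a checksum did not match,
#              2 = verification could not be performed.
# ISO_CHECKER is a hypothetical override (handy in tests); default: checkisomd5.

verify_iso() (
    iso=$1
    sums=${2:-}
    checker=${ISO_CHECKER:-checkisomd5}

    [ -r "$iso" ] || { echo "cannot read $iso" >&2; exit 2; }

    # 1. External check. The SHA256SUM file is computed after the MD5 is
    #    implanted, so it covers the final bytes of the image. Only this
    #    check says anything about tampering, and only if the SHA256SUM
    #    file itself comes from a trusted place.
    if [ -n "$sums" ]; then
        name=$(basename "$iso")
        expected=$(awk -v f="$name" \
            '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
        [ -n "$expected" ] || { echo "no SHA256SUM entry for $name" >&2; exit 2; }
        actual=$(sha256sum "$iso" | cut -d' ' -f1)
        [ "$expected" = "$actual" ] || { echo "SHA-256 mismatch for $name" >&2; exit 1; }
    fi

    # 2. Embedded check. Needs no external file, so it still works on burnt
    #    media, but it detects corruption only: the MD5 travels inside the
    #    image it describes.
    command -v "$checker" >/dev/null 2>&1 ||
        { echo "$checker is not installed" >&2; exit 2; }
    "$checker" "$iso" >/dev/null 2>&1 ||
        { echo "embedded checksum check failed for $iso" >&2; exit 1; }
)

# Run as a script: ./verify-iso.sh path/to/image.iso path/to/SHA256SUM
if [ "$#" -gt 0 ]; then verify_iso "$@"; fi
```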

@NicolasT NicolasT self-assigned this Jan 12, 2021
NicolasT added a commit that referenced this issue Jan 13, 2021
The `isomd5sum` tools allow embedding a hash of data sectors found in an
ISO file in an otherwise unused section, hence allowing the integrity of
(the data sectors of) an ISO image to be checked. This is, e.g., also
done for RHEL/CentOS/Fedora ISOs (their integrity can be checked at boot
time).

This commit adds a call to `implantisomd5` at the end of the buildchain,
right after the ISO is created and before its SHA256 is calculated.

Given this, one can run `checkisomd5` on a resulting ISO file after
download to ensure it's not corrupted.

Fixes: #3026
See: #3026
See: https://github.com/rhinstaller/isomd5sum
NicolasT added a commit that referenced this issue Jan 14, 2021
The `isomd5sum` tools allow embedding a hash of data sectors found in an
ISO file in an otherwise unused section, hence allowing the integrity of
(the data sectors of) an ISO image to be checked. This is, e.g., also
done for RHEL/CentOS/Fedora ISOs (their integrity can be checked at boot
time).

This commit adds a call to `implantisomd5` at the end of the buildchain,
right after the ISO is created and before its SHA256 is calculated.

Given this, one can run `checkisomd5` on a resulting ISO file after
download to ensure it's not corrupted.

Also mention the check in the docs, the `implantisomd5` requirement in
the developer docs, and add some code in the CI scripts to validate the
ISO using the embedded MD5 if present, next to the `SHA256SUM`.

Fixes: #3026
See: #3026
See: https://github.com/rhinstaller/isomd5sum
@NicolasT
Contributor Author

#3032
