Removes external image signature checking

Cleans up code and removes external OS signature checking code as it's not very reliable and not currently being used. Source signature checking will remain in place.
2026-01-23 02:34:26 +00:00 · 2020-01-12 16:12:52 -06:00 · 2020-01-12 16:12:52 -06:00 · bcbc90d51b
commit bcbc90d51b
parent bd936fe36a
16 changed files with 12 additions and 120 deletions
--- a/roles/netbootxyz/defaults/main.yml
+++ b/roles/netbootxyz/defaults/main.yml
@ -10,7 +10,6 @@ time_server: "0.pool.ntp.org"
 # signature checking
 sigs_menu: false
 sigs_enabled: false
-img_sigs_enabled: false

 # helper app locations
 memdisk_location: "http://${boot_domain}/memdisk"
--- a/roles/netbootxyz/templates/menu/alpinelinux.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/alpinelinux.ipxe.j2
@ -11,7 +11,7 @@ goto ${menu}
 clear alpine_version
 set os {{ releases.alpinelinux.name }}
 iseq ${arch} x86_64 && set bootarch x86_64 || set bootarch x86
-menu ${os} [${bootarch}] - Image Sig Checks: [${img_sigs_enabled}]
+menu ${os} [${bootarch}]
 item --gap Releases
 {% for item in releases.alpinelinux.versions %}
 item {{ item.code_name }} ${space} ${os} {{ item.name }}
@ -29,15 +29,6 @@ initrd ${base-url}/${dir}/initramfs-lts
 echo
 echo MD5sums:
 md5sum vmlinuz-lts initramfs-lts
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify vmlinuz-lts ${sigs}${dir}/vmlinuz-lts.sig || goto error
-imgverify initramfs-lts ${sigs}${dir}/initramfs-lts.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot

 :alpine_exit
--- a/roles/netbootxyz/templates/menu/archlinux.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/archlinux.ipxe.j2
@ -43,4 +43,4 @@ goto archlinux_exit

 :archlinux_exit
 clear menu
-exit 0
+exit 0
--- a/roles/netbootxyz/templates/menu/boot.cfg.j2
+++ b/roles/netbootxyz/templates/menu/boot.cfg.j2
@ -16,9 +16,6 @@ set live_endpoint {{ live_endpoint }}
 # signature check enabled?
 set sigs_enabled {{ sigs_enabled | default(false) | bool | lower }}

-# image signatures check enabled?
-set img_sigs_enabled {{ img_sigs_enabled | default(false) | bool | lower }}
-
 # set location of signatures for sources
 set sigs {{ sigs_location }}

--- a/roles/netbootxyz/templates/menu/centos.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/centos.ipxe.j2
@ -11,7 +11,7 @@ goto ${menu} ||
 :centos
 clear osversion
 set os {{ releases.centos.name }}
-menu ${os} - ${arch} - Image Sig Checks: [${img_sigs_enabled}]
+menu ${os} - ${arch}
 {% for item in releases.centos.versions %}
 item {{ item.code_name }} ${space} ${os} {{ item.name }}
 {% endfor %}
@ -65,16 +65,6 @@ initrd ${centos_mirror}/${dir}/images/pxeboot/initrd.img
 echo
 echo MD5sums:
 md5sum vmlinuz initrd.img
-iseq ${osversion} 8-stream && echo Rolling release, skipping sig checks && goto skip_sigs ||
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify vmlinuz ${sigs}${dir}/images/pxeboot/vmlinuz.sig || goto error
-imgverify initrd.img ${sigs}${dir}/images/pxeboot/initrd.img.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot
 goto linux_menu

--- a/roles/netbootxyz/templates/menu/debian.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/debian.ipxe.j2
@ -9,7 +9,7 @@ goto ${menu}
 set os Debian
 clear debian_version
 clear older_release
-menu ${os} - ${arch_a} - Image Sig Checks: [${img_sigs_enabled}]
+menu ${os} - ${arch_a}
 item --gap Latest Releases
 {% for item in releases.debian.versions.stable %}
 item {{ item.code_name }} ${space} ${os} {{ item.name }}
@ -82,16 +82,6 @@ initrd ${debian_mirror}/${dir}/initrd.gz
 echo
 echo MD5sums:
 md5sum linux initrd.gz
-iseq ${img_sigs_enabled} true && iseq ${older_release} true && goto skip_sigs ||
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify linux ${sigs}${dir}/linux.sig || goto error
-imgverify initrd.gz ${sigs}${dir}/initrd.gz.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot

 :debian_exit
--- a/roles/netbootxyz/templates/menu/devuan.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/devuan.ipxe.j2
@ -9,7 +9,7 @@ goto ${menu}
 set os Devuan
 clear devuan_version
 clear older_release
-menu ${os} - ${arch_a} - Image Sig Checks: [${img_sigs_enabled}]
+menu ${os} - ${arch_a}
 item --gap Latest Releases
 {% for item in releases.devuan.versions.stable %}
 item {{ item.code_name }} ${space} ${os} {{ item.name }}
@ -69,16 +69,6 @@ initrd ${devuan_mirror}/${dir}/initrd.gz
 echo
 echo MD5sums:
 md5sum linux initrd.gz
-iseq ${img_sigs_enabled} true && iseq ${older_release} true && goto skip_sigs ||
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify linux ${sigs}${dir}/linux.sig || goto error
-imgverify initrd.gz ${sigs}${dir}/initrd.gz.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot

 :devuan_exit
--- a/roles/netbootxyz/templates/menu/fedora.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/fedora.ipxe.j2
@ -13,7 +13,7 @@ clear osversion
 clear sku_type
 clear ova
 set os {{ releases.fedora.name }}
-menu ${os} - ${arch} - Image Sig Checks: [${img_sigs_enabled}]
+menu ${os} - ${arch}
 item --gap Latest Releases
 {% for item in releases.fedora.versions %}
 item {{ item.code_name }} ${space} ${os} {{ item.name }}
@ -67,16 +67,6 @@ initrd ${fedora_mirror}/${dir}/images/pxeboot/initrd.img
 echo
 echo MD5sums:
 md5sum vmlinuz initrd.img
-iseq ${osversion} rawhide && goto skip_sigs ||
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify vmlinuz ${sigs}${dir}/images/pxeboot/vmlinuz.sig || goto error
-imgverify initrd.img ${sigs}${dir}/images/pxeboot/initrd.img.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot
 goto linux_menu

--- a/roles/netbootxyz/templates/menu/ipfire.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/ipfire.ipxe.j2
@ -8,7 +8,7 @@ goto ${menu} ||
 :ipfire
 clear osversion
 set os {{ releases.ipfire.name }}
-menu ${os} - Image Sig Checks: [${img_sigs_enabled}]
+menu ${os}
 {% for item in releases.ipfire.versions %}
 item {{ item.code_name }} ${space} ${os} {{ item.name }}
 {% endfor %}
@ -24,15 +24,6 @@ initrd ${ipfire_mirror}/${dir}/instroot
 echo
 echo MD5sums:
 md5sum vmlinuz instroot
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify vmlinuz ${sigs}ipfire/${dir}/vmlinuz.sig || goto error
-imgverify instroot ${sigs}ipfire/${dir}/instroot.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot

 :ipfire_exit
--- a/roles/netbootxyz/templates/menu/mageia.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/mageia.ipxe.j2
@ -10,7 +10,7 @@ goto ${menu} ||

 :mageia
 set os {{ releases.mageia.name }}
-menu ${os} - ${arch} - Image Sig Checks: [${img_sigs_enabled}]
+menu ${os} - ${arch}
 {% for item in releases.mageia.versions %}
 item {{ item.code_name }} ${space} ${os} {{ item.name }}
 {% endfor %}
@ -28,15 +28,6 @@ imgargs vmlinuz automatic=${automatic} vga=788 splash=silent ${console} initrd=a
 echo
 echo MD5sums:
 md5sum vmlinuz all.rdz
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify vmlinuz ${sigs}${dir}/${dir2}/vmlinuz.sig || goto error
-imgverify all.rdz ${sigs}${dir}/${dir2}/all.rdz.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot || goto mageia

 :mageia_exit
--- a/roles/netbootxyz/templates/menu/menu.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/menu.ipxe.j2
@ -64,9 +64,6 @@ item --gap Signature Checks:
 {% if sigs_enabled | bool %}
 item sig_check ${space} {{ site_name }} [ enabled: ${sigs_enabled} ]
 {% endif %}
-{% if img_sigs_enabled | bool %}
-item img_sigs_check ${space} Images [ enabled: ${img_sigs_enabled} ]
-{% endif %}
 {% endif %}
 {% if custom_github_menus | bool %}
 isset ${github_user} && item --gap Custom Github Menu: ||
@ -113,10 +110,6 @@ goto main_menu
 iseq ${sigs_enabled} true && set sigs_enabled false || set sigs_enabled true
 goto main_menu

-:img_sigs_check
-iseq ${img_sigs_enabled} true && set img_sigs_enabled false || set img_sigs_enabled true
-goto main_menu
-
 :about
 chain https://boot.netboot.xyz/about.ipxe || chain about.ipxe 
 goto main_menu
--- a/roles/netbootxyz/templates/menu/opensuse.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/opensuse.ipxe.j2
@ -57,7 +57,7 @@ set netsetup netsetup=hostip,gateway,nameserver hostip=${ip}/${prefix} gateway=$
 set netsetup ${netsetup} BOOTIF=${netX/mac}

 set distro opensuse
-menu openSUSE - ${arch} - Image Sig Checks: [${img_sigs_enabled}]
+menu openSUSE - ${arch}
 {% for item in releases.opensuse.versions %}
 item {{ item.code_name }} ${space} ${os} {{ item.name }}
 {% endfor %}
@ -72,16 +72,6 @@ imgargs linux ${netsetup} install=${opensuse_mirror}/${dir} ${params} ${console}
 echo
 echo MD5sums:
 md5sum linux initrd
-iseq ${img_sigs_enabled} true && iseq ${version} tumbleweed && goto skip_sigs ||
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify linux ${sigs}${distro}/${dir}/boot/x86_64/loader/linux.sig || goto error
-imgverify initrd ${sigs}${distro}/${dir}/boot/x86_64/loader/initrd.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot

 :opensuse_exit
--- a/roles/netbootxyz/templates/menu/ubuntu.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/ubuntu.ipxe.j2
@ -8,7 +8,7 @@ goto ${menu}
 :ubuntu
 set os Ubuntu
 clear ubuntu_version
-menu ${os} - ${arch_a} - Image Sig Checks: [${img_sigs_enabled}]
+menu ${os} - ${arch_a}
 item --gap Latest Releases
 {% for item in releases.ubuntu.versions %}
 item {{ item.code_name }} ${space} ${os} {{ item.name }}
@ -66,16 +66,6 @@ initrd ${ubuntu_mirror}/${dir}/initrd.gz
 echo
 echo MD5sums:
 md5sum linux initrd.gz
-iseq ${img_sigs_enabled} true && iseq ${older_release} true && goto skip_sigs ||
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify linux ${sigs}${dir}/linux.sig || goto error
-imgverify initrd.gz ${sigs}${dir}/initrd.gz.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot

 :ubuntu_exit
--- a/roles/netbootxyz/templates/menu/utils-efi.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/utils-efi.ipxe.j2
@ -1,6 +1,6 @@
 #!ipxe

-menu Utilities - Image Sig Checks: [${img_sigs_enabled}]
+menu Utilities
 item --gap Utilities:
 {% for key, value in utilitiesefi.items() | sort(attribute='1.name') %}
 {% if value.enabled %}
--- a/roles/netbootxyz/templates/menu/utils-pcbios.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/utils-pcbios.ipxe.j2
@ -1,6 +1,6 @@
 #!ipxe

-menu Utilities - Image Sig Checks: [${img_sigs_enabled}]
+menu Utilities
 item --gap Utilities:
 {% for key, value in utilitiespcbios.items() | sort(attribute='1.name') %}
 {% if value.enabled %}
@ -46,15 +46,6 @@ initrd --name ${util_file} ${util_path}
 echo
 echo MD5sums:
 md5sum memdisk ${util_file}
-iseq ${img_sigs_enabled} true && goto verify_sigs || goto skip_sigs
-:verify_sigs
-echo
-echo Checking signatures...
-imgverify memdisk ${sigs}memdisk.sig || goto error
-imgverify ${util_file} ${sigs}${menu}/${util_file}.sig || goto error
-echo Signatures verified!
-echo
-:skip_sigs
 boot
 goto utils_exit

--- a/script/netbootxyz-overrides.yml
+++ b/script/netbootxyz-overrides.yml
@ -1,7 +1,6 @@
 ---
 sigs_menu: true
 sigs_enabled: true
-img_sigs_enabled: false
 generate_disks_arm: true
 generate_version_file: true
 bootloader_multiple: true