Add decode_payload script to extract and verify update payloads #23
Conversation
|
The format is documented in https://github.com/flatcar/update_engine/blob/flatcar-master/src/update_engine/update_metadata.proto but I will add more comments about how offsets are calculated and the parsing of the output. |
| "data:"*) | ||
| SIGDATA=$(echo "${LINE}" | cut -d '"' -f 2- | head -c-2 | sed 's/%/%%/g') | ||
| # This is a workaround for the dev-key vs prod-key case: sed '/signatures {/d' | sed '/ version: 2/d' | ||
| SIGHEX=$(printf -- "${SIGDATA}" | sed '/signatures {/d' | sed '/ version: 2/d' | openssl rsautl -verify -pubin -inkey "${PUBKEY}" -raw | tail -c 32 | od -An -vtx1 -w1024 | tr -d ' ') |
There was a problem hiding this comment.
openssl rsautl is deprecated from OpenSSL 3.x (https://www.openssl.org/docs/man3.0/man1/openssl-rsautl.html):
This command has been deprecated. The openssl-pkeyutl(1) command should be used instead.
What about something like this:
| SIGHEX=$(printf -- "${SIGDATA}" | sed '/signatures {/d' | sed '/ version: 2/d' | openssl rsautl -verify -pubin -inkey "${PUBKEY}" -raw | tail -c 32 | od -An -vtx1 -w1024 | tr -d ' ') | |
| SIGHEX=$(printf -- "${SIGDATA}" | sed '/signatures {/d' | sed '/ version: 2/d' | openssl pkeyutl -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pkcs1 -verify -pubin -inkey "${PUBKEY}" | tail -c 32 | od -An -vtx1 -w1024 | tr -d ' ') |
(not tested)
There was a problem hiding this comment.
I hoped there was an easier way to get the hash but so far I couldn't find it.
pothos
force-pushed
the
kai/decode-helper
branch
from
8d6aa9a
to
197a1db
Compare
| # This is a workaround for the dev-key vs prod-key case: sed '/signatures {/d' | sed '/ version: 2/d' | ||
| SIGHEX=$(printf -- "${SIGDATA}" | sed '/signatures {/d' | sed '/ version: 2/d' | openssl rsautl -verify -pubin -inkey "${PUBKEY}" -raw | tail -c 32 | od -An -vtx1 -w1024 | tr -d ' ') |
There was a problem hiding this comment.
If there's signatures { then won't the closing } mess anything up?
There was a problem hiding this comment.
It's very strange, I don't know why this even appears for the dev-key case
pothos
force-pushed
the
kai/decode-helper
branch
from
1715bdf
to
f510d60
Compare
For payloads created with the delta_generator we have no tool to decode them again. Add a standalone bash script that relies on protoc to decode the update payloads, extract the payload and optionally the secondary kernel payload, and verify the signature.
pothos
force-pushed
the
kai/decode-helper
branch
from
f510d60
to
eac6138
Compare
|
I'll merge now, it's mainly for validation and testing, not used in the Flatcar image. |
For payloads created with the delta_generator we have no tool to decode them again.
Add a standalone bash script that relies on protoc to decode the update payloads, extract the payload and optionally the secondary kernel payload, and verify the signature.
How to use
Testing done
For prod:
Used https://update.release.flatcar-linux.net/amd64-usr/3510.2.2/flatcar_production_update.gz and compared to https://stable.release.flatcar-linux.net/amd64-usr/3510.2.2/flatcar_production_update.bin.bz2
For dev:
Also used Stable but the
flatcar_test_update.gzSysext case for dev (from bincache):
Used
flatcar_test_update-oem-azure.gzand compared tooem-azure.rawThe prod case wasn't tested!