Merge pull request #2068 from mscribe/master

Verify kernel with GPG and sha256 checksum
2025-07-20 09:39:08 +00:00 · 2017-06-20 09:50:47 -07:00 · 2017-06-20 09:50:47 -07:00 · 324605c48c
commit 324605c48c
parent 7258e09b1f 1e1afd77d2
2 changed files with 1365 additions and 2 deletions
--- a/kernel/Dockerfile
+++ b/kernel/Dockerfile
@ -13,6 +13,7 @@ RUN apk add \
    flex \
    git \
    gmp-dev \
+    gnupg \
    installkernel \
    kmod \
    libelf-dev \
@ -33,10 +34,23 @@ ARG KERNEL_SERIES
 ARG DEBUG

 ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
+ENV KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
+ENV KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.sign

-RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE}
+# PGP keys: 589DA6B1 (greg@kroah.com) & 6092693E (autosigner@kernel.org)
+COPY keys.asc keys.asc

-RUN cat linux-${KERNEL_VERSION}.tar.xz | tar --absolute-names -xJ &&  mv /linux-${KERNEL_VERSION} /linux
+# Download and verify kernel
+RUN curl -fsSLO ${KERNEL_SHA256_SUMS} && \
+    gpg2 -q --import keys.asc && \
+    gpg2 --verify sha256sums.asc && \
+    KERNEL_SHA256=$(grep linux-${KERNEL_VERSION}.tar.xz sha256sums.asc | cut -d ' ' -f 1) && \
+    curl -fsSLO ${KERNEL_SOURCE} && \
+    echo "${KERNEL_SHA256}  linux-${KERNEL_VERSION}.tar.xz" | sha256sum -c - && \
+    xz -d linux-${KERNEL_VERSION}.tar.xz && \
+    curl -fsSLO ${KERNEL_PGP2_SIGN} && \
+    gpg2 --verify linux-${KERNEL_VERSION}.tar.sign linux-${KERNEL_VERSION}.tar && \
+    cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux

 COPY kernel_config-${KERNEL_SERIES} /linux/arch/x86/configs/x86_64_defconfig
 COPY kernel_config.debug /linux/debug_config
--- a/kernel/keys.asc
+++ b/kernel/keys.asc