Pass both portage-latest.tar.xz and its detached signature
(.gpgsig) to VerifyFile for proper GPG verification.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
CentOS Stream 10, similar to Stream 9, uses a `SHA256SUM` file for checksums rather than the `sha256sum.txt.asc` pattern used by older releases.
This commit updates the logic to correctly identify and use `SHA256SUM` for CentOS Stream 10, resolving build failures where the downloader would incorrectly return a 404 for the non-existent `.asc` file.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
Rocky 8/9 only provides plain CHECKSUM files without GPG signatures,
so verification must be skipped.
Rocky 10 provides a detached CHECKSUM.asc signature. This is now
downloaded separately to perform verification against the CHECKSUM file.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
Since .DIGESTS is a clearsigned file that needs GPG verification,
download it separately to persist on disk.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
This commit introduces centralized GPG verification requirement logic
in `sources/common.go` via the `validateGPGRequirements` method.
It ensures consistent security constraints across multiple supported distributions.
Specific security fixes included:
- Rocky Linux: Fixed an issue where the `CHECKSUM` file was downloaded but not GPG verified.
- CentOS: Fixed an issue where `SHA256SUM` and `CHECKSUM` files were downloaded but not GPG verified.
- Gentoo: Added GPG requirement validation for the portage snapshot download URL.
Fixes: https://github.com/lxc/distrobuilder/issues/963
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
Replace chained `strings.HasPrefix` calls with a `switch` statement on the existing `majorVersion` variable for improved readability and maintainability.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
AlmaLinux 9 and 10 use a `CHECKSUM` file similar to version 8, rather than `sha256sum.txt.asc`.
This change updates the logic to use the correct checksum file for versions 9 and 10.
It also fixes a security issue where `CHECKSUM` files were not being GPG verified because the check was restricted to files ending in `.asc`.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
* fixes issues with extracting to the wrong directory
* allows pulling from other OCI registries (will still pull from Docker if unspecified)
* allows specifying a digest (can't specify both digest and tag at the same time)
Signed-off-by: timbretimber <105982513+timbretimber@users.noreply.github.com>
This reverts commit 8a6088f94a.
The AlmaLinux 10 support came with forcing a change of package manager
which then broke all existing image builds.
Instead the approach taken for Rocky is much simpler and should avoid
regressions coming from the switch from yum to dnf for all existing
images.
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Need to remove `gpgDir` after the test so that no gpg-agent processes
are left behind loitering.
Signed-off-by: Valery Ushakov <valery.ushakov@bell-sw.com>
The image.variant is an arbitrary user choice (e.g. an image that
includes cloud-init), while possible source.variant values are
predefined by the distro (e.g. libc, as is the case with Alpaquita).
Unfortunately, parts of the distrobuilder code base are confused about
this, so I followed the wrong example when I first wrote this code.
Signed-off-by: Valery Ushakov <valery.ushakov@bell-sw.com>
According to https://status.opensuse.org, mirrorcache-us.opensuse.org has been down for maintenance for 15 days. mirrorcache-eu.opensuse.org is still up, so switch temporarily to fix distrobuilder downloads.
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
This logic is confusing/outdated and newer debootstrap should be able to
cope out of the box. So let's remove it for now and we'll add back
specific exceptions if needed.
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>