Pass both portage-latest.tar.xz and its detached signature
(.gpgsig) to VerifyFile for proper GPG verification.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
CentOS Stream 10, similar to Stream 9, uses a `SHA256SUM` file for checksums rather than the `sha256sum.txt.asc` pattern used by older releases.
This commit updates the logic to correctly identify and use `SHA256SUM` for CentOS Stream 10, resolving build failures where the downloader would incorrectly return a 404 for the non-existent `.asc` file.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
Rocky 8/9 only provides plain CHECKSUM files without GPG signatures,
so verification must be skipped.
Rocky 10 provides a detached CHECKSUM.asc signature. This is now
downloaded separately to perform verification against the CHECKSUM file.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
Since .DIGESTS is a clearsigned file that needs GPG verification,
download it separately to persist on disk.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
This commit introduces a centralized GPG verification requirement logic
in `sources/common.go` via the `validateGPGRequirements` method.
It ensures consistent security constraints across multiple supported distributions.
Specific security fixes included:
- Rocky Linux: Fixed an issue where the `CHECKSUM` file was downloaded but not GPG verified.
- CentOS: Fixed an issue where `SHA256SUM` and `CHECKSUM` files were downloaded but not GPG verified.
- Gentoo: Added GPG requirement validation for the portage snapshot download URL.
Fixes: https://github.com/lxc/distrobuilder/issues/963
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
Replace chained `strings.HasPrefix` calls with a `switch` statement on the existing `majorVersion` variable for improved readability and maintainability.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
AlmaLinux 9 and 10 use a `CHECKSUM` file similar to version 8, rather than `sha256sum.txt.asc`.
This change updates the logic to use the correct checksum file for versions 9 and 10.
It also fixes a security issue where `CHECKSUM` files were not being GPG verified because the check was restricted to files ending in `.asc`.
Signed-off-by: Chaosoffire <81634128+chaosoffire@users.noreply.github.com>
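The two commits above (the centralized `validateGPGRequirements` check and the AlmaLinux `CHECKSUM` fix) both turn on the same point: the checksum file name and its signature layout differ per distribution and version, and the "is it signed?" decision must not be keyed on a `.asc` suffix. The following is an added illustration of that fail-closed policy, written for this page and not taken from distrobuilder; the distro names, the `SigMode` type and the two functions are assumptions, with the file layouts taken from the commit messages.

```go
package main

import (
	"errors"
	"fmt"
)

// SigMode describes how a distribution's checksum file is signed.
type SigMode int

const (
	SigNone      SigMode = iota // plain file, nothing to verify (Rocky 8/9 CHECKSUM)
	SigClearsign                // signature embedded in the file (CHECKSUM, SHA256SUM, .DIGESTS)
	SigDetached                 // separate signature file (Rocky 10 CHECKSUM.asc)
)

// ChecksumSource names the checksum file, its detached signature (if any) and the mode.
type ChecksumSource struct {
	File, SigFile string
	Mode          SigMode
}

// checksumSource maps (distro, major version) to the layouts listed in the commit
// messages. Hypothetical helper; the version boundaries follow the commits verbatim.
func checksumSource(distro string, major int) (ChecksumSource, error) {
	switch distro {
	case "almalinux": // 8, 9 and 10 all use CHECKSUM, older releases sha256sum.txt.asc
		if major >= 8 {
			return ChecksumSource{File: "CHECKSUM", Mode: SigClearsign}, nil
		}
		return ChecksumSource{File: "sha256sum.txt.asc", Mode: SigClearsign}, nil
	case "centos": // Stream 9/10 use SHA256SUM, older releases sha256sum.txt.asc
		if major >= 9 {
			return ChecksumSource{File: "SHA256SUM", Mode: SigClearsign}, nil
		}
		return ChecksumSource{File: "sha256sum.txt.asc", Mode: SigClearsign}, nil
	case "rockylinux": // 10 ships a detached CHECKSUM.asc, 8/9 ship an unsigned CHECKSUM
		if major >= 10 {
			return ChecksumSource{File: "CHECKSUM", SigFile: "CHECKSUM.asc", Mode: SigDetached}, nil
		}
		return ChecksumSource{File: "CHECKSUM", Mode: SigNone}, nil
	case "gentoo":
		return ChecksumSource{File: ".DIGESTS", Mode: SigClearsign}, nil
	}
	return ChecksumSource{}, fmt.Errorf("unknown distro %q", distro)
}

// validateGPGRequirements fails closed: verification is decided by Mode, never by the
// file suffix, and an unsigned checksum file is only accepted with an explicit opt-out.
func validateGPGRequirements(src ChecksumSource, keysConfigured, skipVerification bool) error {
	if skipVerification {
		return nil
	}
	if !keysConfigured {
		return errors.New("GPG verification required but no keys configured")
	}
	if src.Mode == SigNone {
		return fmt.Errorf("%s carries no GPG signature; refusing to trust it unverified", src.File)
	}
	return nil
}

func main() {
	src, _ := checksumSource("rockylinux", 9)
	fmt.Println(validateGPGRequirements(src, true, false))
}
```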
* fixes issues with extracting to wrong directory
* allows pulling from other oci registries (will still pull from docker if unspecified)
* allows to specify digest (can't specify both digest and tag at the same time)
Signed-off-by: timbretimber <105982513+timbretimber@users.noreply.github.com>
This reverts commit 8a6088f94a.
The Alma Linux 10 support came with forcing a change of package manager
which then broke all existing image builds.
Instead the approach taken for Rocky is much simpler and should avoid
regressions coming from the switch from yum to dnf for all existing
images.
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>