From 3568b05ed80804398833036713797fb594e7ad3a Mon Sep 17 00:00:00 2001
From: "Elijah C. Voigt" <elijah.caine@coreos.com>
Date: Tue, 2 May 2017 16:15:23 -0700
Subject: [PATCH 1/2] os: secure url and verify isos.

---
 os/booting-with-ipxe.md | 8 ++++----
 os/booting-with-iso.md  | 6 +++---
 os/kernel-modules.md    | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/os/booting-with-ipxe.md b/os/booting-with-ipxe.md
index 833b06374..be28faca6 100644
--- a/os/booting-with-ipxe.md
+++ b/os/booting-with-ipxe.md
@@ -43,7 +43,7 @@ Container Linux is designed to be [updated automatically](https://coreos.com/why
       <pre>
 #!ipxe
 
-set base-url http://alpha.release.core-os.net/amd64-usr/current
+set base-url https://alpha.release.core-os.net/amd64-usr/current
 kernel ${base-url}/coreos_production_pxe.vmlinuz coreos.config.url=https://example.com/pxe-config.ign
 initrd ${base-url}/coreos_production_pxe_image.cpio.gz
 boot</pre>
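Review bot: Changing `set base-url` to `https://` assumes the reader's iPXE binary was built with HTTPS support (`DOWNLOAD_PROTO_HTTPS`) and can validate the certificate chain of release.core-os.net; a build without it will stop at the `kernel` line instead of booting. A sentence above the `<pre>` block stating that requirement would help, for example `These scripts require an iPXE build with HTTPS enabled.`, unless the page already says so outside this hunk. The same applies to the beta and stable scripts in the next two hunks. TLS authenticates the server only: the kernel and initrd are still not signature-checked in this script, which the page could say explicitly.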
@@ -54,7 +54,7 @@ boot</pre>
       <pre>
 #!ipxe
 
-set base-url http://beta.release.core-os.net/amd64-usr/current
+set base-url https://beta.release.core-os.net/amd64-usr/current
 kernel ${base-url}/coreos_production_pxe.vmlinuz coreos.config.url=https://example.com/pxe-config.ign
 initrd ${base-url}/coreos_production_pxe_image.cpio.gz
 boot</pre>
@@ -65,7 +65,7 @@ boot</pre>
       <pre>
 #!ipxe
 
-set base-url http://stable.release.core-os.net/amd64-usr/current
+set base-url https://stable.release.core-os.net/amd64-usr/current
 kernel ${base-url}/coreos_production_pxe.vmlinuz coreos.config.url=https://example.com/pxe-config.ign
 initrd ${base-url}/coreos_production_pxe_image.cpio.gz
 boot</pre>
@@ -97,7 +97,7 @@ Immediately iPXE should download your boot script URL and start grabbing the ima
 
 ```sh
 ${YOUR_BOOT_URL}... ok
-http://alpha.release.core-os.net/amd64-usr/current/coreos_production_pxe.vmlinuz... 98%
+https://alpha.release.core-os.net/amd64-usr/current/coreos_production_pxe.vmlinuz... 98%
 ```
 
 After a few moments of downloading Container Linux should boot normally.
diff --git a/os/booting-with-iso.md b/os/booting-with-iso.md
index ce948bdb8..8a088eb93 100644
--- a/os/booting-with-iso.md
+++ b/os/booting-with-iso.md
@@ -16,7 +16,7 @@ The latest Container Linux ISOs can be downloaded from the image storage site:
       <a href="https://alpha.release.core-os.net/amd64-usr/current/coreos_production_iso_image.iso" class="btn btn-primary">Download Alpha ISO</a>
       <a href="https://alpha.release.core-os.net/amd64-usr/current/" class="btn btn-default">Browse Storage Site</a>
       <br/><br/>
-      <p>All of the files necessary to verify the image can be found on the storage site.</p>
+      <p>Before you go further, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
     </div>
     <div class="tab-pane" id="beta">
       <div class="channel-info">
@@ -25,7 +25,7 @@ The latest Container Linux ISOs can be downloaded from the image storage site:
       <a href="https://beta.release.core-os.net/amd64-usr/current/coreos_production_iso_image.iso" class="btn btn-primary">Download Beta ISO</a>
       <a href="https://beta.release.core-os.net/amd64-usr/current/" class="btn btn-default">Browse Storage Site</a>
       <br/><br/>
-      <p>All of the files necessary to verify the image can be found on the storage site.</p>
+      <p>Before you go further, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
     </div>
     <div class="tab-pane active" id="stable">
       <div class="channel-info">
@@ -34,7 +34,7 @@ The latest Container Linux ISOs can be downloaded from the image storage site:
       <a href="https://stable.release.core-os.net/amd64-usr/current/coreos_production_iso_image.iso" class="btn btn-primary">Download Stable ISO</a>
       <a href="https://stable.release.core-os.net/amd64-usr/current/" class="btn btn-default">Browse Storage Site</a>
       <br/><br/>
-      <p>All of the files necessary to verify the image can be found on the storage site.</p>
+      <p>Before you go further, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
     </div>
   </div>
 </div>
diff --git a/os/kernel-modules.md b/os/kernel-modules.md
index e38bd65e4..e041c4606 100644
--- a/os/kernel-modules.md
+++ b/os/kernel-modules.md
@@ -44,7 +44,7 @@ Read system configuration files to determine the URL of the development containe
 . /usr/share/coreos/release
 . /usr/share/coreos/update.conf
 . /etc/coreos/update.conf  # This might not exist.
-url="http://${GROUP:-stable}.release.core-os.net/$COREOS_RELEASE_BOARD/$COREOS_RELEASE_VERSION/coreos_developer_container.bin.bz2"
+url="https://${GROUP:-stable}.release.core-os.net/$COREOS_RELEASE_BOARD/$COREOS_RELEASE_VERSION/coreos_developer_container.bin.bz2"
 ```
 
 Download, decompress, and verify the development container image.

From 9d9d7b77a9d434e89190473b9f41275cbfefa192 Mon Sep 17 00:00:00 2001
From: "Elijah C. Voigt" <elijah.caine@coreos.com>
Date: Wed, 3 May 2017 11:31:58 -0700
Subject: [PATCH 2/2] os/booting: Add note about securing download.

---
 os/booting-on-eucalyptus.md | 21 +++++++++++++++++++++
 os/booting-on-openstack.md  | 21 +++++++++++++++++++++
 os/booting-on-vmware.md     | 21 +++++++++++++++++++++
 os/booting-with-iso.md      | 24 +++++++++++++++++++++---
 4 files changed, 84 insertions(+), 3 deletions(-)

diff --git a/os/booting-on-eucalyptus.md b/os/booting-on-eucalyptus.md
index 93fc478b7..88b3bb376 100644
--- a/os/booting-on-eucalyptus.md
+++ b/os/booting-on-eucalyptus.md
@@ -31,6 +31,13 @@ Uploaded coreos-production/coreos_production_openstack_image.raw.manifest.xml
 $ euca-register coreos-production/coreos_production_openstack_image.raw.manifest.xml --virtualization-type hvm --name "Container Linux-Production"
 emi-E4A33D45
       </pre>
+      <p>Before you go further, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://alpha.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2.sig
+$ gpg --verify coreos_production_openstack_image.img.bz2.sig
+      </pre>
     </div>
     <div class="tab-pane" id="beta-create">
       <p>The Beta channel consists of promoted Alpha releases. The current version is Container Linux {{site.beta-channel}}.</p>
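Review bot: The verification block is added after the `euca-register` output, so a reader working top to bottom has already bundled, uploaded and registered the image before reaching `gpg --verify`. The "Before you go further" paragraph and its `<pre>` block belong directly after the download step, which is outside this hunk. Also, `gpg --verify coreos_production_openstack_image.img.bz2.sig` expects `coreos_production_openstack_image.img.bz2` in the current directory, while the visible context already refers to a `.raw` image, so the compressed file may no longer exist at this point; confirm against the earlier steps. The beta and stable hunks below have the same placement.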
@@ -46,6 +53,13 @@ Uploaded coreos-production/coreos_production_openstack_image.raw.manifest.xml
 $ euca-register coreos-production/coreos_production_openstack_image.raw.manifest.xml --virtualization-type hvm --name "Container Linux-Production"
 emi-E4A33D45
       </pre>
+      <p>Before you go further, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://beta.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2.sig
+$ gpg --verify coreos_production_openstack_image.img.bz2.sig
+      </pre>
     </div>
     <div class="tab-pane active" id="stable-create">
       <p>The Stable channel should be used by production clusters. Versions of Container Linux are battle-tested within the Beta and Alpha channels before being promoted. The current version is Container Linux {{site.stable-channel}}.</p>
@@ -61,6 +75,13 @@ Uploaded coreos-production/coreos_production_openstack_image.raw.manifest.xml
 $ euca-register coreos-production/coreos_production_openstack_image.raw.manifest.xml --virtualization-type hvm --name "Container Linux-Production"
 emi-E4A33D45
       </pre>
+      <p>Before you go further, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://stable.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2.sig
+$ gpg --verify coreos_production_openstack_image.img.bz2.sig
+      </pre>
     </div>
   </div>
 </div>
diff --git a/os/booting-on-openstack.md b/os/booting-on-openstack.md
index a0e7454c2..d219ce25b 100644
--- a/os/booting-on-openstack.md
+++ b/os/booting-on-openstack.md
@@ -22,6 +22,13 @@ Container Linux is designed to be [updated automatically](https://coreos.com/why
 <pre>
 $ wget https://alpha.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2
 $ bunzip2 coreos_production_openstack_image.img.bz2
+</pre>
+<p>Before you continue, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+<pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://alpha.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2.sig
+$ gpg --verify coreos_production_openstack_image.img.bz2.sig
 </pre>
     </div>
     <div class="tab-pane" id="beta-create">
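Review bot: `gpg --verify coreos_production_openstack_image.img.bz2.sig` is placed after `bunzip2 coreos_production_openstack_image.img.bz2`, which by default deletes the `.bz2` file the signature covers, so the check as written cannot find the signed data. Verify before decompressing by moving the `bunzip2` line below `gpg --verify`, or keep the archive with `bunzip2 -k coreos_production_openstack_image.img.bz2`. Verifying first also means the decompressor never parses unauthenticated input. The beta and stable hunks below repeat the same order.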
@@ -29,6 +36,13 @@ $ bunzip2 coreos_production_openstack_image.img.bz2
 <pre>
 $ wget https://beta.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2
 $ bunzip2 coreos_production_openstack_image.img.bz2
+</pre>
+<p>Before you continue, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+<pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://beta.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2.sig
+$ gpg --verify coreos_production_openstack_image.img.bz2.sig
 </pre>
     </div>
   <div class="tab-pane active" id="stable-create">
@@ -36,6 +50,13 @@ $ bunzip2 coreos_production_openstack_image.img.bz2
 <pre>
 $ wget https://stable.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2
 $ bunzip2 coreos_production_openstack_image.img.bz2
+</pre>
+<p>Before you continue, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+<pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://stable.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2.sig
+$ gpg --verify coreos_production_openstack_image.img.bz2.sig
 </pre>
     </div>
   </div>
diff --git a/os/booting-on-vmware.md b/os/booting-on-vmware.md
index be868db28..fca5777dc 100644
--- a/os/booting-on-vmware.md
+++ b/os/booting-on-vmware.md
@@ -20,18 +20,39 @@ Container Linux is designed to be [updated automatically](https://coreos.com/why
         <p>The Stable channel should be used by production clusters. Versions of Container Linux are battle-tested within the Beta and Alpha channels before being promoted. The current version is Container Linux {{site.stable-channel}}.</p>
        </div>
       <pre>curl -LO https://stable.release.core-os.net/amd64-usr/current/coreos_production_vmware_ova.ova</pre>
+      <p>Before you continue, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://stable.release.core-os.net/amd64-usr/current/coreos_production_vmware_ova.ova.sig
+$ gpg --verify coreos_production_vmware_ova.ova.sig
+      </pre>
     </div>
     <div class="tab-pane" id="alpha">
       <div class="channel-info">
         <p>The Alpha channel closely tracks master and is released frequently. The newest versions of system libraries and utilities will be available for testing. The current version is Container Linux {{site.alpha-channel}}.</p>
       </div>
       <pre>curl -LO https://alpha.release.core-os.net/amd64-usr/current/coreos_production_vmware_ova.ova</pre>
+      <p>Before you continue, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://alpha.release.core-os.net/amd64-usr/current/coreos_production_vmware_ova.ova.sig
+$ gpg --verify coreos_production_vmware_ova.ova.sig
+      </pre>
     </div>
     <div class="tab-pane" id="beta">
       <div class="channel-info">
         <p>The Beta channel consists of promoted Alpha releases. The current version is Container Linux {{site.beta-channel}}.</p>
       </div>
       <pre>curl -LO https://beta.release.core-os.net/amd64-usr/current/coreos_production_vmware_ova.ova</pre>
+      <p>Before you continue, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://beta.release.core-os.net/amd64-usr/current/coreos_production_vmware_ova.ova.sig
+$ gpg --verify coreos_production_vmware_ova.ova.sig
+      </pre>
     </div>
   </div>
 </div>
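Review bot: The added block imports `CoreOS_Image_Signing_Key.asc` and goes straight to `gpg --verify` without ever checking the key's fingerprint; `--keyid-format LONG` on `--import` only changes how key IDs are displayed. The block should add a step that compares the imported key with the fingerprint published on the linked verify-images page, e.g. `gpg --fingerprint <KEY_ID_FROM_VERIFY_IMAGES_PAGE>`. It should also tell the reader to confirm that `gpg --verify` reports a good signature made by that key, not merely by some key in their keyring. The same four-line block appears in the Eucalyptus, OpenStack and ISO sections of this patch.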
diff --git a/os/booting-with-iso.md b/os/booting-with-iso.md
index 8a088eb93..e752d54be 100644
--- a/os/booting-with-iso.md
+++ b/os/booting-with-iso.md
@@ -16,7 +16,13 @@ The latest Container Linux ISOs can be downloaded from the image storage site:
       <a href="https://alpha.release.core-os.net/amd64-usr/current/coreos_production_iso_image.iso" class="btn btn-primary">Download Alpha ISO</a>
       <a href="https://alpha.release.core-os.net/amd64-usr/current/" class="btn btn-default">Browse Storage Site</a>
       <br/><br/>
-      <p>Before you go further, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <p>Before you continue, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://alpha.release.core-os.net/amd64-usr/current/coreos_production_iso_image.iso.sig
+$ gpg --verify coreos_production_iso_image.iso.sig
+      </pre>
     </div>
     <div class="tab-pane" id="beta">
       <div class="channel-info">
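Review bot: `gpg --verify coreos_production_iso_image.iso.sig` relies on gpg finding the ISO beside the signature under exactly that name, but here the ISO comes from a browser download button and the signature from `wget` in a shell, so the two may be in different directories. Naming both files is more robust and makes explicit what is being checked: `gpg --verify coreos_production_iso_image.iso.sig /path/to/coreos_production_iso_image.iso`. Both URLs point at `current/`, so a release published between the two downloads will make the check fail. A sentence telling the reader to re-download both files in that case would avoid people ignoring the failure. The beta and stable hunks below are identical in this respect.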
@@ -25,7 +31,13 @@ The latest Container Linux ISOs can be downloaded from the image storage site:
       <a href="https://beta.release.core-os.net/amd64-usr/current/coreos_production_iso_image.iso" class="btn btn-primary">Download Beta ISO</a>
       <a href="https://beta.release.core-os.net/amd64-usr/current/" class="btn btn-default">Browse Storage Site</a>
       <br/><br/>
-      <p>Before you go further, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <p>Before you continue, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://beta.release.core-os.net/amd64-usr/current/coreos_production_iso_image.iso.sig
+$ gpg --verify coreos_production_iso_image.iso.sig
+      </pre>
     </div>
     <div class="tab-pane active" id="stable">
       <div class="channel-info">
@@ -34,7 +46,13 @@ The latest Container Linux ISOs can be downloaded from the image storage site:
       <a href="https://stable.release.core-os.net/amd64-usr/current/coreos_production_iso_image.iso" class="btn btn-primary">Download Stable ISO</a>
       <a href="https://stable.release.core-os.net/amd64-usr/current/" class="btn btn-default">Browse Storage Site</a>
       <br/><br/>
-      <p>Before you go further, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <p>Before you continue, <a href="https://coreos.com/os/docs/latest/verify-images.html">verify your download</a>.</p>
+      <pre>
+$ curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
+$ gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc
+$ wget -q https://stable.release.core-os.net/amd64-usr/current/coreos_production_iso_image.iso.sig
+$ gpg --verify coreos_production_iso_image.iso.sig
+      </pre>
     </div>
   </div>
 </div>