From 594bf47b77906c025a9fd7d1ff6a2f42497fc2eb Mon Sep 17 00:00:00 2001
From: "Gerd v. Egidy"
Date: Wed, 23 Nov 2022 21:57:04 +0100
Subject: [PATCH] embed checksum into the .iso files created (isomd5sum)
These embedded checksums can help against accidental image corruption, for example due to bad cache data, broken mirror servers or bad media. They are not digital signatures and do *not* help against bad actors manipulating the .iso image. Images can be checked manually with the "checkisomd5" command. This is done automatically when using the Fedora media writer or the upcoming systemrescue-usbwriter.
---
 README.md | 2 +-
 build.sh | 3 +++
 docker/Dockerfile-build-iso-i686 | 2 +-
 docker/Dockerfile-build-iso-x86_64 | 2 +-
 4 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 99bbb7f..abd27ef 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ https://gitlab.archlinux.org/archlinux/archiso/ SystemRescue can be built for x86_64 or i686 architectures. It must be built on archlinux if you want to build a 64bit edition, or archlinux32 if you want to create a 32bit edition. The following packages must be installed on the
-build system: archiso, grub, mtools, edk2-shell, hugo.
+build system: archiso, grub, isomd5sum, mtools, edk2-shell, hugo.
 You need to use a modified version of archiso for the build to work. This version is provided in the custom `sysrescuerepo` repository. See the
diff --git a/build.sh b/build.sh
index c8ab354..33cfc05 100755
--- a/build.sh
+++ b/build.sh
@@ -403,6 +403,9 @@ make_iso() {
 ) # Create the ISO image
 setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" -L "${iso_label}" -P "${iso_publisher}" -A "${iso_application}" -o "${out_dir}" iso "${iso_name}-${iso_version}-${arch/x86_64/amd64}.iso"
+
+ # embed checksum
+ implantisomd5 "${out_dir}/${iso_name}-${iso_version}-${arch/x86_64/amd64}.iso"
 }
 if [[ ${EUID} -ne 0 ]]; then
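Review bot: The new `implantisomd5` call in make_iso rewrites the finished image in place, so any detached checksum file or signature published for a release has to be generated after this step rather than from mkarchiso's output; nothing in the hunk shows where those are produced, so that ordering is worth confirming. The comment could carry the caveat from the commit message, e.g. `# embed MD5 (isomd5sum): catches accidental corruption only, not tampering; modifies the image, so hash/sign afterwards`. The ISO file name is now spelled out twice, and building it once with `local iso_file="${iso_name}-${iso_version}-${arch/x86_64/amd64}.iso"` would keep the two commands from drifting apart. make_iso starts above the hunk.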
diff --git a/docker/Dockerfile-build-iso-i686 b/docker/Dockerfile-build-iso-i686
index a93fd1c..932585b 100644
--- a/docker/Dockerfile-build-iso-i686
+++ b/docker/Dockerfile-build-iso-i686
@@ -2,6 +2,6 @@ FROM fdupoux/archlinux32
 RUN mkdir -p /workspace
 COPY tmpfiles/pacman.conf /etc/pacman.conf
 RUN sed -i -e 's/^Architecture.*$/Architecture = i686/' /etc/pacman.conf
-RUN pacman -Syyu --noconfirm archiso binutils edk2-shell grub hugo mtools && rm -rf /var/cache/pacman/pkg/*
+RUN pacman -Syyu --noconfirm archiso binutils edk2-shell grub hugo isomd5sum mtools && rm -rf /var/cache/pacman/pkg/*
 CMD ["setarch","i686","/usr/bin/bash"]
 WORKDIR /workspace
diff --git a/docker/Dockerfile-build-iso-x86_64 b/docker/Dockerfile-build-iso-x86_64
index 37be4bc..8b6a43e 100644
--- a/docker/Dockerfile-build-iso-x86_64
+++ b/docker/Dockerfile-build-iso-x86_64
@@ -1,6 +1,6 @@
 FROM archlinux:latest
 RUN mkdir -p /workspace
 COPY tmpfiles/pacman.conf /etc/pacman.conf
-RUN pacman -Syyu --noconfirm archiso binutils edk2-shell grub hugo mtools && rm -rf /var/cache/pacman/pkg/*
+RUN pacman -Syyu --noconfirm archiso binutils edk2-shell grub hugo isomd5sum mtools && rm -rf /var/cache/pacman/pkg/*
 CMD ["setarch","x86_64","/usr/bin/bash"]
 WORKDIR /workspace
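Review bot: The added `isomd5sum` package is installed from whichever repositories `tmpfiles/pacman.conf` enables, and that file is not part of this patch, so the origin of a tool that now rewrites every release image cannot be judged from these lines. It is worth confirming that the repository serving it enforces package signature checks (pacman's `SigLevel`), and noting that origin next to the package list in the README. The same applies to the identical change in docker/Dockerfile-build-iso-x86_64.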