From cbca2d702f9aee9cf845104f63125485ad1dd89a Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 12 Nov 2020 11:53:30 -0500
Subject: [PATCH] Add Version back to sig files

---
 salt/common/tools/sbin/so-features-enable | 57 +++++++++++++++++++----
 salt/common/tools/sbin/so-image-common    |  8 ++--
 setup/so-functions                        |  8 ++--
 3 files changed, 56 insertions(+), 17 deletions(-)

diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable
index 0f2d694fe..65e9bcec7 100755
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
@@ -51,22 +51,61 @@ manager_check() {
 }
 
 manager_check
+
+# Let's make sure we have the public key
+curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -
+  
+CONTAINER_REGISTRY=quay.io
+SIGNPATH=/root/sosigs
+rm -rf $SIGNPATH
+mkdir -p $SIGNPATH
+if [ -z "$BRANCH" ]; then
+  BRANCH="master"
+fi
+
 VERSION=$(lookup_pillar soversion) 
 # Modify global.sls to enable Features
-sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
-  "so-elasticsearch:$VERSION$SUFFIX" \
-  "so-filebeat:$VERSION$SUFFIX" \
-  "so-kibana:$VERSION$SUFFIX" \
-  "so-logstash:$VERSION$SUFFIX" )
+  "so-elasticsearch" \
+  "so-filebeat" \
+  "so-kibana" \
+  "so-logstash" )
 
 for i in "${TRUSTED_CONTAINERS[@]}"
 do
     # Pull down the trusted docker image
     echo "Downloading $i"
-    docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i
-    # Tag it with the new registry destination
-    docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
-    docker push $HOSTNAME:5000/$IMAGEREPO/$i
+    docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX
+    
+    # Get signature
+    curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$VERSION/$i:$VERSION$SUFFIX.sig --output $SIGNPATH/$i:$VERSION$SUFFIX.sig
+    if [[ $? -ne 0 ]]; then
+      echo "Unable to pull signature file for $i:$VERSION$SUFFIX"
+      exit 1
+    fi
+    # Dump our hash values
+    DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX)
+       
+    echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION$SUFFIX.txt
+    echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION$SUFFIX.txt
+        
+    if [[ $? -ne 0 ]]; then
+      echo "Unable to inspect $i:$VERSION:$SUFFIX"
+      exit 1
+    fi
+    GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION$SUFFIX.sig $SIGNPATH/$i:$VERSION$SUFFIX.txt 2>&1)
+    if [[ $? -eq 0 ]]; then
+      # Tag it with the new registry destination
+      docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$SUFFIX
+      docker push $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$SUFFIX
+    else
+      echo "There is a problem downloading the $i:$VERSION$SUFFIX image. Details: "
+      echo ""
+      echo $GPGTEST
+      exit 1
+    fi
+    
+
 done
+sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index b0c4e5bca..fe89a0c4a 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -106,7 +106,7 @@ update_docker_containers() {
     docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION
     
     # Get signature
-    curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$VERSION/$i.sig --output $SIGNPATH/$i.sig
+    curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$VERSION/$i:$VERSION.sig --output $SIGNPATH/$i:$VERSION.sig
     if [[ $? -ne 0 ]]; then
       echo "Unable to pull signature file for $i:$VERSION"
       exit 1
@@ -114,14 +114,14 @@ update_docker_containers() {
     # Dump our hash values
     DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION)
        
-    echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i.txt
-    echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i.txt
+    echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION.txt
+    echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION.txt
         
     if [[ $? -ne 0 ]]; then
       echo "Unable to inspect $i:$VERSION"
       exit 1
     fi
-    GPGTEST=$(gpg --verify $SIGNPATH/$i.sig $SIGNPATH/$i.txt 2>&1)
+    GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION.sig $SIGNPATH/$i:$VERSION.txt 2>&1)
     if [[ $? -eq 0 ]]; then
       # Tag it with the new registry destination
       docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION
diff --git a/setup/so-functions b/setup/so-functions
index cd0baf205..86233b4de 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -952,7 +952,7 @@ docker_seed_registry() {
                         docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION
     
     			# Get signature
-    			curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$VERSION/$i.sig --output $SIGNPATH/$i.sig
+    			curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$VERSION/$i:$VERSION.sig --output $SIGNPATH/$i:$VERSION.sig
     			if [[ $? -ne 0 ]]; then
       				echo "Unable to pull signature file for $i:$VERSION"
       				exit 1
@@ -960,14 +960,14 @@ docker_seed_registry() {
     			# Dump our hash values
 			DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION)
     
-                        echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i.txt
-                        echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i.txt
+                        echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION.txt
+                        echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION.txt
 			
 			if [[ $? -ne 0 ]]; then
       				echo "Unable to inspect $i"
       				exit 1
     			fi
-    				GPGTEST=$(gpg --verify $SIGNPATH/$i.sig $SIGNPATH/$i.txt 2>&1)
+    				GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION.sig $SIGNPATH/$i:$VERSION.txt 2>&1)
     			if [[ $? -eq 0 ]]; then
       			# Tag it with the new registry destination
       				docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION