From 111d62002787e59f190f71bc3b9bce60e286cd44 Mon Sep 17 00:00:00 2001 From: Andrew Phelps Date: Fri, 6 Dec 2024 14:01:08 -0800 Subject: [PATCH] [3.0] Documentation: Add references to ARM64 3.0 ISO (#11328) --- README.md | 2 +- .../docs/security/iso-image-verification.md | 27 +++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index dac96479232..f05c1487e13 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ Instructions for building Azure Linux 3.0 may be found here: [Toolkit Documentat ### ISO -To try Azure Linux Download the ISO here: [Azure Linux 3.0 x86_64 ISO](https://aka.ms/azurelinux-3.0-x86_64.iso) +To try Azure Linux Download the ISO here: [Azure Linux 3.0 x86_64 ISO](https://aka.ms/azurelinux-3.0-x86_64.iso) / [Azure Linux 3.0 aarch64 ISO](https://aka.ms/azurelinux-3.0-aarch64.iso) Before using a downloaded ISO, [verify the checksum and signature of the image](toolkit/docs/security/iso-image-verification.md). diff --git a/toolkit/docs/security/iso-image-verification.md b/toolkit/docs/security/iso-image-verification.md index 4559da5e77f..4c7e4b37d97 100644 --- a/toolkit/docs/security/iso-image-verification.md +++ b/toolkit/docs/security/iso-image-verification.md @@ -2,6 +2,7 @@ It is strongly recommended that the integrity of the image is verified after downloading it. This is a two-step process. First, ensure that the checksum file has not been tampered with by verifying the signature against Azure Linux's RPM signing public key. Second, check that the ISO image was not corrupted during the download. The following bash script shows the commands necessary to download the iso image and check the signature: +# x86_64 ISO verification: ```bash # Download the necessary files wget https://aka.ms/AzureLinux-3.0-x86_64.iso 
@@ -26,3 +27,29 @@ gpg --verify "$SIGNATURE_FILE" "$CHECKSUM_FILE" dos2unix "$CHECKSUM_FILE" sha256sum --check "$CHECKSUM_FILE" ``` + +# aarch64 ISO verification: +```bash +# Download the necessary files +wget https://aka.ms/AzureLinux-3.0-aarch64.iso +wget https://aka.ms/azurelinux-3.0-aarch64-iso-checksum +wget https://aka.ms/azurelinux-3.0-aarch64-iso-checksum-signature +wget https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/azurelinux-repos/MICROSOFT-RPM-GPG-KEY + +# Set Variables for the checksum and signature file names +CHECKSUM_FILE="azurelinux-3.0-aarch64-iso-checksum" +SIGNATURE_FILE="azurelinux-3.0-aarch64-iso-checksum-signature" + +# Import the RPM signing public key into the local GPG keystore +gpg --import MICROSOFT-RPM-GPG-KEY + +# Verify that the checksum file was produced by the Azure Linux team +# The output of this command should contain the following string: +# 'Good signature from "Azure Linux RPM Release Signing "' +gpg --verify "$SIGNATURE_FILE" "$CHECKSUM_FILE" + +# Verify that the ISO image checksum matches the expected checksum +# We need to fix the line endings on the signature file to get sha256sum to accept it +dos2unix "$CHECKSUM_FILE" +sha256sum --check "$CHECKSUM_FILE" +```
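Review bot: In the README.md hunk, the rewritten line still reads "To try Azure Linux Download the ISO here", with a stray capital and no punctuation. Since the line is being touched anyway, change it to "To try Azure Linux, download the ISO here:". The new link also uses the lowercase path azurelinux-3.0-aarch64.iso, while the verification doc in this same patch fetches AzureLinux-3.0-aarch64.iso. Pick one casing so a reader gets the same local file name whichever page they start from.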
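Review bot: In the first iso-image-verification.md hunk, the added "# x86_64 ISO verification:" line is a top-level heading placed between the sentence "The following bash script shows the commands necessary to download the iso image and check the signature:" and the code fence it introduces, with no blank line before the fence. That sentence now has to cover two scripts, so reword it to mention both architectures. Then put each script under a lower-level heading without the trailing colon, followed by a blank line.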
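Review bot: In the added aarch64 block, nothing stops the script when gpg --verify "$SIGNATURE_FILE" "$CHECKSUM_FILE" fails. The reader is only told to look for 'Good signature from ...' in the output, and sha256sum --check then runs against a checksum file that was never authenticated. Add set -e at the top of the block, or append || exit 1 to the gpg --verify line, so a bad signature halts the procedure. MICROSOFT-RPM-GPG-KEY is also imported exactly as downloaded, so consider documenting the expected key fingerprint for the reader to compare before trusting the result. The comment "We need to fix the line endings on the signature file" does not match the command below it, which runs dos2unix on "$CHECKSUM_FILE", so it should say checksum file. Finally, this block differs from the x86_64 one only in the architecture string, so a single script with an ARCH variable would keep the two from drifting apart.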