[BACK]Return to fw_install.sh CVS log [TXT][DIR] Up to [local] / openbsd / fw_update

Diff for /openbsd/fw_update/fw_install.sh between version 1.7 and 1.8

version 1.7, 2021/10/14 03:00:02 version 1.8, 2021/10/16 19:31:13
Line 13 
Line 13 
         done          done
 }  }
   
 # do_as, unpriv, and unpriv2 are from install.sub  # tmpdir, do_as, unpriv, and unpriv2 are from install.sub
   
   # Create a temporary directory based on the supplied directory name prefix.
   tmpdir() {
           local _i=1 _dir
   
           until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do
                   ((++_i < 10000)) || return 1
           done
           echo "$_dir"
   }
   
 # Run a command ($2+) as unprivileged user ($1).  # Run a command ($2+) as unprivileged user ($1).
 # Take extra care that after "cmd" no "user" processes exist.  # Take extra care that after "cmd" no "user" processes exist.
 #  #
Line 60 
Line 70 
         do_as _file "$@"          do_as _file "$@"
 }  }
   
   _issue=
   fail() {
           echo $_issue >&2
           exit 1
   }
   
 VNAME=$(sysctl -n kern.osrelease)  VNAME=$(sysctl -n kern.osrelease)
 VERSION="${VNAME%.*}${VNAME#*.}"  VERSION="${VNAME%.*}${VNAME#*.}"
 FWDIR="$VNAME"  FWDIR="$VNAME"
Line 92 
Line 108 
         exit 0          exit 0
 fi  fi
   
 tmpdir=${DESTDIR}/tmp/fw_update  _src=$FWURL
 [ -e "$tmpdir" ] && rm -rf "$tmpdir"  if _tmpsrc=$( tmpdir "${DESTDIR}/tmp/fw_update" ); then
 mkdir -p "$tmpdir"          (
 cd "$tmpdir"          >$_tmpsrc/t &&
           $_unpriv cat $_tmpsrc/t
           ) >/dev/null 2>&1 ||
               rm -r $_tmpsrc
   fi
   
 # TODO: Drop privs during fetch and verify  [[ ! -d $_tmpsrc ]] &&
 ftp -D Get -Vm "$FWURL/SHA256.sig"          _issue="Cannot create prefetch area" && fail
   
 # Probably should bundle the firmware sigfile on the installer,  cd "$_tmpsrc"
 # although we can just get it from the recently installed system.  
 if [ "$DESTDIR" ]; then  
         sigfile=$( sed -n '/^untrusted comment: verify with \(.*\)$/ { s//\1/p; q; }' SHA256.sig )  
         if [ ! -e "/etc/signify/$sigfile" ] \  
           && [ -e "${DESTDIR}/etc/signify/$sigfile" ]; then  
                 cp -a "${DESTDIR}/etc/signify/$sigfile" "/etc/signify/$sigfile"  
         fi  
 fi  
   
 signify -Ve -x SHA256.sig -m - < SHA256.sig > SHA256  _t=Get
   _cfile="$_tmpsrc/SHA256"
   _srclocal=false
   
   ! $_unpriv ftp -D "$_t" -Vmo - "$_src/SHA256.sig" >"$_cfile.sig" &&
       _issue="Cannot fetch SHA256.sig" && fail
   
   # Verify signature file with public keys.
   ! unpriv -f "$_cfile" \
       signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" &&
       _issue="Signature check of SHA256.sig failed" && fail
   
 for d in $drivers; do  for d in $drivers; do
         firmware=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" SHA256 )          _f=$( sed -n "s/.*(\($d-firmware-.*\.tgz\)).*/\1/p" "$_cfile" )
         installed=$( installed_firmware $d )          installed=$( installed_firmware "$d" )
   
         for i in $installed; do          for i in $installed; do
                 if [ "$firmware" = "$i.tgz" ]; then                  if [ "$_f" = "$i.tgz" ]; then
                         echo "Firmware for $d already installed ($installed)"                          echo "Firmware for $d already installed ($installed)"
                         continue 2                          continue 2
                 fi                  fi
         done          done
   
         mkdir $d          rm -f /tmp/h /tmp/fail
   
         # TODO: Drop privs during fetch and verify          _t=Get/Verify
         ftp -D "Get/Verify" -Vmo- "$FWURL/$firmware" | sha256 -bph "$d/h" > "$firmware"          # Fetch firmware file and create a checksum by piping through
         fgrep -qx "SHA256 ($firmware) = $(<$d/h)" SHA256          # sha256. Create a flag file in case ftp failed. Firmware
           # from net is written to the prefetch area.
           ( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) |
           ( $_srclocal && unpriv2 sha256 -b >/tmp/h ||
               unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" )
   
           # Handle failed transfer.
           if [[ -f /tmp/fail ]]; then
                   rm -f "$_tmpsrc/$_f"
                   _issue="Fetching of $_f failed!"
                   fail
           fi
   
           # Verify firmware by comparing its checksum with SHA256.
           if fgrep -qx "SHA256 ($_f) = $(</tmp/h)" "$_cfile"; then
                   #_unver=$(rmel $_f $_unver)
                   true
           else
                   [[ -d "$_tmpsrc" ]] && rm -rf "$_tmpsrc"
                   _issue="Checksum test for $_f failed."
                   fail
           fi
   
         # TODO: Check hash for files before deleting          # TODO: Check hash for files before deleting
         if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then          if [ "$installed" ] && [ -e "${PKGDIR}/$installed/+CONTENTS" ]; then
                 echo "Uninstalling $installed"                  echo "Uninstalling $installed"
Line 160 
Line 203 
   
         # TODO: Add some details about the install to +CONTENTS like pkg_add          # TODO: Add some details about the install to +CONTENTS like pkg_add
         # TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall          # TODO: Or, maybe we save the firmware someplace and make pkg_add reinstall
         echo "Installing $firmware"          echo "Installing $_f"
         tar -zxphf "$firmware" -C /etc "firmware/*"          tar -zxphf "$_f" -C /etc "firmware/*"
         mkdir -p ${PKGDIR}/${firmware%.tgz}/          mkdir -p ${PKGDIR}/${firmware%.tgz}/
         tar -zxphf "$firmware" -C "${PKGDIR}/${firmware%.tgz}" "+*"          tar -zxphf "$_f" -C "${PKGDIR}/${firmware%.tgz}" "+*"
         ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <<EOL          ed -s "${PKGDIR}/${firmware%.tgz}/+CONTENTS" <<EOL
 /^@comment pkgpath/ -1a  /^@comment pkgpath/ -1a
 @option manual-installation  @option manual-installation
Legend:
Removed from v.1.7  
changed lines
  Added in v.1.8
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>