|
|
| (One intermediate revision by one user not shown) |
| Line 1: |
Line 1: |
| − | {{public}}
| |
| − | = Automagic fetch + execute trusted remote scripts =
| |
| | | | |
| − | Here is a script for fetching remote signed scripts from a public place, and executing.
| |
| − | The script is not run when the signatures does not match.
| |
| − |
| |
| − | == GPG Signing ==
| |
| − | === Key creation and handling ===
| |
| − | ''Out of scope''
| |
| − | === Script signing ===
| |
| − | The following command will sign the 0.sh script with the 7B599096 key, creating the signed 0.sh.asc file.
| |
| − | <source lang='bash'>
| |
| − | gpg --clearsign -u 7B599096 0.sh
| |
| − | </source>
| |
| − |
| |
| − | === Key sharing ===
| |
| − | On the signing machine, export the key
| |
| − | <source lang='bash'>
| |
| − | gpg --output key.pub --armor --export 7B599096
| |
| − | </source>
| |
| − | On the 'client' machine, import the key :
| |
| − | <source lang='bash'>
| |
| − | gpg --import key.pub
| |
| − | </source>
| |
| − | === Script setup ===
| |
| − | * Copy the script below into /root/run_updates.sh
| |
| − | * Add the following line to the root's crontab : "@reboot /root/run_updates.sh &> /dev/null"
| |
| − | == Script ==
| |
| − | Update DEST and REMOTE_URL as necessary.
| |
| − | <source lang='bash'>
| |
| − | #!/bin/bash
| |
| − | #
| |
| − | # Update script
| |
| − | #
| |
| − | # * This script will fetch update scripts from REMOTE_URL
| |
| − | # * Update scripts should be named 0.sh.asc, 1.sh.asc, ...
| |
| − | # * The file LAST in DEST will hold the last script downloaded regardless of the success of execution
| |
| − |
| |
| − | DEST=/usr/share/heivs/heivsupdate
| |
| − | REMOTE_URL='http://wiki.hevs.ch/uit/index.php5?title=Tools/ddrxupdates/'
| |
| − | REMOTE_URL_END='&action=raw'
| |
| − | mkdir -p $DEST
| |
| − | cd $DEST
| |
| − |
| |
| − | # The file named LAST will hold the last update number
| |
| − | # Create it if it does not exist
| |
| − | #
| |
| − | if [ ! -e LAST ]
| |
| − | then
| |
| − | CURRENT=0
| |
| − | echo -n $CURRENT > LAST
| |
| − | fi
| |
| − | CURRENT=`cat LAST`
| |
| − |
| |
| − | while [ 1 ]
| |
| − | do
| |
| − | wget -q "$REMOTE_URL$CURRENT.sh.asc$REMOTE_URL_END" -O $CURRENT.sh.asc
| |
| − | if [ ! -e $CURRENT.sh.asc ] || [ ! -s $CURRENT.sh.asc ]
| |
| − | then
| |
| − | echo nothing new
| |
| − | exit 0
| |
| − | fi
| |
| − |
| |
| − | gpg -q --decrypt --output $CURRENT.sh $CURRENT.sh.asc &> /dev/null
| |
| − | if [ $? -ne 0 ]
| |
| − | then
| |
| − | echo $CURRENT.sh.asc:signature invalid
| |
| − | echo signature invalid >> $CURRENT.log
| |
| − | else
| |
| − | echo $CURRENT.sh.asc:signature valid
| |
| − | echo signature valid >> $CURRENT.log
| |
| − | chmod +x $CURRENT.sh
| |
| − | echo running ./$CURRENT.sh >> $CURRENT.log
| |
| − | ./$CURRENT.sh >> $CURRENT.log
| |
| − | fi
| |
| − |
| |
| − | rm $CURRENT.sh.asc $CURRENT.sh
| |
| − |
| |
| − | ((CURRENT++))
| |
| − | echo -n $CURRENT > LAST
| |
| − | done
| |
| − |
| |
| − | </source>
| |
| − |
| |
| − | [[Tools/ddrxupdates/0.sh.asc]]
| |
| − | [[Tools/ddrxupdates/1.sh.asc]]
| |
