Linux Install/UpdateScript



Automagic fetch + execute trusted remote scripts

Here is a script for fetching signed scripts from a remote location and executing them. A script is not run when its signature does not verify against the expected signing key.

GPG Signing

Key creation and handling

Out of scope

Script signing

The following command will sign the 0.sh script with the 30BB6F22 key, creating the signed 0.sh.asc file.

gpg --clearsign -u 30BB6F22 0.sh

Key sharing

On the signing machine, export the key

gpg --output key.pub  --armor --export 30BB6F22

On the 'client' machine, import the key. Importing only adds the key to root's keyring: gpg reports a good signature for any key in that keyring, so the update script below must additionally check that the signature was made by this particular key.

gpg --import key.pub

Script setup

  • Copy the script below into /root/heivs_updates.sh and make it executable. It embeds the FTP credentials, so keep it readable by root only (chmod 700).
  • Add the following line to root's crontab : "@reboot /root/heivs_updates.sh > /dev/null 2>&1" (cron runs its commands with /bin/sh, where the bash-only "&>" is not a redirection: the script would be started in the background and its output mailed to root)

Script

Update DEST, REMOTE_URL and SIGNING_KEY as necessary.

#!/bin/bash
#
# Update script
#
# * This script fetches update scripts from REMOTE_URL
# * Update scripts must be named 0.sh.asc, 1.sh.asc, ... and be clearsigned with SIGNING_KEY
# * The file LAST in DEST holds the number of the last script downloaded, regardless of
#   whether its signature verified or its execution succeeded
# * A script whose signature does not verify is logged, skipped and never executed;
#   the counter still advances to the next number

DEST=/usr/share/heivs/heivsupdate
# remote url written from \\ftpsion\FTP\Data\drxx
# NOTE: ftp:// sends these credentials and the files in clear text and gives no
# integrity guarantee; the signature check below is the only thing that prevents
# running a tampered or substituted script.
REMOTE_URL='ftp://drxx:mcuu31@ftpsion.hevs.ch/'
REMOTE_URL_END=''
# Key id (or full fingerprint) of the signing key imported on this machine.
# Signatures from any other key in root's keyring are rejected.
SIGNING_KEY=30BB6F22

mkdir -p "$DEST"
# Everything below works relative to DEST; never continue in the wrong directory
cd "$DEST" || exit 1

# The file named LAST holds the last update number
# Create it if it does not exist
#
if [ ! -e LAST ]
then
	CURRENT=0
	echo -n "$CURRENT" > LAST
fi
CURRENT=$(cat LAST)

# Wait for the network to be ready
# FIXME : find a better way for doing that, implement a service ?
sleep 60

while true
do
	wget -q "$REMOTE_URL$CURRENT.sh.asc$REMOTE_URL_END" -O "$CURRENT.sh.asc"
	# wget -O creates the output file even when the download fails,
	# so an empty file also means "no such update"
	if [ ! -e "$CURRENT.sh.asc" ] || [ ! -s "$CURRENT.sh.asc" ]
	then
		rm -f "$CURRENT.sh.asc"
		echo nothing new
		exit 0
	fi

	# Verify the clearsigned script and write its body to CURRENT.sh.
	# gpg exits 0 for a good signature from *any* key in the keyring, so the
	# status output must also contain a VALIDSIG line for SIGNING_KEY
	# (a short key id is matched against the end of the full fingerprint).
	STATUS=$(gpg -q --batch --yes --status-fd 1 --decrypt \
	         --output "$CURRENT.sh" "$CURRENT.sh.asc" 2> /dev/null)
	if [ $? -ne 0 ] || ! echo "$STATUS" | grep -Eq "^\[GNUPG:\] VALIDSIG [0-9A-F]*${SIGNING_KEY} "
	then
		echo "$CURRENT.sh.asc:signature invalid"
		echo signature invalid >> "$CURRENT.log"
	else
		echo "$CURRENT.sh.asc:signature valid"

		# Remove DOS line endings (the signature has already been verified)
		tr -d '\r' < "$CURRENT.sh" > "$CURRENT.sh.unix"
		mv "$CURRENT.sh.unix" "$CURRENT.sh"

		echo signature valid >> "$CURRENT.log"
		chmod +x "$CURRENT.sh"
		echo "running ./$CURRENT.sh" >> "$CURRENT.log"
		./"$CURRENT.sh" >> "$CURRENT.log" 2>&1
	fi

	rm -f "$CURRENT.sh.asc" "$CURRENT.sh"

	CURRENT=$((CURRENT + 1))
	echo -n "$CURRENT" > LAST
done
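The acceptance decision the updater has to make is "was this signed by the key imported in Key sharing", not merely "did gpg find some good signature". The following added example (written for this page; it is not the wiki's own script) shows that decision as two shell functions run against constructed samples of gpg's --status-fd output, and adds one check the script above does not make: because the signature covers only the script body and not its file name, an old, validly signed script could be re-served under a later number, so the example also requires the signed body to state its own sequence number. The names EXPECTED_KEY, signature_ok, accept_update, the sample fingerprints and the "# UPDATE_SEQ=<n>" line convention are assumptions introduced here; the status lines are hand-written in the shape gpg prints, not real gpg output.

```shell
#!/bin/bash
# Added example, not the wiki's own code. Decides whether gpg status output proves a
# signature by the expected key, and whether the signed body matches the sequence
# number it was downloaded under. Sample data below is constructed, not real.

EXPECTED_KEY=30BB6F22   # key id from the page; a full 40-hex fingerprint works too

# signature_ok STATUSFILE
# Succeeds only if gpg reported VALIDSIG for a key whose fingerprint ends in
# EXPECTED_KEY and reported no bad, unverifiable, expired or revoked signature.
# A plain exit-status check would also accept a good signature from any other
# key in the keyring; this does not.
signature_ok() {
    status="$1"
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) ' "$status"; then
        return 1
    fi
    grep -Eq "^\[GNUPG:\] VALIDSIG [0-9A-F]*${EXPECTED_KEY} " "$status"
}

# accept_update STATUSFILE SCRIPT SEQ
# Assumed convention: every signed script carries a line "# UPDATE_SEQ=<n>".
# Requiring n to equal the number the file was fetched under ties the signature
# to the sequence position, so an old signed script cannot be replayed as a new one.
accept_update() {
    signature_ok "$1" || return 1
    grep -qx "# UPDATE_SEQ=$3" "$2"
}

# --- constructed sample data (shape of gpg --status-fd output, not real output) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

GOOD_STATUS="$WORK/good.status"
cat > "$GOOD_STATUS" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111130BB6F22 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111130BB6F22 2024-01-01 1704067200 0 4 0 1 8 01 1111111111111111111111111111111130BB6F22
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF

# Valid signature, but from a different key that also sits in the keyring.
OTHER_KEY_STATUS="$WORK/otherkey.status"
cat > "$OTHER_KEY_STATUS" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222299AABBCC Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 2222222222222222222222222222222299AABBCC 2024-01-01 1704067200 0 4 0 1 8 01 2222222222222222222222222222222299AABBCC
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF

# Tampered content: the signature does not verify.
BAD_STATUS="$WORK/bad.status"
cat > "$BAD_STATUS" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1111111130BB6F22 Example Signer <signer@example.invalid>
EOF

# Body of a signed script that declares itself as update number 3.
GOOD_SCRIPT="$WORK/3.sh"
cat > "$GOOD_SCRIPT" <<'EOF'
#!/bin/bash
# UPDATE_SEQ=3
echo "applying update 3"
EOF

for s in "$GOOD_STATUS" "$OTHER_KEY_STATUS" "$BAD_STATUS"; do
    if signature_ok "$s"; then echo "$s: accepted"; else echo "$s: rejected"; fi
done
if accept_update "$GOOD_STATUS" "$GOOD_SCRIPT" 3; then echo "3.sh accepted as update 3"; fi
if ! accept_update "$GOOD_STATUS" "$GOOD_SCRIPT" 4; then echo "3.sh rejected as update 4"; fi
```

Matching the short id against the tail of the fingerprint is only there because the page works with 30BB6F22; short ids are cheap to collide, so in practice put the full 40-hex fingerprint in EXPECTED_KEY, which the same pattern accepts unchanged.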