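--- a/PLACEHOLDER_WIKI_PAGE_TITLE
+++ b/PLACEHOLDER_WIKI_PAGE_TITLE
-{{public}}
-= Automagic fetch + execute trusted remote scripts =
-Here is a script for fetching remote signed scripts from a public place, and executing.
-The script is not run when the signatures does not match.
-
-== GPG Signing ==
-=== Key creation and handling ===
-''Out of scope''
-=== Script signing ===
-The following command will sign the 0.sh script with the 7B599096 key, creating the signed 0.sh.asc file.
-<source lang='bash'>
-gpg --clearsign -u 7B599096 0.sh
-</source>
-
-=== Key sharing ===
-On the signing machine, export the key
-<source lang='bash'>
-gpg --output key.pub --armor --export 7B599096
-</source>
-On the 'client' machine, import the key :
-<source lang='bash'>
-gpg --import key.pub
-</source>
-=== Script setup ===
-* Copy the script below into /root/heivs_updates.sh
-* Add the following line to the root's crontab : "@reboot /root/heivs_updates.sh &> /dev/null"
-
-== Script ==
-Update DEST and REMOTE_URL as necessary.
-<source lang='bash'>
-#!/bin/bash
-#
-# Update script
-#
-# * This script will fetch update scripts from REMOTE_URL
-# * Update scripts should be named 0.sh.asc, 1.sh.asc, ...
-# * The file LAST in DEST will hold the last script downloaded regardless of the success of execution
-
-DEST=/usr/share/heivs/heivsupdate
-REMOTE_URL='http://wiki.hevs.ch/uit/index.php5?title=Tools/ddrxupdates/'
-REMOTE_URL_END='&action=raw'
-mkdir -p $DEST
-cd $DEST
-
-# The file named LAST will hold the last update number
-# Create it if it does not exist
-#
-if [ ! -e LAST ]
-then
-CURRENT=0
-echo -n $CURRENT > LAST
-fi
-CURRENT=`cat LAST`
-
-while [ 1 ]
-do
-wget -q "$REMOTE_URL$CURRENT.sh.asc$REMOTE_URL_END" -O $CURRENT.sh.asc
-if [ ! -e $CURRENT.sh.asc ] || [ ! -s $CURRENT.sh.asc ]
-then
-echo nothing new
-exit 0
-fi
-
-gpg -q --decrypt --output $CURRENT.sh $CURRENT.sh.asc &> /dev/null
-if [ $? -ne 0 ]
-then
-echo $CURRENT.sh.asc:signature invalid
-echo signature invalid >> $CURRENT.log
-else
-echo $CURRENT.sh.asc:signature valid
-echo signature valid >> $CURRENT.log
-chmod +x $CURRENT.sh
-echo running ./$CURRENT.sh >> $CURRENT.log
-./$CURRENT.sh >> $CURRENT.log
-fi
-
-rm $CURRENT.sh.asc $CURRENT.sh
-
-((CURRENT++))
-echo -n $CURRENT > LAST
-done
-
-</source>
-
-[[Tools/ddrxupdates/0.sh.asc]]
-[[Tools/ddrxupdates/1.sh.asc]]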