Tools/ddrxupdates
Revision as of 11:12, 28 August 2013
= Automagic fetch + execute trusted remote scripts =

Here is a script that fetches signed scripts from a public location and executes them. A script is not run when its signature does not verify.

== GPG Signing ==
=== Key creation and handling ===
''Out of scope''
=== Script signing ===
The following command signs the 0.sh script with the 7B599096 key, creating the clearsigned file 0.sh.asc:
<source lang='bash'>
gpg --clearsign -u 7B599096 0.sh
</source>

=== Key sharing ===
On the signing machine, export the public key:
<source lang='bash'>
gpg --output key.pub --armor --export 7B599096
</source>
On the 'client' machine, import the key:
<source lang='bash'>
gpg --import key.pub
</source>

== Script ==
Update DEST and REMOTE_URL as necessary.
<source lang='bash'>
#!/bin/bash
#
# Update script
#
# * This script will fetch update scripts from REMOTE_URL
# * Update scripts should be named 0.sh.asc, 1.sh.asc, ...
# * The file LAST in DEST will hold the last script downloaded regardless of the success of execution

DEST=/usr/share/heivs/heivsupdate
REMOTE_URL='http://wiki.hevs.ch/uit/index.php5?title=Tools/ddrxupdates/'
REMOTE_URL_END='&action=raw'

mkdir -p $DEST
# stop here rather than fetching and running scripts in the wrong directory
cd $DEST || exit 1

# The file named LAST will hold the last update number
# Create it if it does not exist
#
if [ ! -e LAST ]
then
    CURRENT=0
    echo -n $CURRENT > LAST
fi

CURRENT=`cat LAST`

while [ 1 ]
do
    # wget -O creates the file even on failure, hence the empty-file check below
    wget -q "$REMOTE_URL$CURRENT.sh.asc$REMOTE_URL_END" -O $CURRENT.sh.asc
    if [ ! -e $CURRENT.sh.asc ] || [ ! -s $CURRENT.sh.asc ]
    then
        echo nothing new
        exit 0
    fi

    # --decrypt verifies the clearsign and writes the plain script;
    # note it accepts a good signature from any key in the local keyring
    gpg -q --decrypt --output $CURRENT.sh $CURRENT.sh.asc &> /dev/null
    if [ $? -ne 0 ]
    then
        echo signature invalid
        echo signature invalid >> $CURRENT.log
    else
        echo signature valid >> $CURRENT.log
        chmod +x $CURRENT.sh
        echo running ./$CURRENT.sh >> $CURRENT.log
        ./$CURRENT.sh >> $CURRENT.log
    fi

    # $CURRENT.sh does not exist after a failed verification, so use -f
    rm -f $CURRENT.sh.asc $CURRENT.sh
    ((CURRENT++))
    echo -n $CURRENT > LAST
done
</source>
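The <code>gpg --decrypt</code> check in the script above exits 0 for a good signature from any key in the client's keyring, not only 7B599096, and regardless of that key's trust level. The following is an added example, not the wiki's script, that pins the signer by parsing gpg's machine-readable <code>--status-fd</code> lines; the fingerprint value is a placeholder and the sample status lines are constructed rather than captured from gpg.

```shell
#!/bin/sh
# Added example, not the wiki's script: accept an update only when it was
# signed by ONE pinned key. gpg exits 0 for a good signature from ANY key
# in the keyring, so the signer is checked from gpg's machine-readable
# --status-fd lines rather than from its exit status.
#
# EXPECTED_FPR is a placeholder (its last 8 digits echo the wiki's 7B599096
# key id); replace it with the 40-digit output of: gpg --fingerprint 7B599096
EXPECTED_FPR="000000000000000000000000000000007B599096"

# signer_ok STATUS_TEXT FPR: returns 0 only if STATUS_TEXT carries a VALIDSIG
# line for exactly FPR and no bad/missing/expired/revoked-signature marker.
signer_ok() {
    status="$1"; fpr="$2"
    if printf '%s\n' "$status" |
       grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # the first VALIDSIG field is the full fingerprint of the signing key
    printf '%s\n' "$status" | grep -Eq "^\[GNUPG:] VALIDSIG $fpr "
}

# verify_update FILE.asc OUT.sh: unwraps the clearsigned script into OUT.sh
# only when the signer is the pinned key; otherwise OUT.sh is removed.
verify_update() {
    asc="$1"; out="$2"
    # --status-fd 1 puts the status lines on stdout; gpg's chatter is dropped
    status=$(gpg --batch --yes --quiet --status-fd 1 --output "$out" --decrypt "$asc" 2>/dev/null)
    if signer_ok "$status" "$EXPECTED_FPR"; then
        return 0
    fi
    rm -f "$out"
    return 1
}

# Constructed status output (not captured from a real gpg run), one per case.
GOOD_PINNED='[GNUPG:] GOODSIG 000000007B599096 Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 000000000000000000000000000000007B599096 2013-08-28 1377684720 0 4 0 1 10 01 000000000000000000000000000000007B599096'
GOOD_OTHER_KEY='[GNUPG:] GOODSIG 1111111111111111 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2013-08-28 1377684720 0 4 0 1 10 01 1111111111111111111111111111111111111111'
BAD_SIG='[GNUPG:] BADSIG 000000007B599096 Signer <signer@example.invalid>'
UNKNOWN_KEY='[GNUPG:] ERRSIG 000000007B599096 1 10 01 1377684720 9
[GNUPG:] NO_PUBKEY 000000007B599096'
```

In the update loop, replacing the bare <code>gpg -q --decrypt ...</code> call with <code>verify_update $CURRENT.sh.asc $CURRENT.sh</code> makes a valid signature from a different imported key count as "signature invalid".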