sync with OpenBSD -current
parent
4544ef4a2e
commit
06882d626f
49 changed files with 1832 additions and 835 deletions
|
@ -1,6 +1,6 @@
|
|||
#!/bin/ksh
|
||||
#
|
||||
# $OpenBSD: sysupgrade.sh,v 1.54 2024/09/25 13:55:23 sthen Exp $
|
||||
# $OpenBSD: sysupgrade.sh,v 1.55 2024/10/07 13:21:53 deraadt Exp $
|
||||
#
|
||||
# Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
|
||||
# Copyright (c) 2015 Robert Peichaer <rpe@openbsd.org>
|
||||
|
@ -140,13 +140,25 @@ if ! unpriv -f SHA256.sig ftp -N sysupgrade -Vmo SHA256.sig ${URL}SHA256.sig; th
|
|||
fi
|
||||
fi
|
||||
|
||||
SHORT_VERSION=${NEXT_VERSION%.*}${NEXT_VERSION#*.}
|
||||
if ! [[ -r /etc/signify/secbsd-${SHORT_VERSION}-base.pub ]]; then
|
||||
echo "${0##*/}: signify key not found; download into /etc/signify from" 1>&2
|
||||
echo "https://ftp.secbsd.org/pub/SecBSD/signify/secbsd-${SHORT_VERSION}-base.pub" 1>&2
|
||||
# The key extracted from SHA256.sig must precisely match a pattern
|
||||
KEY=$(head -1 < SHA256.sig | cut -d' ' -f5 | \
|
||||
egrep '^secbsd-[[:digit:]]{2,3}-base.pub$' || true)
|
||||
if [[ -z $KEY ]]; then
|
||||
echo "Invalid SHA256.sig file"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# If required key is not in the system, get it from a signed bundle
|
||||
if ! [[ -r /etc/signify/$KEY ]]; then
|
||||
HAVEKEY=$(cd /etc/signify && ls -1 secbsd-*-base.pub | \
|
||||
tail -2 | head -1 | cut -d- -f2)
|
||||
BUNDLE=sigbundle-${HAVEKEY}.tgz
|
||||
echo "Adding additional key $KEY from bundle $BUNDLE"
|
||||
unpriv -f ${BUNDLE} ftp -N sysupgrade -Vmo $BUNDLE https://ftp.secbsd.org/pub/SecBSD/signify/$BUNDLE
|
||||
signify -Vzq -m - -x $BUNDLE | (cd /etc/signify && tar xfz - $KEY)
|
||||
rm $BUNDLE
|
||||
fi
|
||||
|
||||
unpriv -f SHA256 signify -Ve -x SHA256.sig -m SHA256
|
||||
rm SHA256.sig
|
||||
|
||||
|
|
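Review bot: The pattern that is meant to pin the key name leaves the dot before `pub` unescaped (`-base.pub$`), so any character is accepted there, and `$KEY` is then used unquoted in `/etc/signify/$KEY` and as the `tar` member name; escaping it as `egrep '^secbsd-[[:digit:]]{2,3}-base\.pub$'` and quoting `"$KEY"` makes the match as exact as the comment says. `HAVEKEY` comes from `ls -1 secbsd-*-base.pub | tail -2 | head -1`, which orders by name (a three-digit release sorts before a two-digit one) and is empty when no key is installed, so it is worth checking that it is all digits before building `$BUNDLE`. Only `tar`'s status comes out of the `signify -Vzq ... | (cd /etc/signify && tar xfz - $KEY)` pipeline, so a `[[ -r /etc/signify/$KEY ]] || exit 1` after `rm $BUNDLE` would stop a failed fetch or verification here rather than at the later SHA256 check. The rest of the script, including whether `set -e` is in effect, is outside this hunk.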