From 14b389dfbe5833b95e1b9dd813f0108cca5eef5b Mon Sep 17 00:00:00 2001 From: Jonas 'Sortie' Termansen Date: Sun, 16 Jul 2023 21:19:46 +0200 Subject: [PATCH] fixup! Add tix-upgrade(8). --- tix/tix-fetch | 48 ++++++++++++++++++++++++++++++++------------- tix/tix-upgrade | 52 ++++++++++++++++++++++++++++++++++++------------- 2 files changed, 73 insertions(+), 27 deletions(-) diff --git a/tix/tix-fetch b/tix/tix-fetch index 7fab6f9e..4e800d35 100755 --- a/tix/tix-fetch +++ b/tix/tix-fetch @@ -52,6 +52,7 @@ url_mirror=false url_mirror_release=false url_release_sig=false url_sha256sum=false +upgrade=false # TODO: Option to select this default: # TODO: This hides errors. Fix wget so it has a quiet, but errors, mode. wget_options="-q --show-progress" @@ -112,6 +113,8 @@ for argument do --output-release-sig-file) previous_option=output_release_sig_file ;; --output-sha256sum=*) output_sha256sum=$parameter ;; --output-sha256sum) previous_option=output_sha256sum ;; + --output-upgrade-file=*) output_upgrade_file=$parameter ;; + --output-upgrade-file) previous_option=output_upgrade_file ;; --patch) patch=true ;; --port) port=true ;; --porttix) porttix=true ;; @@ -124,6 +127,7 @@ for argument do --sysroot) previous_option=sysroot ;; --sysroot=*) sysroot=$parameter ;; --toolchain) toolchain=true ;; + --upgrade) upgrade=true ;; --url) url=true ;; --url-main) url_main=true ;; --url-mirror) url_mirror=true ;; @@ -158,6 +162,7 @@ tmpdir=$(mktemp -dt tix-fetch-port.XXXXXX) trap 'rm -rf -- "$tmpdir"' EXIT HUP INT QUIT TERM upgrade_conf="${collection%/}/etc/upgrade.conf" +CHANNEL=$(conf -d '' "$upgrade_conf" CHANNEL) RELEASE_KEY=$(conf -d '' "$upgrade_conf" RELEASE_KEY) RELEASE_SIG_URL=$(conf -d '' "$upgrade_conf" RELEASE_SIG_URL) PREFERRED_MIRROR=$(conf -d '' "$upgrade_conf" PREFERRED_MIRROR) 
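Review bot: `output_upgrade_file` is assigned only inside the new `--output-upgrade-file` arms, and none of the visible tix-fetch hunks gives it an empty default next to `upgrade=false`. If it is not initialised elsewhere in the file, a value inherited from the environment would pass the later `[ -n "$output_upgrade_file" ]` test and trigger a copy to a path the command line never named. Adding `output_upgrade_file=` beside the other option defaults would close that. The defaults block and the option loop both extend outside these hunks, so this needs confirming against the full file.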
@@ -203,17 +208,32 @@ do_wget() { } # Fetch signed release description. -if [ -z "$input_release_file" ]; then - if [ -z "$input_release_sig_file" ]; then - (cd "$tmpdir" && - do_wget -U "$USER_AGENT" $wget_options -O release.sh.sig \ - -- "$RELEASE_SIG_URL") - else - cp -T -- "$input_release_sig_file" "$tmpdir/release.sh.sig" - fi +download_release_sh() { + (cd "$tmpdir" && + do_wget -U "$USER_AGENT" $wget_options -O release.sh.sig \ + -- "$RELEASE_SIG_URL") signify -Vq -p "$RELEASE_KEY" -em "$tmpdir/release.sh" -else +} + +true > "$tmpdir/upgrade.sh" + +if [ -z "$input_release_file" -a -z "$input_release_sig_file" ]; then + download_release_sh + tix-vars "$tmpdir/release.sh" | \ + grep -E '^UPGRADE_=' | \ + cat > "$tmpdir/upgrade.sh" + UPGRADE_SIG_URL=$(tix-vars -d '' "$tmpdir/upgrade.sh" UPGRADE_SIG_URL) + if $upgrade && [ -n "$UPGRADE_SIG_URL" ]; then + RELEASE_SIG_URL="$UPGRADE_SIG_URL" + RELEASE_KEY=$(tix-vars "$tmpdir/upgrade.sh" UPGRADE_KEY) + download_release_sh + fi +fi + +if [ -n "$input_release_file" ]; then cp -T -- "$input_release_file" "$tmpdir/release.sh" +elif [ -n "$input_release_sig_file" ]; then + signify -Vq -p "$RELEASE_KEY" -em "$tmpdir/release.sh" fi # Store the signed release file if requested. @@ -226,6 +246,11 @@ if [ -n "$output_release_file" ]; then cp -T -- "$tmpdir/release.sh" "$output_release_file" fi +# Store the upgrade file if requested. +if [ -n "$output_upgrade_file" ]; then + cp -T -- "$tmpdir/upgrade.sh" "$output_upgrade_file" +fi + # Load the release description. # TODO: SECURITY: Protect against responding with older release.sh. @@ -306,11 +331,6 @@ escape_extended_regex() { printf "%s\n" "$1" | sed -E -e 's/[[$()*?\+.^{|}]/\\\0/g' } -# TODO: Remove: -#escape_extended_regex_test_self() { -# printf "%s\n" "$1" | grep -E "^$(escape_extended_regex "$1")\$" -#} - request() { REQUEST="$1" REQUESTDIR="$2" diff --git a/tix/tix-upgrade b/tix/tix-upgrade index d13e3c74..e3d77d4c 100755 --- a/tix/tix-upgrade +++ b/tix/tix-upgrade 
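Review bot: The `elif [ -n "$input_release_sig_file" ]` branch calls `signify -Vq -p "$RELEASE_KEY" -em "$tmpdir/release.sh"` without first placing the supplied signature in `$tmpdir`. The removed code did `cp -T -- "$input_release_sig_file" "$tmpdir/release.sh.sig"` and nothing replaces it, so `--input-release-sig-file` appears to verify against a file that does not exist; restore that copy ahead of the signify call. Separately, `grep -E '^UPGRADE_='` only matches a variable named exactly `UPGRADE_`, so `upgrade.sh` probably stays empty and the `UPGRADE_SIG_URL` lookup finds nothing. `grep -E '^UPGRADE_[A-Z_]+='` looks like the intent, assuming tix-vars prints `NAME=value` lines. It would also help to refuse to continue when `UPGRADE_KEY` comes back empty before it replaces `RELEASE_KEY`.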
@@ -26,6 +26,7 @@ download_only=false fetch_options= ports_only=false sysroot="" +upgrade=--upgrade upgrade_ports=false upgrade_system=false wait="" @@ -60,6 +61,7 @@ for argument do --fetch-options) previous_option=fetch_options ;; --insecure-downgrade-to-http) fetch_options="$fetch_options $argument" ;; --insecure-no-check-certificate) fetch_options="$fetch_options $argument" ;; + --no-upgrade) upgrade= ;; --ports) upgrade_ports=true ;; --system) upgrade_system=true ;; --sysroot) previous_option=sysroot ;; 
@@ -122,37 +124,49 @@ fi mkdir -p -- "$cachedir" mkdir -p -- "$cachedir/new" -# Fetch the latest official release.sig.sh and its matching sha256sum file. +# Fetch the latest official signed release.sh and its matching sha256sum file. tix-fetch $fetch_options \ --collection="$collection" \ --output-release-file="$cachedir/new/release.sh" \ - --output-release-sig-file="$cachedir/new/release.sh.sig" \ - --output-sha256sum="$cachedir/new/sha256sum" + --output-sha256sum="$cachedir/new/sha256sum" \ + --output-upgrade-file="$cachedir/new/upgrade.sh" \ + $upgrade -# If release.sig.sh or sha256sum changed, clean the cache directory of downloads +# If release.sh or sha256sum changed, clean the cache directory of downloads # that were currently in progress as they might not have the right checksums. if [ ! -e "$cachedir/release.sh" ] || - [ ! -e "$cachedir/release.sh.sig" ] || [ ! -e "$cachedir/sha256sum" ] || - ! (cd "$cachedir/new" && sha256sum release.sh release.sh.sig sha256sum) | + [ ! -e "$cachedir/upgrade.sh" ] || + ! (cd "$cachedir/new" && sha256sum release.sh sha256sum upgrade.sh) | (cd "$cachedir" && sha256sum -cs); then rm -rf -- "$cachedir/boot" rm -rf -- "$cachedir/repository" rm -rf -- "$cachedir/sysroot" fi -# Store the new release.sig.sh and sha256sum files so we can resume the download +# Store the new release.sh and sha256sum files so we can resume the download # if cancelled and these files still match. mv -- "$cachedir/new/release.sh" "$cachedir/release.sh" -mv -- "$cachedir/new/release.sh.sig" "$cachedir/release.sh.sig" mv -- "$cachedir/new/sha256sum" "$cachedir/sha256sum" +mv -- "$cachedir/new/upgrade.sh" "$cachedir/upgrade.sh" rm -rf -- "$cachedir/new" +# Check if we're upgrading to a new release. 
+UPGRADE_SIG_URL=$(tix-vars -d '' "$cachedir/upgrade.sh" UPGRADE_SIG_URL) +if [ -n "$UPGRADE_SIG_URL" ]; then + UPGRADE_CHANNEL=$(tix-vars "$cachedir/upgrade.sh" UPGRADE_CHANNEL) + UPGRADE_KEY=$(tix-vars "$cachedir/upgrade.sh" UPGRADE_KEY) + UPGRADE_NAME=$(tix-vars "$cachedir/upgrade.sh" UPGRADE_NAME) + if [ -n "$upgrade" ]; then + echo "Upgrading to $UPGRADE_NAME." + else + echo "Ignoring available upgrade to $UPGRADE_NAME." + fi +fi + mkdir -p -- "$cachedir/boot" mkdir -p -- "$cachedir/repository" -# TODO: Support upgrading across releases, renamed channels, etc. - # TODO: DO NOT SUBMIT: Temporary -d system compatibility until builds roll. SYSTEM_INITRDS=$(tix-vars -d system "$cachedir/release.sh" SYSTEM_INITRDS) @@ -163,7 +177,7 @@ if $upgrade_system; then for initrd in $SYSTEM_INITRDS; do tix-fetch $fetch_options \ --collection="$collection" \ - --input-release-sig-file="$cachedir/release.sh.sig" \ + --input-release-file="$cachedir/release.sh" \ --input-sha256sum="$cachedir/sha256sum" \ -c --initrd -O "$cachedir/boot" -- "$initrd" done @@ -179,14 +193,14 @@ if $upgrade_ports; then # The port has a hash if if it exists upstream. sha256=$(tix-fetch $fetch_options \ --collection="$collection" \ - --input-release-sig-file="$cachedir/release.sh.sig" \ + --input-release-file="$cachedir/release.sh" \ --input-sha256sum="$cachedir/sha256sum" \ --sha256 --port -- $port) # If the port exists upstream, get the latest version. if [ -n "$sha256" ]; then tix-fetch $fetch_options \ --collection="$collection" \ - --input-release-sig-file="$cachedir/release.sh.sig" \ + --input-release-file="$cachedir/release.sh" \ --input-sha256sum="$cachedir/sha256sum" \ -c --port -O "$cachedir/repository" -- $port fi 
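Review bot: After this hunk nothing kept in `$cachedir` can be re-verified, because `release.sh.sig` is no longer stored. The initrd and port fetches in the two following hunks (`@@ -163,7 +177,7 @@` and `@@ -179,14 +193,14 @@`) now pass `--input-release-file="$cachedir/release.sh"`, which tix-fetch handles with a plain `cp -T` and no signify call. The hashes behind every later download therefore depend on the cache directory staying unmodified between the first fetch and a resumed run. If that is intended (the release may now be signed by `UPGRADE_KEY` rather than the collection's key), say so above the first tix-fetch call, for example `# release.sh was signature-checked by this fetch; later calls trust the cached copy, so $cachedir must not be writable by other users.` Creating `$cachedir` with a restrictive mode would back that up. The port loop starts outside the last hunk.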
@@ -201,6 +215,18 @@ fi rm -rf -- "$cachedir/sysroot" mkdir -p -- "$cachedir/sysroot" +# Forward the upgrade metadata. +UPGRADE_SIG_URL=$(tix-vars -d '' "$cachedir/upgrade.sh" UPGRADE_SIG_URL) +if [ -n $upgrade ] && [ -n "$UPGRADE_SIG_URL" ]; then + mkdir -p -- "$cachedir/etc" + # TODO: More flexible and simple model. + cat > "$cachedir/etc/upgrade.conf" << EOF +channel = $UPGRADE_CHANNEL +release_key = $UPGRADE_KEY +release_sig_url = $UPGRADE_SIG_URL +EOF +fi + # Extract the base system into the sysroot. if $upgrade_system; then for initrd in $SYSTEM_INITRDS; do
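Review bot: `[ -n $upgrade ]` is unquoted, so with `--no-upgrade` (where `upgrade` is empty) it collapses to `[ -n ]`, which is true. The forwarded `upgrade.conf` is then still written with the upgrade channel, key and signature URL, even though the fetched release is the current one. The condition should read `if [ -n "$upgrade" ] && [ -n "$UPGRADE_SIG_URL" ]; then`. `UPGRADE_KEY` and `UPGRADE_CHANNEL` are also written without a non-empty check. Unless tix-vars fails on a missing variable, a release description that sets only `UPGRADE_SIG_URL` would leave `release_key =` blank in the forwarded configuration, so reject that case before the heredoc.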