# Gate: continue when forced with -f. Without -f, continue only when the
# clock reads 04:01 and a one-in-five random draw succeeds; every other
# invocation exits with status 1 before any configuration is loaded.
# NOTE(review): the random draw presumably staggers clients so they do not
# all contact the update server in the same minute - confirm.
if [[ "$1" != "-f" ]]; then
  if [[ "$(date +%H%M)" != "0401" ]] || (( RANDOM % 5 != 0 )); then
    exit 1
  fi
fi
echo "Checking for updates..."
# configuration and common code
source config.env
source common.sh
# Local working names. All are relative paths, so they resolve against the
# directory the script is started from.
VERSION_FILE="version"
TAR_FILE="update.tar"
SIG_FILE="${TAR_FILE}.sig"
TMP_DIR="tmp"

# Remote endpoints and the shared request header. BASE_API, UPDATES_BRANCH
# and BASIC_AUTH are not assigned in this file (presumably they come from the
# sourced config.env - confirm).
# NOTE(review): the Basic credential and the version check are only protected
# in transit if BASE_API is an https:// URL - confirm in config.env.
AUTH="Authorization: Basic ${BASIC_AUTH}"
UPDATE_URL="${BASE_API}/update/${UPDATES_BRANCH}"
METRICS_ENDPOINT="${BASE_API}/metrics"
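#######################################
# Remove the download directory. Installed as the EXIT trap, so it runs on
# every exit path of the script.
# Globals:   TMP_DIR (read)
# Arguments: none
#######################################
cleanup() {
  # Quoted so the value is always treated as a single path, "--" so it can
  # never be parsed as an option, and ":?" so an empty or unset TMP_DIR stops
  # here instead of handing rm an unintended operand list.
  rm -rf -- "${TMP_DIR:?}"
}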
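# Run cleanup on every exit path so downloaded files never linger.
trap cleanup EXIT

# Check for updates.
# -f makes curl return non-zero on an HTTP error instead of handing back the
# error page as if it were a version number.
# NOTE(review): the Authorization header is passed on curl's command line and
# is therefore visible in the process list while curl runs; consider supplying
# it from a file curl reads itself.
UPDATE_VERSION=$(curl -f -s -H "$AUTH" "$UPDATE_URL/$VERSION_FILE")
CURRENT_VERSION=$(cat -- "$VERSION_FILE")

# Both values are used in an arithmetic comparison below, where bash evaluates
# the string as an expression rather than as a number. UPDATE_VERSION is a
# network response received before any signature check, so only plain decimal
# digits are accepted (at most 18, which always fits a signed 64-bit integer).
VERSION_RE='^[0-9]{1,18}$'
if [[ ! "$UPDATE_VERSION" =~ $VERSION_RE ]]; then
  echo "Update server returned no usable version number. Update aborted." >&2
  exit 1
fi
if [[ ! "$CURRENT_VERSION" =~ $VERSION_RE ]]; then
  echo "Local version file is missing or not a number. Update aborted." >&2
  exit 1
fi

# NOTE(review): the version number is fetched separately and is not covered by
# the signature, which is computed over the tarball only. A valid signature
# therefore does not prove the archive is the newest release; shipping the
# version inside the signed archive would bind the two together.
# 10# forces base 10 so a leading zero is not read as octal.
if (( 10#$UPDATE_VERSION > 10#$CURRENT_VERSION )); then
  echo "New version ${UPDATE_VERSION} available. Starting update."

  # Create a tmp directory for downloads if it doesn't exist
  mkdir -p -- "$TMP_DIR" || exit 1

  # Download the tarball and the signature file. A failed transfer aborts, so
  # files left behind by an earlier interrupted run are never verified in
  # place of the ones requested now.
  if ! curl -f -s -H "$AUTH" -o "$TMP_DIR/$TAR_FILE" "$UPDATE_URL/$TAR_FILE" ||
    ! curl -f -s -H "$AUTH" -o "$TMP_DIR/$SIG_FILE" "$UPDATE_URL/$SIG_FILE"; then
    echo "Download failed. Update aborted." >&2
    exit 1
  fi

  # Check files exist and are not empty
  if [[ ! -s "$TMP_DIR/$TAR_FILE" ]] || [[ ! -s "$TMP_DIR/$SIG_FILE" ]]; then
    exit 1
  fi

  # Verify the signature against the public key kept next to the script.
  # Nothing from the archive is used before this check passes.
  if openssl dgst -sha256 -verify update.pub.pem \
    -signature "$TMP_DIR/$SIG_FILE" "$TMP_DIR/$TAR_FILE"; then
    echo "Signature is valid. Replacing files."

    # Extract the new files over the current directory. The archive can
    # replace any file here, including update.pub.pem and this script, so the
    # signing key is the only control over what gets installed.
    # A failed extraction stops before the version is recorded, so a partial
    # update is never reported as complete.
    if ! tar -xvf "$TMP_DIR/$TAR_FILE" -C .; then
      echo "Extraction failed. Update aborted." >&2
      exit 1
    fi

    # Update the version file
    printf '%s\n' "$UPDATE_VERSION" > "$VERSION_FILE"

    # Make the scripts executable ("./" keeps odd file names from being read
    # as options)
    chmod +x ./*.sh

    # Send the new version to the metrics endpoint. UPDATE_VERSION is known to
    # be digits only at this point, so it is safe to place in the JSON body.
    # CURL_OPTS is not set in this file (presumably by config.env or
    # common.sh - confirm) and is left unquoted so it splits into options.
    # shellcheck disable=SC2086
    curl $CURL_OPTS \
      -H "Content-Type: application/json" \
      -H "Authorization: Basic $BASIC_AUTH" \
      -d "{\"version\": $UPDATE_VERSION}" \
      "$METRICS_ENDPOINT"
  else
    # A failed verification is reported on stderr with a non-zero status so
    # the caller and any monitoring can tell it apart from "no update".
    echo "Signature is not valid. Update aborted." >&2
    exit 1
  fi
fi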