124 lines
3.5 KiB
Bash
Executable File
124 lines
3.5 KiB
Bash
Executable File
#!/bin/sh
|
|
# bee-update.sh — production update path: USB first, then network.
|
|
# Unattended: logs only, never blocks boot.
|
|
|
|
set -u
|
|
|
|
LOG_PREFIX="bee-update"
|
|
log() { echo "[$LOG_PREFIX] $*"; }
|
|
|
|
AUDIT_BIN="/usr/local/bin/audit"
|
|
TMP_BIN="/tmp/bee-audit-new"
|
|
TMP_SIG="/tmp/bee-audit-new.sig"
|
|
REPO_API="${BEE_RELEASE_API:-https://git.mchus.pro/api/v1/repos/<org>/bee/releases/latest}"
|
|
|
|
download_to() {
|
|
url="$1"
|
|
out="$2"
|
|
if command -v wget >/dev/null 2>&1; then
|
|
wget -q -O "$out" "$url"
|
|
return $?
|
|
fi
|
|
if command -v curl >/dev/null 2>&1; then
|
|
curl -fsSL "$url" -o "$out"
|
|
return $?
|
|
fi
|
|
log "neither wget nor curl available"
|
|
return 1
|
|
}
|
|
|
|
version_of() {
|
|
"$1" --version 2>/dev/null | head -n1 | tr -d '[:space:]'
|
|
}
|
|
|
|
apply_update() {
|
|
src_bin="$1"
|
|
src_sig="$2"
|
|
src_ver="$3"
|
|
|
|
if [ ! -x "$src_bin" ] || [ ! -f "$src_sig" ]; then
|
|
log "missing binary or signature"
|
|
return 1
|
|
fi
|
|
|
|
# NOTE: strict signature verification should be implemented in audit updater module.
|
|
# Here we keep shell side minimal and fail-open for now.
|
|
cp "$src_bin" "$AUDIT_BIN" || return 1
|
|
chmod +x "$AUDIT_BIN" || return 1
|
|
log "updated audit binary to $src_ver"
|
|
return 0
|
|
}
|
|
|
|
check_usb_update() {
|
|
for root in /media/* /mnt/* /tmp/bee-usb /run/media/*/*; do
|
|
[ -d "$root" ] || continue
|
|
base="$root/bee-update"
|
|
bin="$base/bee-audit-linux-amd64"
|
|
sig="$base/bee-audit-linux-amd64.sig"
|
|
ver_file="$base/VERSION"
|
|
[ -f "$bin" ] || continue
|
|
[ -f "$sig" ] || continue
|
|
[ -f "$ver_file" ] || continue
|
|
|
|
new_ver=$(cat "$ver_file" 2>/dev/null | tr -d '[:space:]')
|
|
cur_ver=$(version_of "$AUDIT_BIN")
|
|
[ -n "$new_ver" ] || continue
|
|
if [ "$new_ver" = "$cur_ver" ]; then
|
|
log "usb update found but version is same ($new_ver)"
|
|
return 0
|
|
fi
|
|
log "usb update candidate: $new_ver"
|
|
apply_update "$bin" "$sig" "$new_ver" && return 0
|
|
return 1
|
|
done
|
|
return 1
|
|
}
|
|
|
|
check_network_update() {
|
|
if ! ping -c 1 -W 3 git.mchus.pro >/dev/null 2>&1; then
|
|
log "network unavailable; skip release check"
|
|
return 1
|
|
fi
|
|
|
|
if ! command -v wget >/dev/null 2>&1 && ! command -v curl >/dev/null 2>&1; then
|
|
log "neither wget nor curl found; skip network update"
|
|
return 1
|
|
fi
|
|
if ! command -v jq >/dev/null 2>&1; then
|
|
log "jq not found; skip network update"
|
|
return 1
|
|
fi
|
|
|
|
meta="/tmp/bee-release-latest.json"
|
|
download_to "$REPO_API" "$meta" || { log "failed to fetch release metadata"; return 1; }
|
|
|
|
tag=$(jq -r '.tag_name // empty' "$meta")
|
|
[ -n "$tag" ] || { log "release metadata missing tag_name"; return 1; }
|
|
|
|
cur_ver=$(version_of "$AUDIT_BIN")
|
|
if [ "$tag" = "$cur_ver" ]; then
|
|
log "already latest ($tag)"
|
|
return 0
|
|
fi
|
|
|
|
bin_url=$(jq -r '.assets[]? | select(.name=="bee-audit-linux-amd64") | .browser_download_url // empty' "$meta")
|
|
sig_url=$(jq -r '.assets[]? | select(.name=="bee-audit-linux-amd64.sig") | .browser_download_url // empty' "$meta")
|
|
[ -n "$bin_url" ] && [ -n "$sig_url" ] || { log "missing release asset URLs"; return 1; }
|
|
|
|
download_to "$bin_url" "$TMP_BIN" || return 1
|
|
download_to "$sig_url" "$TMP_SIG" || return 1
|
|
chmod +x "$TMP_BIN"
|
|
|
|
log "network update candidate: $tag"
|
|
apply_update "$TMP_BIN" "$TMP_SIG" "$tag"
|
|
}
|
|
|
|
main() {
|
|
if check_usb_update; then
|
|
exit 0
|
|
fi
|
|
check_network_update || true
|
|
}
|
|
|
|
main "$@"
|