diff --git a/security/trustedkeys.gpg b/security/trustedkeys.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/server/scripts/update_runner.sh b/server/scripts/update_runner.sh
index f3eb684328875efb4fc03ee0cdd45bc16afc885d..2036f2cffeedde89749f75114b2776c4747a5543 100644
--- a/server/scripts/update_runner.sh
+++ b/server/scripts/update_runner.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
-_UPD=1
-
 # padding handles script being overwritten during updates
 # see https://git.ispconfig.org/ispconfig/ispconfig3/issues/4227
@@ -18,61 +16,66 @@ _UPD=1
 ##################################################
 ##################################################
-SOURCE=$1
-URL=""
+{
+
+ SOURCE=$1
+ URL=""
+ SIG=""
-if [[ "$SOURCE" == "stable" ]] ; then
- URL="https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz"
-elif [[ "$SOURCE" == "nightly" ]] ; then
- URL="https://www.ispconfig.org/downloads/ISPConfig-3-nightly.tar.gz"
-elif [[ "$SOURCE" == "git-develop" ]] ; then
- URL="https://git.ispconfig.org/ispconfig/ispconfig3/-/archive/develop/ispconfig3-develop.tar.gz"
-else
- echo "Please choose an installation source (stable, nightly, git-develop)"
- exit 1
-fi
+ if [[ "$SOURCE" == "stable" ]]; then
+ URL="https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz"
+ SIG="https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz.sig"
+ elif [[ "$SOURCE" == "nightly" ]]; then
+ URL="https://www.ispconfig.org/downloads/ISPConfig-3-nightly.tar.gz"
+ elif [[ "$SOURCE" == "git-develop" ]]; then
+ URL="https://git.ispconfig.org/ispconfig/ispconfig3/-/archive/develop/ispconfig3-develop.tar.gz"
+ else
+ echo "Please choose an installation source (stable, nightly, git-develop)"
+ exit 1
+ fi
-CURDIR=$PWD
+ GPGV=$(command -pv gpgv)
+ KEYRING="/usr/local/ispconfig/security/trustedkeys.gpg"
-cd /tmp
+ CURDIR=$PWD
-{
-if [ -n "${_UPD}" ]
-then
- {
- save_umask=`umask`
- umask 0077 \
- && tmpdir=`mktemp -dt "$(basename $0).XXXXXXXXXX"` \
- && test -d "${tmpdir}" \
- && cd "${tmpdir}"
- umask $save_umask
- } || {
- echo 'mktemp failed'
- exit 1
- }
+ die() {
+ echo "$1"
+ # shellcheck disable=SC2164
+ cd "$CURDIR"
+ exit 1
+ }
- echo "Downloading ISPConfig update."
- wget -q -O ISPConfig-3.tar.gz "${URL}"
- if [ -f ISPConfig-3.tar.gz ]
- then
- echo "Unpacking ISPConfig update."
- tar xzf ISPConfig-3.tar.gz --strip-components=1
- cd install/
- php -q \
- -d disable_classes= \
- -d disable_functions= \
- -d open_basedir= \
- update.php
- cd /tmp
- rm -rf "${tmpdir}"
+ save_umask=$(umask)
+ umask 0077
+ tmpdir=$(mktemp -dt "ISPConfig-update.XXXXXXXXXX")
+ test $? -eq 0 || die 'mktemp failed'
+ cd "$tmpdir" || die 'could not chdir into temporary working directory'
+ umask "$save_umask"
+
+ # shellcheck disable=SC2064
+ trap "rm -rf \"$tmpdir\"" EXIT
+
+ echo "Downloading ISPConfig update."
+ wget -q -O ISPConfig-3.tar.gz "$URL" || die "Unable to download the update."
+ if [ -n "$SIG" ] && [ -n "$GPGV" ] && [ -f "$KEYRING" ]; then
+ wget -q -O ISPConfig-3.tar.gz.sig "$SIG" || die "could not download signature file"
+ if "$GPGV" --quiet --keyring "$KEYRING" ISPConfig-3.tar.gz.sig ISPConfig-3.tar.gz; then
+ echo "Verified the integrity of the ISPConfig update file"
 else
- echo "Unable to download the update."
- cd "$CURDIR"
- exit 1
+ die "Could not verify the integrity of the ISPConfig update file."
 fi
+ fi
+ echo "Unpacking ISPConfig update."
+ tar xzf ISPConfig-3.tar.gz --strip-components=1
+ cd install/ || die "could not chdir into install directory"
+ php -q \
+ -d disable_classes= \
+ -d disable_functions= \
+ -d open_basedir= \
+ update.php
-fi
-
-cd "$CURDIR"
-exit 0
+ # shellcheck disable=SC2164
+ cd "$CURDIR"
+ exit 0
 }
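Review bot: The signature check guarded by `if [ -n "$SIG" ] && [ -n "$GPGV" ] && [ -f "$KEYRING" ]` fails open: when gpgv is not installed or the keyring file is absent, a stable update is unpacked and `update.php` is run with no verification and no message, and the nightly and git-develop sources never set `SIG` at all. For the stable source the missing-tool case should stop the update, for example by adding `elif [ -n "$SIG" ]; then die "gpgv or trusted keyring not available, refusing to install an unverified update"` before the outer closing `fi`, and the sources without a signature should at least print a warning that the archive is unverified. The keyring added in this commit shows no content in its diff; if that empty file is what ends up at `$KEYRING` (not visible here), the `-f` test passes, gpgv has no trusted keys, and every stable update will take the `die` branch. The exit status of `tar` and `php` is also not checked before the final `exit 0`, so a failed unpack or update is reported as success.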