summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFlorian Obser <florian@cvs.openbsd.org>2024-06-08 06:05:41 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2024-06-08 06:05:41 +0000
commit6b07114e7a231ea70272266e67accb77e3351023 (patch)
treeecdd108f20ac688333d4190cb8cb052047fab572
parentb3dbcc03047bec6008968664cb4f3c9fd7c3e2cc (diff)
Do not enforce the next version key if installing a snapshot.
Developers sometimes have dev machines with an older snapshot that already has the correct signify key but sysupgrade(8) refuses to do an upgrade because it thinks it's a version jump. That's just silly. tb pointed out that signify(1) can just work out the correct key all by itself. problem reported, same diff & OK deraadt
-rw-r--r--usr.sbin/sysupgrade/sysupgrade.sh23
1 files changed, 14 insertions, 9 deletions
diff --git a/usr.sbin/sysupgrade/sysupgrade.sh b/usr.sbin/sysupgrade/sysupgrade.sh
index 21094819592..a30d13fad2f 100644
--- a/usr.sbin/sysupgrade/sysupgrade.sh
+++ b/usr.sbin/sysupgrade/sysupgrade.sh
@@ -1,6 +1,6 @@
#!/bin/ksh
#
-# $OpenBSD: sysupgrade.sh,v 1.49 2023/10/12 12:31:15 kn Exp $
+# $OpenBSD: sysupgrade.sh,v 1.50 2024/06/08 06:05:40 florian Exp $
#
# Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
# Copyright (c) 2015 Robert Peichaer <rpe@openbsd.org>
@@ -139,16 +139,21 @@ unpriv -f SHA256.sig ftp -N sysupgrade -Vmo SHA256.sig ${URL}SHA256.sig
_KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
_NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
-read _LINE <SHA256.sig
-case ${_LINE} in
-*\ ${_KEY}) SIGNIFY_KEY=/etc/signify/${_KEY} ;;
-*\ ${_NEXTKEY}) SIGNIFY_KEY=/etc/signify/${_NEXTKEY} ;;
-*) err "invalid signing key" ;;
-esac
+if $SNAP; then
+ unpriv -f SHA256 signify -Ve -x SHA256.sig -m SHA256
+else
+ read _LINE <SHA256.sig
+ case ${_LINE} in
+ *\ ${_KEY}) SIGNIFY_KEY=/etc/signify/${_KEY} ;;
+ *\ ${_NEXTKEY}) SIGNIFY_KEY=/etc/signify/${_NEXTKEY} ;;
+ *) err "invalid signing key" ;;
+ esac
+
+ [[ -f ${SIGNIFY_KEY} ]] || err "cannot find ${SIGNIFY_KEY}"
-[[ -f ${SIGNIFY_KEY} ]] || err "cannot find ${SIGNIFY_KEY}"
+ unpriv -f SHA256 signify -Ve -p "${SIGNIFY_KEY}" -x SHA256.sig -m SHA256
+fi
-unpriv -f SHA256 signify -Ve -p "${SIGNIFY_KEY}" -x SHA256.sig -m SHA256
rm SHA256.sig
if cmp -s /var/db/installed.SHA256 SHA256 && ! $FORCE; then