diff options
author | Florian Obser <florian@cvs.openbsd.org> | 2024-06-08 06:05:41 +0000 |
---|---|---|
committer | Florian Obser <florian@cvs.openbsd.org> | 2024-06-08 06:05:41 +0000 |
commit | 6b07114e7a231ea70272266e67accb77e3351023 (patch) | |
tree | ecdd108f20ac688333d4190cb8cb052047fab572 | |
parent | b3dbcc03047bec6008968664cb4f3c9fd7c3e2cc (diff) |
Do not enforce the next version key if installing a snapshot.
Developers sometimes have dev machines with an older snapshot that
already has the correct signify key but sysupgrade(8) refuses to do an
upgrade because it thinks it's a version jump. That's just silly.
tb pointed out that signify(1) can just work out the correct key all
by itself.
problem reported, same diff & OK deraadt
-rw-r--r-- | usr.sbin/sysupgrade/sysupgrade.sh | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/usr.sbin/sysupgrade/sysupgrade.sh b/usr.sbin/sysupgrade/sysupgrade.sh index 21094819592..a30d13fad2f 100644 --- a/usr.sbin/sysupgrade/sysupgrade.sh +++ b/usr.sbin/sysupgrade/sysupgrade.sh @@ -1,6 +1,6 @@ #!/bin/ksh # -# $OpenBSD: sysupgrade.sh,v 1.49 2023/10/12 12:31:15 kn Exp $ +# $OpenBSD: sysupgrade.sh,v 1.50 2024/06/08 06:05:40 florian Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback # Copyright (c) 2015 Robert Peichaer <rpe@openbsd.org> @@ -139,16 +139,21 @@ unpriv -f SHA256.sig ftp -N sysupgrade -Vmo SHA256.sig ${URL}SHA256.sig _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub -read _LINE <SHA256.sig -case ${_LINE} in -*\ ${_KEY}) SIGNIFY_KEY=/etc/signify/${_KEY} ;; -*\ ${_NEXTKEY}) SIGNIFY_KEY=/etc/signify/${_NEXTKEY} ;; -*) err "invalid signing key" ;; -esac +if $SNAP; then + unpriv -f SHA256 signify -Ve -x SHA256.sig -m SHA256 +else + read _LINE <SHA256.sig + case ${_LINE} in + *\ ${_KEY}) SIGNIFY_KEY=/etc/signify/${_KEY} ;; + *\ ${_NEXTKEY}) SIGNIFY_KEY=/etc/signify/${_NEXTKEY} ;; + *) err "invalid signing key" ;; + esac + + [[ -f ${SIGNIFY_KEY} ]] || err "cannot find ${SIGNIFY_KEY}" -[[ -f ${SIGNIFY_KEY} ]] || err "cannot find ${SIGNIFY_KEY}" + unpriv -f SHA256 signify -Ve -p "${SIGNIFY_KEY}" -x SHA256.sig -m SHA256 +fi -unpriv -f SHA256 signify -Ve -p "${SIGNIFY_KEY}" -x SHA256.sig -m SHA256 rm SHA256.sig if cmp -s /var/db/installed.SHA256 SHA256 && ! $FORCE; then |