@@ -190,56 +190,123 @@ function get_updater_url() {
190190 echo "This operation system ${UNAME} is not supported by updater."
191191 exit 1
192192 fi
193+
193194 # the updater will auto-update itself to the latest version, this means that the version of updater that is downloaded
194195 # can be arbitrary as long as the self-updating functionality is working, hence the hard-coded version
196+ UPDATER_URL="http://algorand-dev-deb-repo.s3 -website-us-east-1 .amazonaws.com/releases/stable/f9 d842778 _3 .6 .2 /install_stable_${OS} - ${ARCH} _3 .6 .2 .tar.gz"
195197 UPDATER_FILENAME="install_stable_${OS} - ${ARCH} _3 .6 .2 .tar.gz"
196- UPDATER_URL="https://github.com/algorand/go-algorand/releases/download/v3 .6 .2 -stable/install_stable_${OS} - ${ARCH} _3 .6 .2 .tar.gz"
198+
199+ # if on linux, also set variables for signature and checksum validation
200+ if [ "$OS " = "linux" ]; then
201+ UPDATER_PUBKEYURL="https://releases.algorand.com/key.pub"
202+ UPDATER_SIGURL="http://algorand-dev-deb-repo.s3 -website-us-east-1 .amazonaws.com/releases/stable/f9 d842778 _3 .6 .2 /install_stable_${OS} - ${ARCH} _3 .6 .2 .tar.gz.sig"
203+ UPDATER_CHECKSUMURL="https://algorand-releases.s3 .amazonaws.com/channel/stable/hashes_stable_${OS} _${ARCH} _3 .6 .2 "
204+ fi
197205}
198206
199207# check to see if the binary updater exists. if not, it will automatically the correct updater binary for the current platform
200208function check_for_updater() {
209+ local UNAME
210+ UNAME="$(uname)"
211+
201212 # check if the updater binary exist and is not empty.
202213 if [[ -s "${SCRIPTPATH} / updater" && - f "${SCRIPTPATH} / updater" ]]; then
203214 return 0
204215 fi
216+
217+ # set UPDATER_URL and UPDATER_ARCHIVE as a global that can be referenced here
218+ # if linux, UPDATER_PUBKEYURL, UPDATER_SIGURL, UPDATER_CHECKSUMURL will be set to try verification
205219 get_updater_url
206220
207- # check the curl is available.
208- CURL_VER=$(curl -V 2 >/dev/null || true)
209- if [ "${CURL_VER} " = "" ]; then
221+ # check if curl is available
222+ if ! type curl &>/dev/null; then
210223 # no curl is installed.
211224 echo "updater binary is missing and cannot be downloaded since curl is missing."
212- if [[ "$(uname) " = "Linux" ] ]; then
225+ if [ "$UNAME " = "Linux" ]; then
213226 echo "To install curl, run the following command:"
214227 echo "apt-get update; apt-get install -y curl"
215228 fi
216229 exit 1
217230 fi
218231
219232 # create temporary directory for updater archive
220- local UPDATER_TEMPDIR=""
233+ local UPDATER_TEMPDIR="" UPDATER_ARCHIVE=""
221234 UPDATER_TEMPDIR="$(mktemp -d 2 >/dev/null || mktemp -d -t "tmp")"
235+ UPDATER_ARCHIVE="${UPDATER_TEMPDIR} / ${UPDATER_FILENAME} "
222236
223- local UPDATER_ARCHIVE="${UPDATER_TEMPDIR} / ${UPDATER_FILENAME} "
224-
225- CURL_OUT=$(curl -sSL ${UPDATER_URL} - o "$UPDATER_ARCHIVE ")
226- if [ "$? " != "0 " ]; then
227- echo "failed to download updater binary from ${UPDATER_URL} using curl."
228- echo "${CURL_OUT} "
237+ # download updater archive
238+ if ! curl -sSL "$UPDATER_URL " -o "$UPDATER_ARCHIVE "; then
239+ echo "failed to download updater archive from ${UPDATER_URL} using curl."
229240 exit 1
230241 fi
231242
232- if [ ! -f "${ UPDATER_ARCHIVE} " ]; then
243+ if [ ! -f "$UPDATER_ARCHIVE " ]; then
233244 echo "downloaded file ${UPDATER_ARCHIVE} is missing."
234245 exit
235246 fi
236247
248+ # if linux, check for checksum and signature validation dependencies
249+ local GPG_VERIFY="0 " CHECKSUM_VERIFY="0 "
250+ if [ "$UNAME " = "Linux" ]; then
251+ if type gpg >&/dev/null; then
252+ GPG_VERIFY="1 "
253+ else
254+ echo "gpg is not available to perform signature validation."
255+ fi
256+
257+ if type sha256 sum &>/dev/null; then
258+ CHECKSUM_VERIFY="1 "
259+ else
260+ echo "sha256 sum is not available to perform checksum validation."
261+ fi
262+ fi
263+
264+ # try signature validation
265+ if [ "$GPG_VERIFY " = "1 " ]; then
266+ local UPDATER_SIGFILE="$UPDATER_TEMPDIR /updater.sig" UPDATER_PUBKEYFILE="key.pub"
267+ # try downloading public key
268+ if curl -sSL "$UPDATER_PUBKEYURL " -o "$UPDATER_PUBKEYFILE "; then
269+ if gpg --import "$UPDATER_PUBKEYFILE "; then
270+ if curl -sSL "$UPDATER_SIGURL " -o "$UPDATER_SIGFILE "; then
271+ if ! gpg --verify "$UPDATER_SIGFILE " "$UPDATER_ARCHIVE "; then
272+ echo "failed to verify signature of updater archive."
273+ exit 1
274+ fi
275+ else
276+ echo "failed download signature file, cannot perform signature validation."
277+ fi
278+ else
279+ echo "failed importing GPG public key, cannot perform signature validation."
280+ fi
281+ else
282+ echo "failed downloading GPG public key, cannot perform signature validation."
283+ fi
284+ fi
285+
286+ # try checksum validation
287+ if [ "$CHECKSUM_VERIFY " = "1 " ]; then
288+ local UPDATER_CHECKSUMFILE="$UPDATER_TEMPDIR /updater.checksum"
289+ # try downloading checksum file
290+ if curl -sSL "$UPDATER_CHECKSUMURL " -o "$UPDATER_CHECKSUMFILE "; then
291+ # have to be in same directory as archive
292+ pushd "$UPDATER_TEMPDIR "
293+ if ! sha256 sum --quiet --ignore-missing -c "$UPDATER_CHECKSUMFILE "; then
294+ echo "failed to verify checksum of updater archive."
295+ popd
296+ exit 1
297+ fi
298+ popd
299+ else
300+ echo "failed downloading checksum file, cannot perform checksum validation."
301+ fi
302+ fi
303+
237304 # extract and install updater
238- tar -zxf "$UPDATER_ARCHIVE " -C "$UPDATER_TEMPDIR " updater
239- mv "${UPDATER_TEMPDIR} / updater" "${SCRIPTPATH} "
240- if [ "$? " != "0 " ]; then
305+ if ! tar -zxf "$UPDATER_ARCHIVE " -C "$UPDATER_TEMPDIR " updater; then
241306 echo "failed to extract updater binary from ${UPDATER_ARCHIVE} "
242307 exit 1
308+ else
309+ mv "${UPDATER_TEMPDIR} / updater" "$SCRIPTPATH "
243310 fi
244311
245312 # clean up temp directory
0 commit comments