-.\" $OpenBSD: sysupgrade.8,v 1.18 2024/09/25 16:26:37 florian Exp $
+.\" $OpenBSD: sysupgrade.8,v 1.19 2024/10/07 13:21:53 deraadt Exp $
.\"
.\" Copyright (c) 2019 Florian Obser <florian@openbsd.org>
.\"
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: September 25 2024 $
+.Dd $Mdocdate: October 7 2024 $
.Dt SYSUPGRADE 8
.Os
.Sh NAME
The default is to upgrade to the next release.
.El
.Pp
+When updating to a release or snapshot which lacks the required signify
+key in
+.Pa /etc/signify ,
+the missing key will be downloaded in a secure way.
+In the usual case, the key will already be present because OpenBSD
+releases ship with the current key, the next key, and a collection of
+older keys.
+.Pp
See
.Xr upgrade.site 5
for how to customize the upgrade process.
#!/bin/ksh
#
-# $OpenBSD: sysupgrade.sh,v 1.54 2024/09/25 13:55:23 sthen Exp $
+# $OpenBSD: sysupgrade.sh,v 1.55 2024/10/07 13:21:53 deraadt Exp $
#
# Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
# Copyright (c) 2015 Robert Peichaer <rpe@openbsd.org>
fi
fi
-SHORT_VERSION=${NEXT_VERSION%.*}${NEXT_VERSION#*.}
-if ! [[ -r /etc/signify/openbsd-${SHORT_VERSION}-base.pub ]]; then
- echo "${0##*/}: signify key not found; download into /etc/signify from" 1>&2
- echo "https://ftp.openbsd.org/pub/OpenBSD/signify/openbsd-${SHORT_VERSION}-base.pub" 1>&2
+# The key extracted from SHA256.sig must precisely match a pattern
+KEY=$(head -1 < SHA256.sig | cut -d' ' -f5 | \
+ egrep '^openbsd-[[:digit:]]{2,3}-base.pub$' || true)
+if [[ -z $KEY ]]; then
+ echo "Invalid SHA256.sig file"
exit 1
fi
+# If required key is not in the system, get it from a signed bundle
+if ! [[ -r /etc/signify/$KEY ]]; then
+ HAVEKEY=$(cd /etc/signify && ls -1 openbsd-*-base.pub | \
+ tail -2 | head -1 | cut -d- -f2)
+ BUNDLE=sigbundle-${HAVEKEY}.tgz
+ echo "Adding additional key $KEY from bundle $BUNDLE"
+ unpriv -f ${BUNDLE} ftp -N sysupgrade -Vmo $BUNDLE https://ftp.openbsd.org/pub/OpenBSD/signify/$BUNDLE
+ signify -Vzq -m - -x $BUNDLE | (cd /etc/signify && tar xfz - $KEY)
+ rm $BUNDLE
+fi
+
unpriv -f SHA256 signify -Ve -x SHA256.sig -m SHA256
rm SHA256.sig
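Review bot: The bundle verification `signify -Vzq -m - -x $BUNDLE | (cd /etc/signify && tar xfz - $KEY)` has no status check of its own: the pipeline's exit status is tar's, so a bundle whose embedded signature does not verify is only noticed indirectly later, when `signify -Ve -x SHA256.sig -m SHA256` reports the key as still missing, and the user gets a misleading error (unless the script enables pipefail earlier, which is not visible in this hunk). I would confirm the key actually landed before moving on, e.g. after `rm $BUNDLE` add `[[ -r /etc/signify/$KEY ]] || { echo "${0##*/}: could not obtain signify key $KEY" 1>&2; exit 1; }`. The name pattern should also escape the dot, `'^openbsd-[[:digit:]]{2,3}-base\.pub$'`, so that only the literal `base.pub` is accepted from the untrusted comment line rather than any character in that position. `echo "Invalid SHA256.sig file"` now goes to stdout, whereas the removed message was prefixed with `${0##*/}:` and sent to stderr with `1>&2`; diagnostics should keep that form. Finally, the choice of the second-newest local key for `HAVEKEY` (`tail -2 | head -1`) deserves a comment such as `# the newest local key is the "next" key, which has no bundle signed by it yet`, assuming that is indeed the reason — please confirm.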