-.\" $OpenBSD: sysupgrade.8,v 1.20 2024/10/07 15:57:15 jmc Exp $
+.\" $OpenBSD: sysupgrade.8,v 1.21 2024/10/11 14:12:05 deraadt Exp $
.\"
.\" Copyright (c) 2019 Florian Obser <florian@openbsd.org>
.\"
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: October 7 2024 $
+.Dd $Mdocdate: October 11 2024 $
.Dt SYSUPGRADE 8
.Os
.Sh NAME
.El
.Pp
When updating to a release or snapshot which lacks the required signify
-key in
+keys in
.Pa /etc/signify ,
-the missing key will be downloaded in a secure way.
-In the usual case, the key will already be present because
+the missing keys will be downloaded in a secure way.
+In the usual case, the keys will already be present because
.Ox
releases ship with the current key, the next key, and a collection of
older keys.
#!/bin/ksh
#
-# $OpenBSD: sysupgrade.sh,v 1.55 2024/10/07 13:21:53 deraadt Exp $
+# $OpenBSD: sysupgrade.sh,v 1.56 2024/10/11 14:12:05 deraadt Exp $
#
# Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
# Copyright (c) 2015 Robert Peichaer <rpe@openbsd.org>
HAVEKEY=$(cd /etc/signify && ls -1 openbsd-*-base.pub | \
tail -2 | head -1 | cut -d- -f2)
BUNDLE=sigbundle-${HAVEKEY}.tgz
- echo "Adding additional key $KEY from bundle $BUNDLE"
+ FWKEY=$(echo $KEY | sed -e 's/base/fw/')
+ echo "Adding missing keys from bundle $BUNDLE"
unpriv -f ${BUNDLE} ftp -N sysupgrade -Vmo $BUNDLE https://ftp.openbsd.org/pub/OpenBSD/signify/$BUNDLE
- signify -Vzq -m - -x $BUNDLE | (cd /etc/signify && tar xfz - $KEY)
+ signify -Vzq -m - -x $BUNDLE | (cd /etc/signify && tar xfz - $KEY $FWKEY)
rm $BUNDLE
fi
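Review bot: The member list on the `tar xfz - $KEY $FWKEY` line is what limits which bundle entries get written into /etc/signify, yet both names are expanded unquoted, and `FWKEY` comes from an unanchored `sed -e 's/base/fw/'` that rewrites the first `base` anywhere in `$KEY`. `KEY` is assigned outside the hunk, so its exact form is not visible here. If it always matches `openbsd-NN-base.pub`, as the `ls` pattern above suggests, then `FWKEY=${KEY%-base.pub}-fw.pub` and `tar xfz - "$KEY" "$FWKEY"` keep the list to exactly two literal names without spawning sed. The pipeline's exit status is tar's alone, so a one-line comment should say whether a bundle that lacks the fw key is meant to abort the upgrade; that depends on error handling such as `set -e`, which is outside this hunk. The enclosing `if` opens above the visible lines.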