From: deraadt Date: Mon, 7 Oct 2024 13:21:53 +0000 (+0000) Subject: The two usual use cases are sysupgrade and sysupgrade -s, jumping X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=0c49c08fbb63600201bd487f2e5f236fdff04262;p=openbsd The two usual use cases are sysupgrade and sysupgrade -s, jumping forward to the same key, or the key+.1. But sometimes you want to update an older machine far forward (either with -s, or with -R), and the required key might not exist on-disk. Since getting the key isn't automated, people make some poor decisions to get the key. Previous to 7.6 the situation was worse, (and obviously older releases will have the old sysupgrade script, though you can copy this one to those machines and it will work, but please do that securely..) Moving forward this improves the workflow: a new set of keybundles (signed by older keys) have been made available so that sysupgrade can securely and automatically download the required key. ok job tb beck sthen --- diff --git a/usr.sbin/sysupgrade/sysupgrade.8 b/usr.sbin/sysupgrade/sysupgrade.8 index 38ca0c98ecb..65ffb456fd8 100644 --- a/usr.sbin/sysupgrade/sysupgrade.8 +++ b/usr.sbin/sysupgrade/sysupgrade.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sysupgrade.8,v 1.18 2024/09/25 16:26:37 florian Exp $ +.\" $OpenBSD: sysupgrade.8,v 1.19 2024/10/07 13:21:53 deraadt Exp $ .\" .\" Copyright (c) 2019 Florian Obser .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 25 2024 $ +.Dd $Mdocdate: October 7 2024 $ .Dt SYSUPGRADE 8 .Os .Sh NAME 
@@ -75,6 +75,14 @@ Upgrade to a snapshot. The default is to upgrade to the next release. .El .Pp +When updating to a release or snapshot which lacks the required signify +key in +.Pa /etc/signify , +the missing key will be downloaded in a secure way. +In the usual case, the key will already be present because OpenBSD +releases ship with the current key, the next key, and a collection of +older keys. +.Pp See .Xr upgrade.site 5 for how to customize the upgrade process. diff --git a/usr.sbin/sysupgrade/sysupgrade.sh b/usr.sbin/sysupgrade/sysupgrade.sh index 6dfd412bdcf..75467536f78 100644 --- a/usr.sbin/sysupgrade/sysupgrade.sh +++ b/usr.sbin/sysupgrade/sysupgrade.sh @@ -1,6 +1,6 @@ #!/bin/ksh # -# $OpenBSD: sysupgrade.sh,v 1.54 2024/09/25 13:55:23 sthen Exp $ +# $OpenBSD: sysupgrade.sh,v 1.55 2024/10/07 13:21:53 deraadt Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback # Copyright (c) 2015 Robert Peichaer 
@@ -140,13 +140,25 @@ if ! unpriv -f SHA256.sig ftp -N sysupgrade -Vmo SHA256.sig ${URL}SHA256.sig; th fi fi -SHORT_VERSION=${NEXT_VERSION%.*}${NEXT_VERSION#*.} -if ! [[ -r /etc/signify/openbsd-${SHORT_VERSION}-base.pub ]]; then - echo "${0##*/}: signify key not found; download into /etc/signify from" 1>&2 - echo "https://ftp.openbsd.org/pub/OpenBSD/signify/openbsd-${SHORT_VERSION}-base.pub" 1>&2 +# The key extracted from SHA256.sig must precisely match a pattern +KEY=$(head -1 < SHA256.sig | cut -d' ' -f5 | \ + egrep '^openbsd-[[:digit:]]{2,3}-base.pub$' || true) +if [[ -z $KEY ]]; then + echo "Invalid SHA256.sig file" exit 1 fi +# If required key is not in the system, get it from a signed bundle +if ! [[ -r /etc/signify/$KEY ]]; then + HAVEKEY=$(cd /etc/signify && ls -1 openbsd-*-base.pub | \ + tail -2 | head -1 | cut -d- -f2) + BUNDLE=sigbundle-${HAVEKEY}.tgz + echo "Adding additional key $KEY from bundle $BUNDLE" + unpriv -f ${BUNDLE} ftp -N sysupgrade -Vmo $BUNDLE https://ftp.openbsd.org/pub/OpenBSD/signify/$BUNDLE + signify -Vzq -m - -x $BUNDLE | (cd /etc/signify && tar xfz - $KEY) + rm $BUNDLE +fi + unpriv -f SHA256 signify -Ve -x SHA256.sig -m SHA256 rm SHA256.sig
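Review bot: in the sysupgrade.sh hunk, `HAVEKEY=$(cd /etc/signify && ls -1 openbsd-*-base.pub | tail -2 | head -1 | cut -d- -f2)` relies on ls's lexical ordering to pick the second-newest key, but the KEY pattern `^openbsd-[[:digit:]]{2,3}-base.pub$` in the same hunk admits three-digit names, and once those exist they sort before the two-digit ones (`openbsd-100-base.pub` precedes `openbsd-76-base.pub`), so the wrong bundle would be requested; sorting the numbers numerically (for example `cut -d- -f2 | sort -n | tail -2 | head -1`) keeps the selection correct. Two smaller points in the same hunk: the bundle fetch `unpriv -f ${BUNDLE} ftp -N sysupgrade -Vmo $BUNDLE ...` has no exit-status check, unlike the `if ! unpriv -f SHA256.sig ftp ...` guard in the context above, and the `signify -Vzq -m - -x $BUNDLE | (cd /etc/signify && tar xfz - $KEY)` pipeline only reports tar's status, so a failed download or a rejected signature surfaces later as an opaque signify error; checking ftp's status, and reporting explicitly when `/etc/signify/$KEY` is still unreadable after extraction, would give the administrator a clear message. Also, `echo "Invalid SHA256.sig file"` drops the `${0##*/}:` prefix and the `1>&2` redirection that the replaced lines used, so the error goes to stdout; keep it on stderr for consistency with the rest of the script.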
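Review bot: in the sysupgrade.8 hunk, "the missing key will be downloaded in a secure way" leaves the trust chain implicit; the script fetches a sigbundle from https://ftp.openbsd.org/pub/OpenBSD/signify/ that is signed by an older key already present in /etc/signify and verifies it with signify(1) before extracting the new key, and stating that (rather than "secure") would let an administrator judge the mechanism and understand why a machine with no usable older key cannot be brought forward this way.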