From be53cb2d9a889971dc5cede6b5957d0bf5ac9141 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Fri, 11 Oct 2024 14:12:05 +0000
Subject: [PATCH] The fw keys have been added to the signify key bundles. sysupgrade will now extract the fw key also, so that pre-upgrade fw_update can fetch the most uptodate firmware. ok sthen
---
 usr.sbin/sysupgrade/sysupgrade.8 | 10 +++++-----
 usr.sbin/sysupgrade/sysupgrade.sh | 7 ++++---
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/usr.sbin/sysupgrade/sysupgrade.8 b/usr.sbin/sysupgrade/sysupgrade.8
index b933e74a683..805432800c5 100644
--- a/usr.sbin/sysupgrade/sysupgrade.8
+++ b/usr.sbin/sysupgrade/sysupgrade.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysupgrade.8,v 1.20 2024/10/07 15:57:15 jmc Exp $
+.\" $OpenBSD: sysupgrade.8,v 1.21 2024/10/11 14:12:05 deraadt Exp $
 .\"
 .\" Copyright (c) 2019 Florian Obser
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 7 2024 $
+.Dd $Mdocdate: October 11 2024 $
 .Dt SYSUPGRADE 8
 .Os
 .Sh NAME
@@ -76,10 +76,10 @@ The default is to upgrade to the next release.
 .El
 .Pp
 When updating to a release or snapshot which lacks the required signify
-key in
+keys in
 .Pa /etc/signify ,
-the missing key will be downloaded in a secure way.
-In the usual case, the key will already be present because
+the missing keys will be downloaded in a secure way.
+In the usual case, the keys will already be present because
 .Ox
 releases ship with the current key, the next key, and a collection of older keys.
diff --git a/usr.sbin/sysupgrade/sysupgrade.sh b/usr.sbin/sysupgrade/sysupgrade.sh
index 75467536f78..9e5b304b31d 100644
--- a/usr.sbin/sysupgrade/sysupgrade.sh
+++ b/usr.sbin/sysupgrade/sysupgrade.sh
@@ -1,6 +1,6 @@
 #!/bin/ksh
 #
-# $OpenBSD: sysupgrade.sh,v 1.55 2024/10/07 13:21:53 deraadt Exp $
+# $OpenBSD: sysupgrade.sh,v 1.56 2024/10/11 14:12:05 deraadt Exp $
 #
 # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
 # Copyright (c) 2015 Robert Peichaer
@@ -153,9 +153,10 @@ if ! [[ -r /etc/signify/$KEY ]]; then
 HAVEKEY=$(cd /etc/signify && ls -1 openbsd-*-base.pub | \
 tail -2 | head -1 | cut -d- -f2)
 BUNDLE=sigbundle-${HAVEKEY}.tgz
- echo "Adding additional key $KEY from bundle $BUNDLE"
+ FWKEY=$(echo $KEY | sed -e 's/base/fw/')
+ echo "Adding missing keys from bundle $BUNDLE"
 unpriv -f ${BUNDLE} ftp -N sysupgrade -Vmo $BUNDLE https://ftp.openbsd.org/pub/OpenBSD/signify/$BUNDLE
- signify -Vzq -m - -x $BUNDLE | (cd /etc/signify && tar xfz - $KEY)
+ signify -Vzq -m - -x $BUNDLE | (cd /etc/signify && tar xfz - $KEY $FWKEY)
 rm $BUNDLE
 fi
-- 
2.20.1
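Review bot: In the `@@ -153,9 +153,10 @@` hunk of sysupgrade.sh the fw key is extracted only inside the branch guarded by `if ! [[ -r /etc/signify/$KEY ]]` (shown in the hunk header), so a system that already has the base key but lacks the matching fw key never gets it, and the pre-upgrade fw_update described in the commit message would presumably have no key to verify the new firmware against. Consider deriving `FWKEY` before the test and checking both files, e.g. `if ! [[ -r /etc/signify/$KEY && -r /etc/signify/$FWKEY ]]; then`. The `if` line and the assignment of `KEY` lie outside the hunk, so this is inferred from the header alone; it is also worth confirming that `KEY` always contains `base` exactly once, since `sed -e 's/base/fw/'` rewrites only the first match.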