Created
January 20, 2019 23:13
-
-
Save Diagonactic/f9f3ad2bb41948be6f9a8aecf4d58be7 to your computer and use it in GitHub Desktop.
ZShell script to check/correct Keybase RPM Repository and code signing keys for reliable updates
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env zsh | |
| # | |
| # Copyright (C) 2019 Matthew S. Dippel | |
| # under the terms of the MIt License at https://opensource.org/licenses/MIT | |
| # | |
| # Description: Checks an openSUSE Tumbleweed (and probably others) installation for the proper | |
| # configuration of keybase's repository and gpg/pgp keys | |
| # Author: | |
| # Matthew S. Dippel :: https://github.com/Diagonactic :: https://keybase.io/mdip | |
| die() { print -- "ERROR: $1"; exit 1 } | |
| get-sha256() { print -n -- "${$(sha256sum "$1")%% *}" } | |
| get-sha256-scalar() { get-sha256 =(print -n -- "$1") } | |
| repo-expected-matches() { [[ -f '/etc/zypp/repos.d/keybase.repo' && "$(get-sha256 /etc/zypp/repos.d/keybase.repo)" == "$EXPECTED_SUM" ]] } | |
| has-rpm-gpg-key() { rpm -qi gpg-pubkey-656d16c7-528b8ba7 > /dev/null 2>&1 } | |
| success() { | |
| print -- 'Everything looks correct. You should be able to:' | |
| print -- ' sudo zypper refresh --repo keybase --force && sudo zypper up keybase' | |
| exit 0 | |
| } | |
| local KEYBASE_REPOFILE='[keybase] | |
| name=keybase | |
| enabled=1 | |
| autorefresh=1 | |
| baseurl=http://prerelease.keybase.io/rpm/x86_64 | |
| type=rpm-md | |
| priority=50 | |
| gpgkey=https://keybase.io/docs/server_security/code_signing_key.asc | |
| keeppackages=0' | |
| local EXPECTED_SUM="$(get-sha256-scalar "$KEYBASE_REPOFILE")" | |
| # Keybase Repository File for openSuSE Tumbleweed | |
| repo-expected-matches \ | |
| && local -ir needs_repodef=0 \ | |
| || local -ir needs_repodef=1 | |
| has-rpm-gpg-key \ | |
| && local -ir needs_gpg_key=0 \ | |
| || local -ir needs_gpg_key=1 | |
| (( needs_repodef + needs_gpg_key > 0 )) || success | |
| if (( $EUID == 0 )); then | |
| (( needs_repodef == 0 )) || { | |
| print -n -- "$KEYBASE_REPOFILE" > /etc/zypp/repos.d/keybase.repo | |
| repo-expected-matches || die "keybase.repo could did not pass signature check or could not be installed to /etc/zypp/repos.d/keybase.repo" | |
| } | |
| (( needs_gpg_key == 0 )) || { | |
| rpm --import =(curl -sL https://keybase.io/docs/server_security/code_signing_key.asc) || die "Failed to import code signing key" | |
| has-rpm-gpg-key || die "Import reported success, however, cannot find Keybase.io GPG key" | |
| } | |
| success | |
| else | |
| print -- "Keybase update apepars to be broken. To fix it, I need root privileges, so you may get a sudo prompt, next" | |
| sudo "$0" "$@" | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment