v6ak/install-virtualbox-extpack.sh

## install-virtualbox-extpack.sh
#!/bin/bash
# Intended for installing the corresponding VirtualBox Extension Pack with secure verification. (A local network adversary can't forge the installed package.)
# This version uses a temporary directory.
#
# It is written to be as fail-safe and fail-secure as possible, but no warranty is provided.
#

# safety settings
set -u # Not strictly needed, but it is safer
set -e # NEEDED for safety and security!
set -o pipefail # Not strictly needed, but it is safer

# tmp dir
dir="$(mktemp -d)"
trap 'echo -n Cleaning up...; rm -r "$dir"; echo' EXIT

# gather info
version="$(VirtualBox --help | head -n1 | sed 's/Oracle VM VirtualBox Manager //')"
filename="Oracle_VM_VirtualBox_Extension_Pack-$version.vbox-extpack"
suffix=".$(uuidgen).wip" # adding an uuid to suffix prefents an accidental match of the filename; Moght be no longer needed since we use
url="http://dlc-cdn.sun.com/virtualbox/$version/$filename"

# download
wget -O "$dir/SHA256SUMS" "https://www.virtualbox.org/download/hashes/$version/SHA256SUMS"
wget -O "$dir/$filename$suffix" "$url"

# verify and rename
cat "$dir/SHA256SUMS" | sed 's/$/'"$suffix"'/' | grep -F -- " *$filename$suffix" | (cd "$dir" && sha256sum -c) # The `grep -F -- "$filename"` is a hack, but I am not aware of any better way in Bash without writing tons of code. But uuid in the suffix and special directory should make it safe enough, although it is a hack.
mv "$dir/$filename$suffix" "$dir/$filename"

# install
VBoxManage extpack install --replace "$dir/$filename"
	#!/bin/bash
	# Intended for installing the corresponding VirtualBox Extension Pack with secure verification. (A local network adversary can't forge the installed package.)
	# This version uses a temporary directory.
	#
	# It is written to be as fail-safe and fail-secure as possible, but no warranty is provided.
	#

	# safety settings
	set -u # Not strictly needed, but it is safer
	set -e # NEEDED for safety and security!
	set -o pipefail # Not strictly needed, but it is safer

	# tmp dir
	dir="$(mktemp -d)"
	trap 'echo -n Cleaning up...; rm -r "$dir"; echo' EXIT

	# gather info
	version="$(VirtualBox --help \| head -n1 \| sed 's/Oracle VM VirtualBox Manager //')"
	filename="Oracle_VM_VirtualBox_Extension_Pack-$version.vbox-extpack"
	suffix=".$(uuidgen).wip" # adding an uuid to suffix prefents an accidental match of the filename; Moght be no longer needed since we use
	url="http://dlc-cdn.sun.com/virtualbox/$version/$filename"

	# download
	wget -O "$dir/SHA256SUMS" "https://www.virtualbox.org/download/hashes/$version/SHA256SUMS"
	wget -O "$dir/$filename$suffix" "$url"

	# verify and rename
	cat "$dir/SHA256SUMS" \| sed 's/$/'"$suffix"'/' \| grep -F -- " *$filename$suffix" \| (cd "$dir" && sha256sum -c) # The `grep -F -- "$filename"` is a hack, but I am not aware of any better way in Bash without writing tons of code. But uuid in the suffix and special directory should make it safe enough, although it is a hack.
	mv "$dir/$filename$suffix" "$dir/$filename"

	# install
	VBoxManage extpack install --replace "$dir/$filename"