Last active
August 29, 2015 14:17
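#!/bin/bash
# Intended for installing the corresponding VirtualBox Extension Pack with secure verification. (A local network adversary can't forge the installed package.)
# This version uses a temporary directory.
#
# Trust model: the pack itself is downloaded over plain HTTP, so its integrity
# rests entirely on the SHA256SUMS file downloaded over HTTPS. Keep wget's
# certificate verification enabled for that download (no --no-check-certificate).
#
# It is written to be as fail-safe and fail-secure as possible, but no warranty is provided.
#

# safety settings
set -u # Not strictly needed, but it is safer
set -e # NEEDED for safety and security! A failed download or checksum must abort before the install step.
set -o pipefail # Not strictly needed, but it is safer

# tmp dir
# A fresh `mktemp -d` directory keeps the file being verified away from paths
# chosen by anyone else between the checksum step and the install step.
dir="$(mktemp -d)"
trap 'echo -n Cleaning up...; rm -r -- "$dir"; echo' EXIT

# gather info
# sed reads the whole help output and prints only line 1. There is no
# early-exiting `head`, so VirtualBox cannot receive SIGPIPE and make the
# pipeline fail spuriously under `pipefail`.
version="$(VirtualBox --help | sed -n '1{s/Oracle VM VirtualBox Manager //;p;}')"

# The version is interpolated into a URL and into file names below. Abort
# early if it is empty or contains anything unexpected, e.g. because the
# banner format changed and the sed expression no longer strips the prefix.
if [[ ! "$version" =~ ^[0-9A-Za-z._-]+$ ]]; then
  echo "Unexpected VirtualBox version string: '$version'" >&2
  exit 1
fi

filename="Oracle_VM_VirtualBox_Extension_Pack-$version.vbox-extpack"
suffix=".$(uuidgen).wip" # adding a uuid to the suffix prevents an accidental match of the filename; might no longer be needed now that a temporary directory is used
url="http://dlc-cdn.sun.com/virtualbox/$version/$filename"

# download
# The checksum list comes over HTTPS (authenticated); the pack comes over HTTP (unauthenticated).
wget -O "$dir/SHA256SUMS" "https://www.virtualbox.org/download/hashes/$version/SHA256SUMS"
wget -O "$dir/$filename$suffix" "$url"

# verify and rename
# Every SHA256SUMS line gets the .wip suffix appended, then only the line for
# our file is kept and handed to `sha256sum -c`. If no line matches, grep
# fails and (with pipefail + set -e) the script aborts before installing.
# The `grep -F -- "$filename"` is a hack, but I am not aware of any better way in Bash without writing tons of code. But uuid in the suffix and special directory should make it safe enough, although it is a hack.
sed 's/$/'"$suffix"'/' "$dir/SHA256SUMS" | grep -F -- " *$filename$suffix" | (cd "$dir" && sha256sum -c)
# The file only gets its final name after the checksum has been verified.
mv "$dir/$filename$suffix" "$dir/$filename"

# install
VBoxManage extpack install --replace "$dir/$filename"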