securely update to a newer version by verifying the signed git tag prior to checkout
This commit is contained in:
Joshua Tauberer
parent
cbb7f29f96
commit
dec117d03b
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v1
|
||||
|
||||
mQENBFN+hN4BCADARMfTK/kDWNz5tFVXXrLfY0QSF9CBO4+vor3MVUmq5ygMcyq4
|
||||
NX1FVDKoruzCo5hI/91o1QZuer5oZ716TACg46XivdgL66Y7rMZL5rVDmUKuDWit
|
||||
tpVrL0Gaw6xsu7/ZloFDyHI5yUvB1cdGe4HYZY1Xn/2CE0YJaXxO2JjkTNWSiutx
|
||||
LA0RV08nPeaiAt1KcCa2tO7RkG51uC0O3O67xr6xz6/q95Q2DBJpLYpoh+6yIoEY
|
||||
L736peHQKZfcFfCOPQKpxKW+SEsUTvJ8qzQipGYpugiGGhDHzXBYKJk1V77BbWAP
|
||||
3x4Ubj4UWFB54yhgPrBgvQajvoB08mzZEnopABEBAAG0IEpvc2h1YSBUYXViZXJl
|
||||
ciA8anRAb2NjYW1zLmluZm8+iQE5BBMBAgAjBQJTfoTeAhsDBwsJCAcDAgEGFQgC
|
||||
CQoLBBYCAwECHgECF4AACgkQuSBB9MEL3YFFOQgAkDfptbzC9Lq4zstIfUPl4by/
|
||||
NeoCpsYahaNwWLYiDpQEUZIOsJO1Qi2IFll4tXAyDTGAXYZCbf4+v1lzVyN49h5j
|
||||
70BuajISI6dcAb1IEZzIXx0vV1rMuu0iNYdwhFNi8KrP5iR3BHwZZ5Lql1UdkJNT
|
||||
xVrz4cmr5jPGdFRizD9MXrI4bvt+pSOeykJasuTeH7a3uHBMPyydAivtbNRbo+Zn
|
||||
IgV25FUADSFt6xD9AKfq6wLxN+P8P6PE/jZWDv9W4KtR5TqAhCq7D7Yvk8aJXubN
|
||||
P2xfjFl6TXa5bcuHuldkmx5lacpag2HSmivIT261W3pIVC3lrkxB8T6rdux8ErkB
|
||||
DQRTfoTeAQgAn5ijmVJtxPGvbdcaCsYD3+fCnAKNEdAJtJcy/e/lowKeEiIJZ9qV
|
||||
ATFIFmIG9VZunZ7nD5F/4KMj6ht0JTXuY458VjK9jO1bPU2YM7Xo7zjJi8bFI0B/
|
||||
2ya95M7polLUF/lhKHKUuxxANAW4guLahe5JotUnoRycxQkKWBhTF5VdayucSAZG
|
||||
XlmSBUjIGjHbmTI50dAMQZffNOIvDIkpeCEQjPVRObCvr18xKDHhBaEJhd+wfA2T
|
||||
6N4fMlwBgfeR1zdFrGt2SshVc28YvaoccWmP1xn6w/30J25swadeuDYZFckXjVv7
|
||||
HPLtvyzuNdf7pI0A9rnlGF5rNt6yKSqeiQARAQABiQEfBBgBAgAJBQJTfoTeAhsM
|
||||
AAoJELkgQfTBC92B0rAH/0hSoHcB5WIn4GLTz0D0wWQ6Y2wKDixOBGvH+S9aroSc
|
||||
0bKud7VphpFm/4CKWOZ0sphsnmRZ2Dsk/3996pXjLL5T1HWgAkltYmTdWEg9BiEj
|
||||
PlbcImF95tILJ7GC0QrXipUx+ktLayiT5LjcbZiYCGaWVdJM2hVdOLdHhh84dqNX
|
||||
xautvI8RDFI1lN0RdyFA5CQAvIWOSTLC1QdLAgkCf7+uQGwUo2ubgapPWptRJYk8
|
||||
rZuw6+Vi3NETYO0ExDxTFmVKRlMidsE0azMeY6JYpKb9jewKngfxa6oUSaygrhxQ
|
||||
9gESPA2XZUvx/3PWBAMskBZxjOH/Lhabls0AUxaOYf0=
|
||||
=SHsx
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
|
@ -1,11 +1,14 @@
|
|||
#!/bin/bash
|
||||
#########################################################
|
||||
# This script is intended to be run like this:
|
||||
################################################################
|
||||
#
|
||||
# This script is posted on HTTPS to make first-time installation
|
||||
# super simple. Download and pipe to bash, e.g.:
|
||||
#
|
||||
# curl https://.../bootstrap.sh | sudo bash
|
||||
#
|
||||
#########################################################
|
||||
################################################################
|
||||
|
||||
# What is the current version?
|
||||
if [ -z "$TAG" ]; then
|
||||
TAG=v0.08
|
||||
fi
|
||||
|
|
@ -35,17 +38,6 @@ fi
|
|||
# Change directory to it.
|
||||
cd $HOME/mailinabox
|
||||
|
||||
# Update it.
|
||||
if [ "$TAG" != `git describe` ]; then
|
||||
echo Updating Mail-in-a-Box to $TAG . . .
|
||||
git fetch --depth 1 --force --prune origin tag $TAG
|
||||
if ! git checkout -q $TAG; then
|
||||
echo "Update failed. Did you modify something in `pwd`?"
|
||||
exit
|
||||
fi
|
||||
echo
|
||||
fi
|
||||
|
||||
# Start setup script.
|
||||
setup/start.sh
|
||||
# Run the upgrade script, which in turn runs the setup script.
|
||||
setup/upgrade.sh $TAG
|
||||
|
||||
|
|
|
|||
|
|
@ -20,13 +20,14 @@ apt_get_quiet upgrade
|
|||
# * cron: Runs background processes periodically.
|
||||
# * ntp: keeps the system time correct
|
||||
# * fail2ban: scans log files for repeated failed login attempts and blocks the remote IP at the firewall
|
||||
# * gpg: used by upgrade.sh to verify the Mail-in-a-Box tag signature, also by duplicity to make backups
|
||||
# * git: we install some things directly from github
|
||||
# * sudo: allows privileged users to execute commands as root without being root
|
||||
# * coreutils: includes `nproc` tool to report number of processors
|
||||
# * bc: allows us to do math to compute sane defaults
|
||||
|
||||
apt_install python3 python3-dev python3-pip \
|
||||
wget curl git sudo coreutils bc \
|
||||
wget curl gpg git sudo coreutils bc \
|
||||
haveged unattended-upgrades cron ntp fail2ban
|
||||
|
||||
# Allow apt to install system updates automatically every day.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,88 @@
|
|||
#!/bin/bash
|
||||
# Updates an existing Mail-in-a-Box installation to a newer tag.
|
||||
################################################################
|
||||
|
||||
# Are we running as root?
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
echo "This script must be run as root. Did you leave out sudo?"
|
||||
exit
|
||||
fi
|
||||
|
||||
# Was a tag specified on the command line?
|
||||
TAG=$1
|
||||
if [ -z "$TAG" ]; then
|
||||
echo "Usage: setup/upgrade.sh TAGNAME"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Is Mail-in-a-Box already installed?
|
||||
if [ ! -d $HOME/mailinabox ]; then
|
||||
echo Could not find your Mail-in-a-Box installation at $HOME/mailinabox.
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Change directory to it.
|
||||
cd $HOME/mailinabox
|
||||
|
||||
# Are we on that tag?
|
||||
if [ "$TAG" == `git describe` ]; then
|
||||
echo "You already have Mail-in-a-Box $TAG. Run"
|
||||
echo " sudo setup/start.sh"
|
||||
echo "if there are any problems."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Fetch that tag.
|
||||
# bootstrap.sh script makes a shallow clone of our repository,
|
||||
# which makes the download faster, but it also makes it harder
|
||||
# to switch to a different tag. This magic combination of options
|
||||
# to git seems to do the trick.
|
||||
echo Updating Mail-in-a-Box to $TAG . . .
|
||||
git fetch --depth 1 --force --prune origin tag $TAG
|
||||
|
||||
# Check that the tag exists and we're moving to a later version, not backwards.
|
||||
CUR_VER_TIMESTAMP=$(git show -s --format="%ct") # commit time of HEAD
|
||||
NEW_VER_TIMESTAMP=$(git show -s --format="%ct" $TAG^{tag}^{commit}) # commit time of the commit that the tag tags
|
||||
if [ -z "$NEW_VER_TIMESTAMP" ]; then echo "$TAG is not a version of Mail-in-a-Box."; exit 1; fi
|
||||
if [ $CUR_VER_TIMESTAMP -gt $NEW_VER_TIMESTAMP ]; then
|
||||
echo -n "$TAG is older than the version you currently have installed: "
|
||||
git describe
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Set up a temporary GPG keyring specifically for holding the
|
||||
# Mail-in-a-Box maintainer's signing key. Load the keys found
|
||||
# in the Mail-in-a-Box installation path. These keys are trusted
|
||||
# in so far as the user has already gotten them. On first installs,
|
||||
# we just bootstrap by assuming whatever is in github is good.
|
||||
KEYRING=/tmp/miab-upgrade-keyring
|
||||
rm -rf $KEYRING
|
||||
mkdir -p $KEYRING
|
||||
for key in `find keys/ -type f`; do
|
||||
GNUPGHOME=$KEYRING gpg --import $key
|
||||
done
|
||||
|
||||
# Prior to checking out the tag, verify that it was signed by a
|
||||
# known key. gpg will return a success exit code if the tag is
|
||||
# signed by any key known to gpg, whether trusted or not, which
|
||||
# is why we establish a separate keyring for this purpose.
|
||||
if ! GNUPGHOME=$KEYRING git verify-tag $TAG 2>&1 > /dev/null; then
|
||||
echo "$TAG was not signed by the Mail-in-a-Box authors. This could"
|
||||
echo "indicate the github repository has been compromised. Check"
|
||||
echo "https://twitter.com/mailinabox and https://mailinabox.email/"
|
||||
echo "for further instructions, although keep in mind that those"
|
||||
echo "resources could be compromised as well."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Clean up.
|
||||
rm -rf $KEYRING
|
||||
|
||||
# Checkout the tag.
|
||||
if ! git checkout -q $TAG; then
|
||||
echo "Update failed. Did you modify something in `pwd`?"
|
||||
exit
|
||||
fi
|
||||
|
||||
# Start setup script.
|
||||
setup/start.sh
|
||||
Loading…
Reference in New Issue