From 2fd0de4743b134ad1a0be6bea119301d16b98ef5 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sun, 10 Mar 2024 08:43:37 +0100 Subject: [PATCH] Verify that we actually downloaded a valid checksum before comparing it to the local one. This covers situations where downloading the checksum from remote might have failed Signed-off-by: DL6ER --- automated install/basic-install.sh | 38 +++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh index 24abb7e7..eca7d8b0 100755 --- a/automated install/basic-install.sh +++ b/automated install/basic-install.sh @@ -2002,9 +2002,11 @@ FTLcheckUpdate() { local localSha1 if [[ ! "${ftlBranch}" == "master" ]]; then - # Check whether or not the binary for this FTL branch actually exists. If not, then there is no update! + # This is not the master branch local path path="${ftlBranch}/${binary}" + + # Check whether or not the binary for this FTL branch actually exists. If not, then there is no update! # shellcheck disable=SC1090 check_download_exists "$path" local ret=$? @@ -2023,12 +2025,20 @@ FTLcheckUpdate() { fi if [[ ${ftlLoc} ]]; then - # We already have a pihole-FTL binary downloaded. - # Alt branches don't have a tagged version against them, so just confirm the checksum of the local vs remote to decide whether we download or not + # We already have a pihole-FTL binary installed, check if it's the + # same as the remote one + # Alt branches don't have a tagged version against them, so just + # confirm the checksum of the local vs remote to decide whether we + # download or not remoteSha1=$(curl -sSL --fail "https://ftl.pi-hole.net/${ftlBranch}/${binary}.sha1" | cut -d ' ' -f 1) - localSha1=$(sha1sum "$(command -v pihole-FTL)" | cut -d ' ' -f 1) + localSha1=$(sha1sum "${ftlLoc}" | cut -d ' ' -f 1) - if [[ "${remoteSha1}" != "${localSha1}" ]]; then + # Check we downloaded a valid checksum (no 404 or other error like + # no DNS resolution) + if [[ ! "${remoteSha1}" =~ ^[a-f0-9]{40}$ ]]; then + printf " %b Remote checksum not available, trying to download binary from ftl.pi-hole.net.\\n" "${CROSS}" + return 0 + elif [[ "${remoteSha1}" != "${localSha1}" ]]; then printf " %b Checksums do not match, downloading from ftl.pi-hole.net.\\n" "${INFO}" return 0 else @@ -2039,7 +2049,10 @@ FTLcheckUpdate() { return 0 fi else + # This is the master branch if [[ ${ftlLoc} ]]; then + # We already have a pihole-FTL binary installed, check if it's the + # same as the remote one local FTLversion FTLversion=$(/usr/bin/pihole-FTL tag) local FTLlatesttag @@ -2053,15 +2066,24 @@ FTLcheckUpdate() { # Check if the installed version matches the latest version if [[ "${FTLversion}" != "${FTLlatesttag}" ]]; then + # If the installed version does not match the latest version, then download return 0 else + # If the installed version matches the latest version, then + # check the installed sha1sum of the binary vs the remote + # sha1sum. If they do not match, then download printf " %b Latest FTL Binary already installed (%s). Confirming Checksum...\\n" "${INFO}" "${FTLlatesttag}" remoteSha1=$(curl -sSL --fail "https://github.com/pi-hole/FTL/releases/download/${FTLversion%$'\r'}/${binary}.sha1" | cut -d ' ' -f 1) - localSha1=$(sha1sum "$(command -v pihole-FTL)" | cut -d ' ' -f 1) + localSha1=$(sha1sum "${ftlLoc}" | cut -d ' ' -f 1) - if [[ "${remoteSha1}" != "${localSha1}" ]]; then - printf " %b Corruption detected...\\n" "${INFO}" + # Check we downloaded a valid checksum (no 404 or other error like + # no DNS resolution) + if [[ ! "${remoteSha1}" =~ ^[a-f0-9]{40}$ ]]; then + printf " %b Remote checksum not available, trying to redownload binary...\\n" "${CROSS}" + return 0 + elif [[ "${remoteSha1}" != "${localSha1}" ]]; then + printf " %b Corruption detected, redownloading binary...\\n" "${CROSS}" return 0 else printf " %b Checksum correct. No need to download!\\n" "${INFO}"