From 2fd0de4743b134ad1a0be6bea119301d16b98ef5 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sun, 10 Mar 2024 08:43:37 +0100 Subject: [PATCH 1/2] Verify that we actually downloaded a valid checksum before comparing it to the local one. This covers situations where downloading the checksum from remote might have failed Signed-off-by: DL6ER --- automated install/basic-install.sh | 38 +++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh index 24abb7e7..eca7d8b0 100755 --- a/automated install/basic-install.sh +++ b/automated install/basic-install.sh @@ -2002,9 +2002,11 @@ FTLcheckUpdate() { local localSha1 if [[ ! "${ftlBranch}" == "master" ]]; then - # Check whether or not the binary for this FTL branch actually exists. If not, then there is no update! + # This is not the master branch local path path="${ftlBranch}/${binary}" + + # Check whether or not the binary for this FTL branch actually exists. If not, then there is no update! # shellcheck disable=SC1090 check_download_exists "$path" local ret=$? 
@@ -2023,12 +2025,20 @@ FTLcheckUpdate() { fi if [[ ${ftlLoc} ]]; then - # We already have a pihole-FTL binary downloaded. - # Alt branches don't have a tagged version against them, so just confirm the checksum of the local vs remote to decide whether we download or not + # We already have a pihole-FTL binary installed, check if it's the + # same as the remote one + # Alt branches don't have a tagged version against them, so just + # confirm the checksum of the local vs remote to decide whether we + # download or not remoteSha1=$(curl -sSL --fail "https://ftl.pi-hole.net/${ftlBranch}/${binary}.sha1" | cut -d ' ' -f 1) - localSha1=$(sha1sum "$(command -v pihole-FTL)" | cut -d ' ' -f 1) + localSha1=$(sha1sum "${ftlLoc}" | cut -d ' ' -f 1) - if [[ "${remoteSha1}" != "${localSha1}" ]]; then + # Check we downloaded a valid checksum (no 404 or other error like + # no DNS resolution) + if [[ ! "${remoteSha1}" =~ ^[a-f0-9]{40}$ ]]; then + printf " %b Remote checksum not available, trying to download binary from ftl.pi-hole.net.\\n" "${CROSS}" + return 0 + elif [[ "${remoteSha1}" != "${localSha1}" ]]; then printf " %b Checksums do not match, downloading from ftl.pi-hole.net.\\n" "${INFO}" return 0 else @@ -2039,7 +2049,10 @@ FTLcheckUpdate() { return 0 fi else + # This is the master branch if [[ ${ftlLoc} ]]; then + # We already have a pihole-FTL binary installed, check if it's the + # same as the remote one local FTLversion FTLversion=$(/usr/bin/pihole-FTL tag) local FTLlatesttag 
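Review bot: The comments added above the `remoteSha1`/`localSha1` comparison in the `if [[ ${ftlLoc} ]]` branch should state that this SHA-1 comparison is a freshness and corruption check only, since the `.sha1` file is fetched from the same origin that the messages say the binary is downloaded from. Anyone able to alter the binary on that path could presumably alter the checksum file too, so a match says nothing about authenticity. I would add `# NOTE: detects a stale or corrupted binary only; this is not an authenticity check` next to the regex test. The same applies to the master-branch comparison in the next hunk and to the merged check at the end of the function in the second patch. FTLcheckUpdate starts and ends outside this hunk.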
@@ -2053,15 +2066,24 @@ FTLcheckUpdate() { # Check if the installed version matches the latest version if [[ "${FTLversion}" != "${FTLlatesttag}" ]]; then + # If the installed version does not match the latest version, then download return 0 else + # If the installed version matches the latest version, then + # check the installed sha1sum of the binary vs the remote + # sha1sum. If they do not match, then download printf " %b Latest FTL Binary already installed (%s). Confirming Checksum...\\n" "${INFO}" "${FTLlatesttag}" remoteSha1=$(curl -sSL --fail "https://github.com/pi-hole/FTL/releases/download/${FTLversion%$'\r'}/${binary}.sha1" | cut -d ' ' -f 1) - localSha1=$(sha1sum "$(command -v pihole-FTL)" | cut -d ' ' -f 1) + localSha1=$(sha1sum "${ftlLoc}" | cut -d ' ' -f 1) - if [[ "${remoteSha1}" != "${localSha1}" ]]; then - printf " %b Corruption detected...\\n" "${INFO}" + # Check we downloaded a valid checksum (no 404 or other error like + # no DNS resolution) + if [[ ! "${remoteSha1}" =~ ^[a-f0-9]{40}$ ]]; then + printf " %b Remote checksum not available, trying to redownload binary...\\n" "${CROSS}" + return 0 + elif [[ "${remoteSha1}" != "${localSha1}" ]]; then + printf " %b Corruption detected, redownloading binary...\\n" "${CROSS}" return 0 else printf " %b Checksum correct. No need to download!\\n" "${INFO}" From 82a83c497dd772cf6f044ec50b4471af102bff37 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sun, 10 Mar 2024 21:18:13 +0100 Subject: [PATCH 2/2] Reduce code-duplication Signed-off-by: DL6ER --- automated install/basic-install.sh | 59 +++++++++++++----------------- 1 file changed, 26 insertions(+), 33 deletions(-) diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh index eca7d8b0..d057cb82 100755 --- a/automated install/basic-install.sh +++ b/automated install/basic-install.sh 
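Review bot: In the master-branch path the version is read from the hard-coded `/usr/bin/pihole-FTL tag` while the new `localSha1` line hashes `${ftlLoc}`, so the tag and the checksum may describe two different files if `ftlLoc` ever resolves to another path. How `ftlLoc` is set is not visible in this hunk, so this is a consistency concern rather than a confirmed bug. Using `FTLversion=$("${ftlLoc}" tag)` would make both checks look at the same binary. The enclosing function continues outside the hunk.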
@@ -2030,21 +2030,9 @@ FTLcheckUpdate() { # Alt branches don't have a tagged version against them, so just # confirm the checksum of the local vs remote to decide whether we # download or not - remoteSha1=$(curl -sSL --fail "https://ftl.pi-hole.net/${ftlBranch}/${binary}.sha1" | cut -d ' ' -f 1) - localSha1=$(sha1sum "${ftlLoc}" | cut -d ' ' -f 1) - - # Check we downloaded a valid checksum (no 404 or other error like - # no DNS resolution) - if [[ ! "${remoteSha1}" =~ ^[a-f0-9]{40}$ ]]; then - printf " %b Remote checksum not available, trying to download binary from ftl.pi-hole.net.\\n" "${CROSS}" - return 0 - elif [[ "${remoteSha1}" != "${localSha1}" ]]; then - printf " %b Checksums do not match, downloading from ftl.pi-hole.net.\\n" "${INFO}" - return 0 - else - printf " %b Checksum of installed binary matches remote. No need to download!\\n" "${INFO}" - return 1 - fi + printf " %b FTL binary already installed. Confirming Checksum...\\n" "${INFO}" + checkSumFile="https://ftl.pi-hole.net/${ftlBranch}/${binary}.sha1" + # Continue further down... else return 0 fi 
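Review bot: `checkSumFile` is assigned in this hunk without a `local` declaration, and neither hunk of this patch adds one, so unless it is declared elsewhere it becomes a global of the installer script, unlike `localSha1`, which the function declares `local`. The master-branch assignment in the next hunk has the same issue. Add `local checkSumFile` beside the other declarations at the top of FTLcheckUpdate, which lies outside this hunk.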
@@ -2066,34 +2054,39 @@ FTLcheckUpdate() { # Check if the installed version matches the latest version if [[ "${FTLversion}" != "${FTLlatesttag}" ]]; then - # If the installed version does not match the latest version, then download + # If the installed version does not match the latest version, + # then download return 0 else # If the installed version matches the latest version, then # check the installed sha1sum of the binary vs the remote # sha1sum. If they do not match, then download - printf " %b Latest FTL Binary already installed (%s). Confirming Checksum...\\n" "${INFO}" "${FTLlatesttag}" - - remoteSha1=$(curl -sSL --fail "https://github.com/pi-hole/FTL/releases/download/${FTLversion%$'\r'}/${binary}.sha1" | cut -d ' ' -f 1) - localSha1=$(sha1sum "${ftlLoc}" | cut -d ' ' -f 1) - - # Check we downloaded a valid checksum (no 404 or other error like - # no DNS resolution) - if [[ ! "${remoteSha1}" =~ ^[a-f0-9]{40}$ ]]; then - printf " %b Remote checksum not available, trying to redownload binary...\\n" "${CROSS}" - return 0 - elif [[ "${remoteSha1}" != "${localSha1}" ]]; then - printf " %b Corruption detected, redownloading binary...\\n" "${CROSS}" - return 0 - else - printf " %b Checksum correct. No need to download!\\n" "${INFO}" - return 1 - fi + printf " %b Latest FTL binary already installed (%s). Confirming Checksum...\\n" "${INFO}" "${FTLlatesttag}" + checkSumFile="https://github.com/pi-hole/FTL/releases/download/${FTLversion%$'\r'}/${binary}.sha1" + # Continue further down... fi else return 0 fi fi + + # If we reach this point, we need to check the checksum of the local vs + # remote to decide whether we download or not + remoteSha1=$(curl -sSL --fail "${checkSumFile}" | cut -d ' ' -f 1) + localSha1=$(sha1sum "${ftlLoc}" | cut -d ' ' -f 1) + + # Check we downloaded a valid checksum (no 404 or other error like + # no DNS resolution) + if [[ ! 
"${remoteSha1}" =~ ^[a-f0-9]{40}$ ]]; then + printf " %b Remote checksum not available, trying to redownload binary...\\n" "${CROSS}" + return 0 + elif [[ "${remoteSha1}" != "${localSha1}" ]]; then + printf " %b Corruption detected, redownloading binary...\\n" "${CROSS}" + return 0 + fi + + printf " %b Checksum correct. No need to download!\\n" "${INFO}" + return 1 } # Detect suitable FTL binary platform
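Review bot: After the merge, an alternative-branch install whose checksum differs from the remote now prints `Corruption detected, redownloading binary...` with `${CROSS}`, where the removed branch-specific code printed `Checksums do not match, downloading from ftl.pi-hole.net.` with `${INFO}`. The comment kept in the previous hunk says alt branches have no tagged version and rely on the checksum to decide whether to download, so a mismatch there is the ordinary update signal. Reporting it as corruption misleads users and weakens the message for the case where the installed binary really is damaged. Consider neutral wording in the shared block, e.g. `printf "  %b Local and remote checksums differ, downloading binary...\\n" "${INFO}"`, or choosing the message by `${ftlBranch}`. The function body begins outside this hunk.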