Draft update script

2020-05-19 17:55:09 +02:00 · 2020-05-19 17:55:09 +02:00 · 06e6d7e4f3
commit 06e6d7e4f3
parent 7931d9d455
2 changed files with 47 additions and 0 deletions
--- a/update/Readme.md
+++ b/update/Readme.md
@ -0,0 +1,23 @@
+## Istruzioni
+### Intro
+Questo script consiste nell'ultimo step della challenge. Questo script viene eseguito con `sudo` dall'interfaccia nella pagina di aggiornamento firmware.
+
+Da inserire in  `/etc/sudoers`:
+
+```
+www-data ALL=(root) NOPASSWD: /bin/bash /root/update.sh
+```
+
+Per generare la chiave per firmware le immagini:
+```
+openssl genrsa -out key.pem 2048
+openssl rsa -in key.pem -outform PEM -pubout -out pub.pem
+
+```
+
+Per firmare un file:
+```
+openssl dgst -sha256 -sign private.pem -out update.tgz.sig update.tgz
+cat update.tgz.sig > update.tgz.cc
+cat update.tgz >> update.tgz.cc
+```
--- a/update/update.sh
+++ b/update/update.sh
@ -0,0 +1,24 @@
+#!/bin/bash
+
+pubkey="/pub.pem"
+echo "### ccOS Update Script ###"
+echo "[+] Starting"
+sleep 1
+echo "[+] Extracting Signature"
+skip=$(expr $(stat -c '%s' update.tgz.cc) - 256)
+dd if=/tmp/update.tgz.cc of=sig bs=1 count=256 skip=$skip > /dev/null 2>&1
+truncate -s $skip update.tgz.cc
+check=`openssl dgst -sha256 -verify $pubkey -signature /tmp/sig /tmp/update.tgz.cc`
+if [ "$check" == "Verified OK" ]
+then
+        echo "[+] Signature is valid!"
+        echo "[+] Upgrading..."
+        tar -xvzf /tmp/update.tgz.cc -C /
+        rm /tmp/update.tgz.cc /tmp/sig
+        echo "[+] Done"
+        exit 0
+else
+        echo "[-] Signature error, exiting..."
+        rm /tmp/update.tgz.cc /tmp/sig
+        exit 1
+fi