Commit dec117d0 authored by Joshua Tauberer's avatar Joshua Tauberer

securely update to a newer version by verifying the signed git tag prior to checkout

parent cbb7f29f
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQENBFN+hN4BCADARMfTK/kDWNz5tFVXXrLfY0QSF9CBO4+vor3MVUmq5ygMcyq4
NX1FVDKoruzCo5hI/91o1QZuer5oZ716TACg46XivdgL66Y7rMZL5rVDmUKuDWit
tpVrL0Gaw6xsu7/ZloFDyHI5yUvB1cdGe4HYZY1Xn/2CE0YJaXxO2JjkTNWSiutx
LA0RV08nPeaiAt1KcCa2tO7RkG51uC0O3O67xr6xz6/q95Q2DBJpLYpoh+6yIoEY
L736peHQKZfcFfCOPQKpxKW+SEsUTvJ8qzQipGYpugiGGhDHzXBYKJk1V77BbWAP
3x4Ubj4UWFB54yhgPrBgvQajvoB08mzZEnopABEBAAG0IEpvc2h1YSBUYXViZXJl
ciA8anRAb2NjYW1zLmluZm8+iQE5BBMBAgAjBQJTfoTeAhsDBwsJCAcDAgEGFQgC
CQoLBBYCAwECHgECF4AACgkQuSBB9MEL3YFFOQgAkDfptbzC9Lq4zstIfUPl4by/
NeoCpsYahaNwWLYiDpQEUZIOsJO1Qi2IFll4tXAyDTGAXYZCbf4+v1lzVyN49h5j
70BuajISI6dcAb1IEZzIXx0vV1rMuu0iNYdwhFNi8KrP5iR3BHwZZ5Lql1UdkJNT
xVrz4cmr5jPGdFRizD9MXrI4bvt+pSOeykJasuTeH7a3uHBMPyydAivtbNRbo+Zn
IgV25FUADSFt6xD9AKfq6wLxN+P8P6PE/jZWDv9W4KtR5TqAhCq7D7Yvk8aJXubN
P2xfjFl6TXa5bcuHuldkmx5lacpag2HSmivIT261W3pIVC3lrkxB8T6rdux8ErkB
DQRTfoTeAQgAn5ijmVJtxPGvbdcaCsYD3+fCnAKNEdAJtJcy/e/lowKeEiIJZ9qV
ATFIFmIG9VZunZ7nD5F/4KMj6ht0JTXuY458VjK9jO1bPU2YM7Xo7zjJi8bFI0B/
2ya95M7polLUF/lhKHKUuxxANAW4guLahe5JotUnoRycxQkKWBhTF5VdayucSAZG
XlmSBUjIGjHbmTI50dAMQZffNOIvDIkpeCEQjPVRObCvr18xKDHhBaEJhd+wfA2T
6N4fMlwBgfeR1zdFrGt2SshVc28YvaoccWmP1xn6w/30J25swadeuDYZFckXjVv7
HPLtvyzuNdf7pI0A9rnlGF5rNt6yKSqeiQARAQABiQEfBBgBAgAJBQJTfoTeAhsM
AAoJELkgQfTBC92B0rAH/0hSoHcB5WIn4GLTz0D0wWQ6Y2wKDixOBGvH+S9aroSc
0bKud7VphpFm/4CKWOZ0sphsnmRZ2Dsk/3996pXjLL5T1HWgAkltYmTdWEg9BiEj
PlbcImF95tILJ7GC0QrXipUx+ktLayiT5LjcbZiYCGaWVdJM2hVdOLdHhh84dqNX
xautvI8RDFI1lN0RdyFA5CQAvIWOSTLC1QdLAgkCf7+uQGwUo2ubgapPWptRJYk8
rZuw6+Vi3NETYO0ExDxTFmVKRlMidsE0azMeY6JYpKb9jewKngfxa6oUSaygrhxQ
9gESPA2XZUvx/3PWBAMskBZxjOH/Lhabls0AUxaOYf0=
=SHsx
-----END PGP PUBLIC KEY BLOCK-----
#!/bin/bash
#########################################################
# This script is intended to be run like this:
################################################################
#
# This script is posted on HTTPS to make first-time installation
# super simple. Download and pipe to bash, e.g.:
#
# curl https://.../bootstrap.sh | sudo bash
#
#########################################################
################################################################
# What is the current version?
if [ -z "$TAG" ]; then
TAG=v0.08
fi
......@@ -35,17 +38,6 @@ fi
# Change directory to it.
cd $HOME/mailinabox
# Update it.
if [ "$TAG" != `git describe` ]; then
echo Updating Mail-in-a-Box to $TAG . . .
git fetch --depth 1 --force --prune origin tag $TAG
if ! git checkout -q $TAG; then
echo "Update failed. Did you modify something in `pwd`?"
exit
fi
echo
fi
# Start setup script.
setup/start.sh
# Run the upgrade script, which in turn runs the setup script.
setup/upgrade.sh $TAG
......@@ -20,13 +20,14 @@ apt_get_quiet upgrade
# * cron: Runs background processes periodically.
# * ntp: keeps the system time correct
# * fail2ban: scans log files for repeated failed login attempts and blocks the remote IP at the firewall
# * gpg: used by upgrade.sh to verify the Mail-in-a-Box tag signature, also by duplicity to make backups
# * git: we install some things directly from github
# * sudo: allows privileged users to execute commands as root without being root
# * coreutils: includes `nproc` tool to report number of processors
# * bc: allows us to do math to compute sane defaults
apt_install python3 python3-dev python3-pip \
wget curl git sudo coreutils bc \
wget curl gpg git sudo coreutils bc \
haveged unattended-upgrades cron ntp fail2ban
# Allow apt to install system updates automatically every day.
......
#!/bin/bash
# Updates an existing Mail-in-a-Box installation to a newer tag.
################################################################
# Are we running as root?
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root. Did you leave out sudo?"
exit
fi
# Was a tag specified on the command line?
TAG=$1
if [ -z "$TAG" ]; then
echo "Usage: setup/upgrade.sh TAGNAME"
exit 1
fi
# Is Mail-in-a-Box already installed?
if [ ! -d $HOME/mailinabox ]; then
echo Could not find your Mail-in-a-Box installation at $HOME/mailinabox.
exit 1
fi
# Change directory to it.
cd $HOME/mailinabox
# Are we on that tag?
if [ "$TAG" == `git describe` ]; then
echo "You already have Mail-in-a-Box $TAG. Run"
echo " sudo setup/start.sh"
echo "if there are any problems."
exit 1
fi
# Fetch that tag.
# bootstrap.sh script makes a shallow clone of our repository,
# which makes the download faster, but it also makes it harder
# to switch to a different tag. This magic combination of options
# to git seems to do the trick.
echo Updating Mail-in-a-Box to $TAG . . .
git fetch --depth 1 --force --prune origin tag $TAG
# Check that the tag exists and we're moving to a later version, not backwards.
CUR_VER_TIMESTAMP=$(git show -s --format="%ct") # commit time of HEAD
NEW_VER_TIMESTAMP=$(git show -s --format="%ct" $TAG^{tag}^{commit}) # commit time of the commit that the tag tags
if [ -z "$NEW_VER_TIMESTAMP" ]; then echo "$TAG is not a version of Mail-in-a-Box."; exit 1; fi
if [ $CUR_VER_TIMESTAMP -gt $NEW_VER_TIMESTAMP ]; then
echo -n "$TAG is older than the version you currently have installed: "
git describe
exit 1
fi
# Set up a temporary GPG keyring specifically for holding the
# Mail-in-a-Box maintainer's signing key. Load the keys found
# in the Mail-in-a-Box installation path. These keys are trusted
# in so far as the user has already gotten them. On first installs,
# we just bootstrap by assuming whatever is in github is good.
KEYRING=/tmp/miab-upgrade-keyring
rm -rf $KEYRING
mkdir -p $KEYRING
for key in `find keys/ -type f`; do
GNUPGHOME=$KEYRING gpg --import $key
done
# Prior to checking out the tag, verify that it was signed by a
# known key. gpg will return a success exit code if the tag is
# signed by any key known to gpg, whether trusted or not, which
# is why we establish a separate keyring for this purpose.
if ! GNUPGHOME=$KEYRING git verify-tag $TAG 2>&1 > /dev/null; then
echo "$TAG was not signed by the Mail-in-a-Box authors. This could"
echo "indicate the github repository has been compromised. Check"
echo "https://twitter.com/mailinabox and https://mailinabox.email/"
echo "for further instructions, although keep in mind that those"
echo "resources could be compromised as well."
exit 1
fi
# Clean up.
rm -rf $KEYRING
# Checkout the tag.
if ! git checkout -q $TAG; then
echo "Update failed. Did you modify something in `pwd`?"
exit
fi
# Start setup script.
setup/start.sh
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment