[Replicant] [vendor_replicant-scripts] [PATCH] key-migration.sh: enable it to run multiple times
Denis 'GNUtoo' Carikli
GNUtoo at cyberdimension.org
Sun Oct 11 18:07:47 UTC 2020
Before this patch, the key-migration.sh script only migrated the keys the
first time it ran. To do that, in that first run, it also creates the
/data/system/.key-migration-done file, and in subsequent runs it skips
the key migration if that file is present.
It probably did that to not redo the same operations again and again,
and this way limit the data loss risk by not doing any filesystem writes
if the migration has already been done.
However if we have more than one maintainer or keyset changes over time,
users will need to run this script the first time, and at the second
change later on, the new script will not run. In addition users also need
to be able to create such script themselves and run them whenever they
need to in order to migrate to self builds, or downgrade.
Instead of using an arbitrary revision to do that, this patches does it by
computing a hash of the script that is then used in the filename created
at the script first run.
This enables users to more automatically migrate to new key sets without
needing to have to manage a revision by themselves. The downside is that
the exact same script will not run twice. So an upgrade-downgrade-upgrade
will not work.
The computed hash is compatible with the git objects hash. This enables
with just the file name and the git holding Replicant's key-migration.sh
scripts to understand if the script that created this file was from the
Replicant git repository or not, and if it was, to get the script and
even find the commits that have the exact same script.
Thanks to the help in #git on Freenode for helping me debug mismatches
between git object-hash and the hash I got. The mismatch was due to
newlines being inserted by the shell (and not the commands).
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo at cyberdimension.org>
---
.../templates/key-migration.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/images/gen_key_migration_script/templates/key-migration.sh b/images/gen_key_migration_script/templates/key-migration.sh
index 879022a..c5194a2 100644
--- a/images/gen_key_migration_script/templates/key-migration.sh
+++ b/images/gen_key_migration_script/templates/key-migration.sh
@@ -14,9 +14,19 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+get_git_blob_hash()
+{
+ path="$1"
+
+ # We need to do a sha1sum of 'blob <size>\0<file content>' without
+ # introducing new newlines.
+ { printf 'blob %s\0' $(wc -c < ${path}); cat ${path}; } | \
+ sha1sum | awk '{print $1}'
+}
+
PACKAGES=/data/system/packages.xml
PACKAGES_BACKUP=/data/system/packages-backup.xml
-MIGRATION_DONE=/data/system/.key-migration-done
+MIGRATION_DONE="/data/system/.key-migration-$(get_git_blob_hash $(realpath ${0}))-done"
if [ -f ${MIGRATION_DONE} ]; then
exit 0
--
2.28.0
More information about the Replicant
mailing list