From f69b423b308a98ee7534d17c9794f62876d40df8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= <unbrot@obel1x.de>
Date: Wed, 29 Apr 2026 16:17:33 +0200
Subject: [PATCH] Add repo URL verification via curl checksum in install.sh

Before partitioning, check_repo_url() downloads
system_setup/install.sh from REPO_URL and compares its sha256sum
against the running script. Warns and asks to continue if the URL
is unreachable or the checksums differ.

Also accept an optional first argument to override REPO_URL.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 system_setup/install.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/system_setup/install.sh b/system_setup/install.sh
index c81a501..cabb65a 100755
--- a/system_setup/install.sh
+++ b/system_setup/install.sh
@@ -14,7 +14,7 @@ SHRINK_MIB=4096
 OEMDRV_LABEL="OEMDRV"
 MOUNT_POINT="/opt/sys_config"
 MOUNT_OPTS="compress=zstd:6"
-REPO_URL="https://gitea.dtext.online/obel1x/fedora-OEMDRV.git"
+REPO_URL="${1:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}"
 MIN_FREE_MIB=$(( SHRINK_MIB + 512 ))   # require 512 MiB headroom above the shrink size
 
 # ── Helpers ───────────────────────────────────────────────────────────────────
@@ -35,6 +35,28 @@ check_tools() {
     [[ ${#missing[@]} -eq 0 ]] || die "Missing required tools: ${missing[*]}"
 }
 
+# Returns 0 if the remote install.sh matches this script's checksum,
+# 1 if the URL is unreachable or the file cannot be downloaded,
+# 2 if the checksum does not match.
+check_repo_url() {
+    local tmpdir sum_remote sum_local
+
+    tmpdir=$(mktemp -d /tmp/oemdrv_repocheck.XXXXXX)
+
+    if ! curl -fsSL "${REPO_URL%.git}/raw/branch/main/system_setup/install.sh" \
+              -o "$tmpdir/install.sh" 2>/dev/null; then
+        rm -rf "$tmpdir"
+        return 1
+    fi
+
+    sum_remote=$(sha256sum "$tmpdir/install.sh" | awk '{print $1}')
+    sum_local=$(sha256sum "$0"                  | awk '{print $1}')
+    rm -rf "$tmpdir"
+
+    [[ "$sum_remote" == "$sum_local" ]] || return 2
+    return 0
+}
+
 # ── Free-space helpers ────────────────────────────────────────────────────────
 
 # Free MiB for a mounted device via df
@@ -241,6 +263,23 @@ new_part_device() {
 require_root
 check_tools
 
+info "Verifying repository URL..."
+check_repo_url
+case $? in
+    1) echo
+       echo "WARNING: '$REPO_URL' is not a reachable git repository."
+       read -r -p "  Continue anyway? [y/N]: " ans
+       [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; }
+       ;;
+    2) echo
+       echo "WARNING: The checksum of this script does not match 'system_setup/install.sh'"
+       echo "         at '$REPO_URL'."
+       echo "         You may be running an outdated or modified version of install.sh."
+       read -r -p "  Continue anyway? [y/N]: " ans
+       [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; }
+       ;;
+esac
+
 info "Scanning for shrinkable partitions and unpartitioned free space..."
 collect_partitions
 collect_free_space