Add repo URL verification via curl checksum in install.sh

Before partitioning, check_repo_url() downloads system_setup/install.sh from REPO_URL and compares its sha256sum against the running script. Warns and asks to continue if the URL is unreachable or the checksums differ. Also accept an optional first argument to override REPO_URL. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-29 16:17:33 +02:00
parent 05a47a140d
commit f69b423b30
1 changed files with 40 additions and 1 deletions
@@ -14,7 +14,7 @@ SHRINK_MIB=4096
 OEMDRV_LABEL="OEMDRV"
 MOUNT_POINT="/opt/sys_config"
 MOUNT_OPTS="compress=zstd:6"
-REPO_URL="https://gitea.dtext.online/obel1x/fedora-OEMDRV.git"
+REPO_URL="${1:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}"
 MIN_FREE_MIB=$(( SHRINK_MIB + 512 ))   # require 512 MiB headroom above the shrink size

 # ── Helpers ───────────────────────────────────────────────────────────────────
@@ -35,6 +35,28 @@ check_tools() {
    [[ ${#missing[@]} -eq 0 ]] || die "Missing required tools: ${missing[*]}"
 }

+# Returns 0 if the remote install.sh matches this script's checksum,
+# 1 if the URL is unreachable or the file cannot be downloaded,
+# 2 if the checksum does not match.
+check_repo_url() {
+    local tmpdir sum_remote sum_local
+
+    tmpdir=$(mktemp -d /tmp/oemdrv_repocheck.XXXXXX)
+
+    if ! curl -fsSL "${REPO_URL%.git}/raw/branch/main/system_setup/install.sh" \
+              -o "$tmpdir/install.sh" 2>/dev/null; then
+        rm -rf "$tmpdir"
+        return 1
+    fi
+
+    sum_remote=$(sha256sum "$tmpdir/install.sh" | awk '{print $1}')
+    sum_local=$(sha256sum "$0"                  | awk '{print $1}')
+    rm -rf "$tmpdir"
+
+    [[ "$sum_remote" == "$sum_local" ]] || return 2
+    return 0
+}
+
 # ── Free-space helpers ────────────────────────────────────────────────────────

 # Free MiB for a mounted device via df
@@ -241,6 +263,23 @@ new_part_device() {
 require_root
 check_tools

+info "Verifying repository URL..."
+check_repo_url
+case $? in
+    1) echo
+       echo "WARNING: '$REPO_URL' is not a reachable git repository."
+       read -r -p "  Continue anyway? [y/N]: " ans
+       [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; }
+       ;;
+    2) echo
+       echo "WARNING: The checksum of this script does not match 'system_setup/install.sh'"
+       echo "         at '$REPO_URL'."
+       echo "         You may be running an outdated or modified version of install.sh."
+       read -r -p "  Continue anyway? [y/N]: " ans
+       [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; }
+       ;;
+esac
+
 info "Scanning for shrinkable partitions and unpartitioned free space..."
 collect_partitions
 collect_free_space