Before this patch, the key-migration.sh script only migrated the keys the first time it ran. To do that, in that first run, it also creates the /data/system/.key-migration-done file, and in subsequent runs it skips the key migration if that file is present.
It probably did that to not redo the same operations again and again, and this way limit the data loss risk by not doing any filesystem writes if the migration has already been done. However if we have more than one maintainer or keyset changes over time, users will need to run this script the first time, and at the second change later on, the new script will not run. In addition users also need to be able to create such script themselves and run them whenever they need to in order to migrate to self builds, or downgrade. Instead of using an arbitrary revision to do that, this patches does it by computing a hash of the script that is then used in the filename created at the script first run. This enables users to more automatically migrate to new key sets without needing to have to manage a revision by themselves. The downside is that the exact same script will not run twice. So an upgrade-downgrade-upgrade will not work. The computed hash is compatible with the git objects hash. This enables with just the file name and the git holding Replicant's key-migration.sh scripts to understand if the script that created this file was from the Replicant git repository or not, and if it was, to get the script and even find the commits that have the exact same script. Thanks to the help in #git on Freenode for helping me debug mismatches between git object-hash and the hash I got. The mismatch was due to newlines being inserted by the shell (and not the commands). Signed-off-by: Denis 'GNUtoo' Carikli <[email protected]> --- .../templates/key-migration.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/images/gen_key_migration_script/templates/key-migration.sh b/images/gen_key_migration_script/templates/key-migration.sh index 879022a..c5194a2 100644 --- a/images/gen_key_migration_script/templates/key-migration.sh +++ b/images/gen_key_migration_script/templates/key-migration.sh @@ -14,9 +14,19 @@ # See the License for the specific language governing permissions and # limitations under the License. +get_git_blob_hash() +{ + path="$1" + + # We need to do a sha1sum of 'blob <size>\0<file content>' without + # introducing new newlines. + { printf 'blob %s\0' $(wc -c < ${path}); cat ${path}; } | \ + sha1sum | awk '{print $1}' +} + PACKAGES=/data/system/packages.xml PACKAGES_BACKUP=/data/system/packages-backup.xml -MIGRATION_DONE=/data/system/.key-migration-done +MIGRATION_DONE="/data/system/.key-migration-$(get_git_blob_hash $(realpath ${0}))-done" if [ -f ${MIGRATION_DONE} ]; then exit 0 -- 2.28.0 _______________________________________________ Replicant mailing list [email protected] https://lists.osuosl.org/mailman/listinfo/replicant
