diff --git a/lib/functions/bsp/armbian-bsp-cli-deb.sh b/lib/functions/bsp/armbian-bsp-cli-deb.sh
index 8d5d55ec8..4d14c5adc 100644
--- a/lib/functions/bsp/armbian-bsp-cli-deb.sh
+++ b/lib/functions/bsp/armbian-bsp-cli-deb.sh
@@ -398,6 +398,7 @@ function board_side_bsp_cli_postrm() {
 # not run here
 if [[ remove == "$1" ]] || [[ abort-install == "$1" ]]; then
 systemctl disable armbian-hardware-monitor.service armbian-hardware-optimize.service > /dev/null 2>&1
 systemctl disable armbian-zram-config.service armbian-ramlog.service > /dev/null 2>&1
+ systemctl disable armbian-live-patch.service > /dev/null 2>&1
 fi
 }
diff --git a/lib/functions/rootfs/distro-agnostic.sh b/lib/functions/rootfs/distro-agnostic.sh
index 43f1759ac..fa187ffa7 100644
--- a/lib/functions/rootfs/distro-agnostic.sh
+++ b/lib/functions/rootfs/distro-agnostic.sh
@@ -398,6 +398,7 @@ function install_distribution_agnostic() {
 [[ -f "${SDCARD}"/lib/systemd/system/armbian-resize-filesystem.service ]] && chroot_sdcard systemctl --no-reload enable armbian-resize-filesystem.service
 [[ -f "${SDCARD}"/lib/systemd/system/armbian-hardware-monitor.service ]] && chroot_sdcard systemctl --no-reload enable armbian-hardware-monitor.service
 [[ -f "${SDCARD}"/lib/systemd/system/armbian-led-state.service ]] && chroot_sdcard systemctl --no-reload enable armbian-led-state.service
+ [[ -f "${SDCARD}"/lib/systemd/system/armbian-live-patch.service ]] && chroot_sdcard systemctl --no-reload enable armbian-live-patch.service
 # copy "first run automated config, optional user configured"
 run_host_command_logged cp -v "${SRC}"/packages/bsp/armbian_first_run.txt.template "${SDCARD}"/boot/armbian_first_run.txt.template
diff --git a/packages/bsp/common/etc/apt/apt.conf.d/02-armbian-preupdate b/packages/bsp/common/etc/apt/apt.conf.d/02-armbian-preupdate
new file mode 100644
index 000000000..4cea8b8c1
--- /dev/null
+++ b/packages/bsp/common/etc/apt/apt.conf.d/02-armbian-preupdate
@@ -0,0 +1 @@ +DPkg::Pre-Install-Pkgs {"/usr/lib/armbian/armbian-live-patch apt";}; diff --git a/packages/bsp/common/lib/systemd/system/armbian-live-patch.service b/packages/bsp/common/lib/systemd/system/armbian-live-patch.service new file mode 100644 index 000000000..6d27fdc2a --- /dev/null +++ b/packages/bsp/common/lib/systemd/system/armbian-live-patch.service @@ -0,0 +1,24 @@ +# Armbian simple patch system service +# Sometimes we need to fix minor issues like changing the key or fixing other small problem on live OS. +# This downloads patch script from CDN, verify its signature and executes it at various stages +# +# Currently execute by: booting the system up, at apt upgrade stage, right before installing packages +# +# GH Action script for automatic signing and upload: +# https://github.com/armbian/os/tree/main/live-patch + +[Unit] +Description=Armbian simple patch +Wants=time-sync.target +Before=time-sync.target +After=network.target + +[Service] +Type=forking +ExecStart=/usr/lib/armbian/armbian-live-patch startup +ExecStop=/usr/lib/armbian/armbian-live-patch stop +RemainAfterExit=no +TimeoutStartSec=2m + +[Install] +WantedBy=multi-user.target diff --git a/packages/bsp/common/usr/lib/armbian/armbian-live-patch b/packages/bsp/common/usr/lib/armbian/armbian-live-patch new file mode 100755 index 000000000..d4a3bf217 --- /dev/null +++ b/packages/bsp/common/usr/lib/armbian/armbian-live-patch 
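Review bot: The new apt.conf.d snippet carries no comment saying what the hook does or why the script it calls must always exit 0, and that second point matters because a non-zero exit from a `DPkg::Pre-Install-Pkgs` hook aborts the whole apt transaction. The hook also runs as root with network access before dpkg touches any package on every apt install or upgrade of every system that ships the BSP, so the next maintainer should see that stated where the hook is registered. A header such as `// Armbian live-patch: fetch, verify and run the signed pre-apt-upgrade patch before dpkg installs packages; the script always exits 0 so apt is never blocked when offline or when no patch is published.` would cover both.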
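Review bot: `Type=forking` does not match what `armbian-live-patch startup` does: the script runs to completion and exits without forking, so systemd only considers the unit started once the process is already gone, and with `RemainAfterExit=no` the unit then drops to inactive and runs `ExecStop=`, whose `stop` branch merely exits 0; `Type=oneshot` is the fitting type and `ExecStop=` can be dropped. `After=network.target` is also too weak for a unit whose first action is `wget`, because network.target does not imply connectivity, so the startup patch will frequently fail to download on boot; use `Wants=network-online.target` and `After=network-online.target`. Ordering the unit `Before=time-sync.target` further means the signature is checked against a possibly unsynchronised clock, which influences how gpg judges key and signature expiry, so consider running after time-sync.target instead; if the current ordering is intentional, the reason belongs in the header comment.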
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+
+SERVER_PATH="https://dl.armbian.com/_patch"
+
+# exit if dependencies are not met
+if ! command -v "wget" &> /dev/null; then
+ echo "Warning: patch system is not working as dependencies are not met (wget)"| logger -t "armbian-live-patch"
+ exit 0
+fi
+
+if ! command -v gpg &> /dev/null; then
+ echo "Warning: patch system is not working as dependencies are not met (gpg)"| logger -t "armbian-live-patch"
+ exit 0
+fi
+
+case $1 in
+ apt)
+ PATCH="${SERVER_PATH}/01-pre-apt-upgrade.sh"
+ PATCH_SIG="${SERVER_PATH}/01-pre-apt-upgrade.sh.asc"
+ ;;
+ startup)
+ PATCH="${SERVER_PATH}/02-startup.sh"
+ PATCH_SIG="${SERVER_PATH}/02-startup.sh.asc"
+ ;;
+ stop)
+ exit 0
+ ;;
+ *)
+ echo "Warning: patch was not selected (apt|startup)"| logger -t "armbian-live-patch"
+ exit 0
+ ;;
+esac
+
+echo "Armbian live patch $1"
+
+TMP_DIR=$(mktemp -d -t test-XXXX)
+timeout 10 wget -q --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 3 ${PATCH} -P ${TMP_DIR}
+timeout 10 wget -q --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 3 ${PATCH_SIG} -P ${TMP_DIR}
+
+# Check if installed key is ours
+gpg --keyring /usr/share/keyrings/armbian.gpg --list-keys | grep DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
+if [[ $? != 0 ]]; then
+ echo "Warning: signing key invalid or expired"| logger -t "armbian-live-patch"
+fi
+
+# Check if file is signed with Armbian key
+gpg --keyring /usr/share/keyrings/armbian.gpg --verify ${TMP_DIR}/${PATCH_SIG##*/} ${TMP_DIR}/${PATCH##*/} > ${TMP_DIR}/live-patch.log 2>/dev/null
+
+if [[ $? == 0 ]]; then
+ echo "Patch file is signed with Armbian GPG key"
+ echo "Running Armbian Live Patch"
+ bash ${TMP_DIR}/${PATCH##*/} | logger -t "armbian-live-patch"
+ rm -rf ${TMP_DIR}/${PATCH##*/}
+else
+ echo "Warning: we could not download patch files. Run manually: sudo bash $0 $1"| logger -t "armbian-live-patch"
+fi
+exit 0
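Review bot: The fingerprint check at `gpg --keyring /usr/share/keyrings/armbian.gpg --list-keys | grep DF00FAF1C577104B50BF1D0093D6889F9F0E78D5` does not gate anything: when the grep fails the script only logs a warning and continues to `gpg --verify`, and `--keyring` without `--no-default-keyring` also consults root's default keyring, so the exit status of `--verify` proves only that some key known to gpg signed the file, not that it was the Armbian key; since the verified file is then executed as root, the signer must be pinned by reading `--status-fd` output for a `GOODSIG` line (absent for expired or revoked keys) plus a `VALIDSIG` line carrying the expected fingerprint, and any other outcome must abort. Smaller points in the same hunk: `${TMP_DIR}`, `${PATCH}` and the derived paths are unquoted throughout, only the patch file is removed afterwards so the directory with the signature and log is left behind on every run (a `trap ... EXIT` fixes that), the outer `timeout 10` kills wget before its own `--timeout=15`, `--read-timeout=20` and `-t 3` settings can take effect, and the `else` branch reports a download failure even when both files arrived and the signature was rejected. The rewrite below covers the download and verification part; the dependency checks and the `case` on `$1` are unchanged.
```shell
# … unchanged: dependency checks, case on $1, "Armbian live patch $1" echo …

TMP_DIR=$(mktemp -d -t armbian-live-patch-XXXXXX) || exit 0
trap 'rm -rf -- "${TMP_DIR}"' EXIT
timeout 60 wget -q --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 3 "${PATCH}" "${PATCH_SIG}" -P "${TMP_DIR}"

# Pin the signer: consult only the Armbian keyring and require a GOODSIG (not emitted for
# expired/revoked keys) whose VALIDSIG line carries the expected fingerprint, instead of
# trusting gpg's exit status alone.
ARMBIAN_KEY_FPR="DF00FAF1C577104B50BF1D0093D6889F9F0E78D5"
GPG_STATUS=$(gpg --no-default-keyring --keyring /usr/share/keyrings/armbian.gpg --status-fd 1 \
  --verify "${TMP_DIR}/${PATCH_SIG##*/}" "${TMP_DIR}/${PATCH##*/}" 2>/dev/null)
if grep -q "^\[GNUPG:\] GOODSIG " <<<"${GPG_STATUS}" \
  && grep -q "^\[GNUPG:\] VALIDSIG .*${ARMBIAN_KEY_FPR}" <<<"${GPG_STATUS}"; then
  echo "Patch file is signed with Armbian GPG key"
  echo "Running Armbian Live Patch"
  bash "${TMP_DIR}/${PATCH##*/}" | logger -t "armbian-live-patch"
else
  echo "Warning: patch download or signature verification failed for ${PATCH##*/}"| logger -t "armbian-live-patch"
fi
exit 0
```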