From 6b9cd1f6c17e2a8044fb3070cb453861a8ebca76 Mon Sep 17 00:00:00 2001 From: ZF sun <34314687@qq.com> Date: Mon, 17 Nov 2025 10:49:49 +0800 Subject: [PATCH] =?UTF-8?q?chore:=20=E9=99=A4=E4=BA=86=E5=BC=80=E5=90=AF?= =?UTF-8?q?=E7=AD=BE=E5=90=8D=E5=A4=96=EF=BC=8C=E9=AA=8C=E8=AF=81=E8=84=9A?= =?UTF-8?q?=E6=9C=AC=E4=B9=9F=E9=80=9A=E8=BF=87?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- scripts/patch_tools/install_patch_system.sh | 43 +++++++++++++++++++++ scripts/patch_tools/patch_verifier.sh | 25 ++++++------ 2 files changed, 57 insertions(+), 11 deletions(-) diff --git a/scripts/patch_tools/install_patch_system.sh b/scripts/patch_tools/install_patch_system.sh index 2098333dd..bd9e93b85 100644 --- a/scripts/patch_tools/install_patch_system.sh +++ b/scripts/patch_tools/install_patch_system.sh @@ -5,6 +5,7 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" INSTALL_DIR="/opt/patch-management" +CONFIG_FILE="${SCRIPT_DIR}/patch_config.sh" log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"; } info() { log "INFO: $1"; } @@ -62,6 +63,17 @@ get_cmd_prefix() { fi } +# 配置加载 +load_config() { + if [[ ! -f "$CONFIG_FILE" ]]; then + error "配置文件不存在: $CONFIG_FILE" + exit 1 + fi + + source "$CONFIG_FILE" + info "配置文件加载完成" +} + install_dependencies() { info "安装系统依赖..." @@ -185,6 +197,30 @@ setup_cron() { fi } +generate_gpg_key() { + local name="${1:-John Doe}" + local email="${2:-johndoe@example.com}" + local key_type="${3:-RSA}" + local key_length="${4:-4096}" + + cat > /tmp/gpg_batch << EOF +Key-Type: $key_type +Key-Length: $key_length +Subkey-Type: $key_type +Subkey-Length: $key_length +Name-Real: $name +Name-Email: $email +Expire-Date: 0 +%commit +EOF + + gpg --batch --generate-key /tmp/gpg_batch + rm -f /tmp/gpg_batch + + echo "✅ 密钥生成完成" + gpg --list-secret-keys --keyid-format LONG "$email" +} + generate_keys() { info "生成签名密钥..." 
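Review bot: `load_config` hands `$CONFIG_FILE` to `source` after checking only that it exists, so whatever shell the file contains runs with the installer's privileges (the rest of the file goes through `$sudo_prefix`, so this is presumably root). Before the `source` line the function should refuse a config that is not owned by the invoking user (`[[ -O "$CONFIG_FILE" ]]`) or that is group/world-writable (a match from `find "$CONFIG_FILE" -perm /022 -print`), and exit through the existing `error` path. The function also deserves a header comment listing the variables the config must define, since later hunks read `PATCH_AUTHOR` and `PATCH_EMAIL` here and `SIGNING_ENABLED` in patch_verifier.sh, and nothing else documents that contract.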
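Review bot: `generate_gpg_key` writes its batch parameters to the fixed path `/tmp/gpg_batch`, so on a shared host a pre-planted symlink or a swapped file between the `cat >` and the `gpg --batch --generate-key` lets another local user redirect the write or alter the key parameters, and under `set -e` the `rm -f` never runs when gpg fails. Use `mktemp` and clean up on both paths (rewritten lines below). `Expire-Date: 0` creates a non-expiring key, which deserves a comment stating that this is intended; and in batch mode GnuPG 2.x appears to require either a `Passphrase:` line or `%no-protection` to avoid going through pinentry, which may block a headless install — confirm against the target GnuPG version.
```shell
  local batch_file
  batch_file=$(mktemp) || return 1
  # … unchanged: heredoc Key-Type … %commit, redirected to "$batch_file" instead of /tmp/gpg_batch …
  gpg --batch --generate-key "$batch_file" || { rm -f -- "$batch_file"; return 1; }
  rm -f -- "$batch_file"
  # … unchanged: completion message and gpg --list-secret-keys …
```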
@@ -194,6 +230,9 @@ generate_keys() { if [[ ! -f "$key_dir/private.pem" ]]; then $sudo_prefix mkdir -p "$key_dir" + + # 生成GPG密钥对 + generate_gpg_key "$PATCH_AUTHOR" "$PATCH_EMAIL" "RSA" "4096" # 生成RSA密钥对 openssl genrsa -out "$key_dir/private.pem" 4096 @@ -211,6 +250,10 @@ generate_keys() { main() { info "开始安装企业级补丁管理系统" echo "========================================" + echo "📋 安装配置文件: $INSTALL_DIR/patch_config.sh" + + # 加载配置 + load_config # 检查运行环境 if is_docker_environment; then diff --git a/scripts/patch_tools/patch_verifier.sh b/scripts/patch_tools/patch_verifier.sh index 36e4d27a3..ffc05ee34 100644 --- a/scripts/patch_tools/patch_verifier.sh +++ b/scripts/patch_tools/patch_verifier.sh @@ -165,21 +165,23 @@ verify_security() { fi # 签名验证 - if [[ -f "${package_path}.sig" ]]; then - if command -v gpg >/dev/null 2>&1; then - if gpg --verify "${package_path}.sig" "$package_path" >/dev/null 2>&1; then - info "✅ 签名验证通过" + if [[ "$SIGNING_ENABLED" == "true" ]] ;then + if [[ -f "${package_path}.sig" ]]; then + if command -v gpg >/dev/null 2>&1; then + if gpg --verify "${package_path}.sig" "$package_path" >/dev/null 2>&1; then + info "✅ 签名验证通过" + else + error "❌ 签名验证失败" + result=false + fi else - error "❌ 签名验证失败" - result=false + warn "⚠️ GPG未安装,跳过签名验证" fi else - warn "⚠️ GPG未安装,跳过签名验证" - fi - else - warn "⚠️ 未找到签名文件" + warn "⚠️ 未找到签名文件" + fi fi - + $result } @@ -192,6 +194,7 @@ verify_content() { # 解压补丁包 local extract_dir="$TEMP_DIR/extract" + mkdir -p "$extract_dir" if ! tar -xzf "$package_path" -C "$extract_dir"; then error "❌ 补丁包解压失败" return false
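Review bot: `generate_gpg_key "$PATCH_AUTHOR" "$PATCH_EMAIL"` is always given both arguments, so the defaults inside the function are dead, and with `set -u` on line 5 of this file an undefined `PATCH_AUTHOR` aborts with a bare bash error instead of a message; asserting them where the config is loaded, e.g. `: "${PATCH_AUTHOR:?PATCH_AUTHOR must be set in patch_config.sh}"`, gives a clear failure. The call sits under the `private.pem` guard, so a run where the PEM is missing but a GPG secret key for that address already exists generates a second key for the same uid — guarding on `gpg --list-secret-keys "$PATCH_EMAIL"` succeeding would avoid the duplicate. `mkdir` runs through `$sudo_prefix` while `gpg` does not, so the key lands in the invoking user's keyring; if the verifier is expected to run as that user, a comment saying so would help. `generate_keys` continues outside the hunk.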
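Review bot: The banner prints `$INSTALL_DIR/patch_config.sh`, but `CONFIG_FILE` is defined as `${SCRIPT_DIR}/patch_config.sh` and that is what `load_config` reads, so the message names a path the script does not load from. Unless a later step copies the config into `$INSTALL_DIR`, the line should be `echo "📋 安装配置文件: $CONFIG_FILE"` or the two definitions should agree. `main` continues outside the hunk.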
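Review bot: With `SIGNING_ENABLED` set to `true`, a missing `.sig` file or a missing gpg binary still only calls `warn` and leaves `result` untouched, so a package whose signature was stripped passes `verify_security` — the check fails open exactly when signing is supposed to be enforced. Inside the enabled branch both fallbacks should set `result=false` (keeping the warn text), since skipping is the right outcome only in the disabled branch. The comparison should also read `"${SIGNING_ENABLED:-false}"`: if the variable is not defined the script either aborts under `set -u` or silently skips the whole block, and the disabled branch should log that signature checking was skipped. `verify_security` begins outside the hunk.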
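Review bot: `mkdir -p "$extract_dir"` succeeds silently when `$TEMP_DIR/extract` already holds files from an earlier extraction, so `tar` unpacks on top of them and stale files from a previous package remain for the content checks that follow; clearing it first with `rm -rf -- "${extract_dir:?}"` (the `:?` guards an empty value) makes each verification start from an empty directory — moot if `TEMP_DIR` is created per run with `mktemp -d`, which this hunk does not show. Separately, the context line `return false` is not a valid `return` argument in bash (it reports "numeric argument required" and returns 2); `return 1` is what the callers appear to expect. `verify_content` continues outside the hunk.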