chore: 除了开启签名外,验证脚本也通过
This commit is contained in:
@@ -5,6 +5,7 @@ set -euo pipefail
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
INSTALL_DIR="/opt/patch-management"
|
||||
CONFIG_FILE="${SCRIPT_DIR}/patch_config.sh"
|
||||
|
||||
log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"; }
|
||||
info() { log "INFO: $1"; }
|
||||
@@ -62,6 +63,17 @@ get_cmd_prefix() {
|
||||
fi
|
||||
}
|
||||
|
||||
# 配置加载
|
||||
load_config() {
|
||||
if [[ ! -f "$CONFIG_FILE" ]]; then
|
||||
error "配置文件不存在: $CONFIG_FILE"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
source "$CONFIG_FILE"
|
||||
info "配置文件加载完成"
|
||||
}
|
||||
|
||||
install_dependencies() {
|
||||
info "安装系统依赖..."
|
||||
|
||||
@@ -185,6 +197,30 @@ setup_cron() {
|
||||
fi
|
||||
}
|
||||
|
||||
generate_gpg_key() {
|
||||
local name="${1:-John Doe}"
|
||||
local email="${2:-johndoe@example.com}"
|
||||
local key_type="${3:-RSA}"
|
||||
local key_length="${4:-4096}"
|
||||
|
||||
cat > /tmp/gpg_batch << EOF
|
||||
Key-Type: $key_type
|
||||
Key-Length: $key_length
|
||||
Subkey-Type: $key_type
|
||||
Subkey-Length: $key_length
|
||||
Name-Real: $name
|
||||
Name-Email: $email
|
||||
Expire-Date: 0
|
||||
%commit
|
||||
EOF
|
||||
|
||||
gpg --batch --generate-key /tmp/gpg_batch
|
||||
rm -f /tmp/gpg_batch
|
||||
|
||||
echo "✅ 密钥生成完成"
|
||||
gpg --list-secret-keys --keyid-format LONG "$email"
|
||||
}
|
||||
|
||||
generate_keys() {
|
||||
info "生成签名密钥..."
|
||||
|
||||
@@ -195,6 +231,9 @@ generate_keys() {
|
||||
if [[ ! -f "$key_dir/private.pem" ]]; then
|
||||
$sudo_prefix mkdir -p "$key_dir"
|
||||
|
||||
# 生成GPG密钥对
|
||||
generate_gpg_key "$PATCH_AUTHOR" "$PATCH_EMAIL" "RSA" "4096"
|
||||
|
||||
# 生成RSA密钥对
|
||||
openssl genrsa -out "$key_dir/private.pem" 4096
|
||||
openssl rsa -in "$key_dir/private.pem" -pubout -out "$key_dir/public.pem"
|
||||
@@ -211,6 +250,10 @@ generate_keys() {
|
||||
main() {
|
||||
info "开始安装企业级补丁管理系统"
|
||||
echo "========================================"
|
||||
echo "📋 安装配置文件: $INSTALL_DIR/patch_config.sh"
|
||||
|
||||
# 加载配置
|
||||
load_config
|
||||
|
||||
# 检查运行环境
|
||||
if is_docker_environment; then
|
||||
|
||||
@@ -165,19 +165,21 @@ verify_security() {
|
||||
fi
|
||||
|
||||
# 签名验证
|
||||
if [[ -f "${package_path}.sig" ]]; then
|
||||
if command -v gpg >/dev/null 2>&1; then
|
||||
if gpg --verify "${package_path}.sig" "$package_path" >/dev/null 2>&1; then
|
||||
info "✅ 签名验证通过"
|
||||
if [[ "$SIGNING_ENABLED" == "true" ]] ;then
|
||||
if [[ -f "${package_path}.sig" ]]; then
|
||||
if command -v gpg >/dev/null 2>&1; then
|
||||
if gpg --verify "${package_path}.sig" "$package_path" >/dev/null 2>&1; then
|
||||
info "✅ 签名验证通过"
|
||||
else
|
||||
error "❌ 签名验证失败"
|
||||
result=false
|
||||
fi
|
||||
else
|
||||
error "❌ 签名验证失败"
|
||||
result=false
|
||||
warn "⚠️ GPG未安装,跳过签名验证"
|
||||
fi
|
||||
else
|
||||
warn "⚠️ GPG未安装,跳过签名验证"
|
||||
warn "⚠️ 未找到签名文件"
|
||||
fi
|
||||
else
|
||||
warn "⚠️ 未找到签名文件"
|
||||
fi
|
||||
|
||||
$result
|
||||
@@ -192,6 +194,7 @@ verify_content() {
|
||||
|
||||
# 解压补丁包
|
||||
local extract_dir="$TEMP_DIR/extract"
|
||||
mkdir -p "$extract_dir"
|
||||
if ! tar -xzf "$package_path" -C "$extract_dir"; then
|
||||
error "❌ 补丁包解压失败"
|
||||
return false
|
||||
|
||||
Reference in New Issue
Block a user