refactor(35-build-deploy-review): harden auto-update install path in internal/updates

2026-02-18 00:17:39 +01:00 · 2026-02-12 09:19:05 +00:00
parent f2f34933bb
commit 4f37ae4382
2 changed files with 62 additions and 8 deletions
--- a/install.sh
+++ b/install.sh
@@ -2670,6 +2670,8 @@ EOF

 download_auto_update_script() {
    local url="https://github.com/$GITHUB_REPO/releases/latest/download/pulse-auto-update.sh"
+    local checksums_url="https://github.com/$GITHUB_REPO/releases/latest/download/checksums.txt"
+    local legacy_checksum_url="${url}.sha256"
    local dest="/usr/local/bin/pulse-auto-update.sh"
    local attempts=0
    local max_attempts=3
@@ -2682,20 +2684,70 @@ download_auto_update_script() {

        if command -v timeout >/dev/null 2>&1; then
            if timeout $((max_time + 10)) curl -fsSL --connect-timeout "$connect_timeout" --max-time "$max_time" -o "$dest" "$url"; then
-                chmod +x "$dest"
-                return 0
+                :
            else
                curl_status=$?
            fi
        else
            if curl -fsSL --connect-timeout "$connect_timeout" --max-time "$max_time" -o "$dest" "$url"; then
-                chmod +x "$dest"
-                return 0
+                :
            else
                curl_status=$?
            fi
        fi

+        if [[ $curl_status -eq 0 ]]; then
+            if ! command -v sha256sum >/dev/null 2>&1; then
+                print_warn "sha256sum is unavailable; cannot verify auto-update script integrity"
+                rm -f "$dest"
+                return 1
+            fi
+
+            local checksum_file expected_checksum actual_checksum
+            checksum_file=$(mktemp /tmp/pulse-auto-update-checksum.XXXXXX)
+            expected_checksum=""
+
+            if command -v timeout >/dev/null 2>&1; then
+                timeout $((max_time + 10)) curl -fsSL --connect-timeout "$connect_timeout" --max-time "$max_time" -o "$checksum_file" "$checksums_url" || true
+            else
+                curl -fsSL --connect-timeout "$connect_timeout" --max-time "$max_time" -o "$checksum_file" "$checksums_url" || true
+            fi
+
+            if [[ -s "$checksum_file" ]]; then
+                expected_checksum=$(grep -w "pulse-auto-update.sh" "$checksum_file" 2>/dev/null | awk '{print $1}' | head -1)
+            fi
+
+            if [[ -z "$expected_checksum" ]]; then
+                if command -v timeout >/dev/null 2>&1; then
+                    timeout $((max_time + 10)) curl -fsSL --connect-timeout "$connect_timeout" --max-time "$max_time" -o "$checksum_file" "$legacy_checksum_url" || true
+                else
+                    curl -fsSL --connect-timeout "$connect_timeout" --max-time "$max_time" -o "$checksum_file" "$legacy_checksum_url" || true
+                fi
+
+                if [[ -s "$checksum_file" ]]; then
+                    expected_checksum=$(awk '{print $1}' "$checksum_file" | head -1)
+                fi
+            fi
+
+            rm -f "$checksum_file"
+
+            if [[ -z "$expected_checksum" ]]; then
+                print_warn "Failed to download checksum for pulse-auto-update.sh"
+                rm -f "$dest"
+                curl_status=1
+            else
+                actual_checksum=$(sha256sum "$dest" | awk '{print $1}')
+                if [[ "$actual_checksum" != "$expected_checksum" ]]; then
+                    print_warn "pulse-auto-update.sh checksum verification failed"
+                    rm -f "$dest"
+                    curl_status=1
+                else
+                    chmod +x "$dest"
+                    return 0
+                fi
+            fi
+        fi
+
        print_warn "Auto-update download attempt $attempts/$max_attempts failed (curl exit code $curl_status)"
        if (( attempts < max_attempts )); then
            local wait_time=$((attempts * 3))
@@ -2736,6 +2788,8 @@ Wants=network-online.target
 Type=oneshot
 User=root
 Group=root
+# Skip auto-update run unless a supported Pulse service is active
+ExecCondition=/bin/sh -c 'systemctl is-active --quiet pulse || systemctl is-active --quiet pulse-backend'
 ExecStart=/usr/local/bin/pulse-auto-update.sh
 Restart=no
 TimeoutStartSec=600
--- a/scripts/systemd/pulse-update.service
+++ b/scripts/systemd/pulse-update.service
@@ -3,16 +3,16 @@ Description=Automatic Pulse update check and install
 Documentation=https://github.com/rcourtman/Pulse
 After=network-online.target
 Wants=network-online.target
-# Don't run if pulse service is not running
-Requisite=pulse.service

 [Service]
 Type=oneshot
 # Run as root to allow service restart
 User=root
 Group=root
+# Skip auto-update run unless a supported Pulse service is active
+ExecCondition=/bin/sh -c 'systemctl is-active --quiet pulse || systemctl is-active --quiet pulse-backend'
 # Use the update script
-ExecStart=/opt/pulse/scripts/pulse-auto-update.sh
+ExecStart=/usr/local/bin/pulse-auto-update.sh
 # Restart policy for the update service itself
 Restart=no
 # Timeout for the update process (10 minutes should be plenty)
@@ -32,4 +32,4 @@ PrivateNetwork=no
 Nice=10

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target