mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-07-09 16:00:59 +00:00
Install signature verifier dependencies
This commit is contained in:
parent
85c46cfcd1
commit
d796928969
3 changed files with 32 additions and 4 deletions
|
|
@ -315,6 +315,13 @@ TLS floor in the dynamic config.
|
|||
`scripts/validate-release.sh` at build time and re-verified by
|
||||
`install-sh-smoke.yml` against the served asset.
|
||||
3. Add or change root server installer, shell installer, Docker bootstrap installer, Windows installer, container-agent installer, repo-root compose defaults, or auto-update script behavior through `install.sh`, `scripts/install.sh`, `scripts/install-docker.sh`, `scripts/install.ps1`, `scripts/install-container-agent.sh`, `docker-compose.yml`, and `scripts/pulse-auto-update.sh`
|
||||
The root `install.sh` server installer owns its fresh-host dependency
|
||||
bootstrap for supported Debian, Ubuntu, and Proxmox targets. It must install
|
||||
`curl`, `wget`, `ca-certificates`, and `openssh-client` before installing
|
||||
release archives, with `jq` as an optional reliability dependency; release
|
||||
signature verification depends on `ssh-keygen` from `openssh-client` and
|
||||
must not fail on a minimal supported host solely because that package was
|
||||
absent before installation started.
|
||||
The top-level `install.sh` asset published on GitHub Releases must be the
|
||||
root Pulse SERVER installer (the LXC / systemd / Proxmox VE installer that
|
||||
accepts `--version vX.Y.Z`, `--rc`, `--stable`, and friends). The rendered
|
||||
|
|
|
|||
10
install.sh
10
install.sh
|
|
@ -2720,10 +2720,12 @@ install_dependencies() {
|
|||
print_info "Installing dependencies..."
|
||||
|
||||
apt-get update -qq >/dev/null 2>&1
|
||||
# Install essential dependencies plus jq for reliable JSON handling
|
||||
apt-get install -y -qq curl wget jq >/dev/null 2>&1 || {
|
||||
# If jq fails to install, just install the essentials
|
||||
apt-get install -y -qq curl wget >/dev/null 2>&1
|
||||
# Install essential dependencies plus jq for reliable JSON handling.
|
||||
# openssh-client provides ssh-keygen, which signed release verification
|
||||
# requires before installing downloaded or local release archives.
|
||||
apt-get install -y -qq curl wget ca-certificates openssh-client jq >/dev/null 2>&1 || {
|
||||
# If jq fails to install, keep the installer-critical dependencies.
|
||||
apt-get install -y -qq curl wget ca-certificates openssh-client >/dev/null 2>&1
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -89,6 +89,25 @@ func TestRootInstallScriptArchiveSupportContract(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestRootInstallScriptInstallsSignatureVerificationDependencies(t *testing.T) {
|
||||
content, err := os.ReadFile(filepath.Join("..", "..", "install.sh"))
|
||||
if err != nil {
|
||||
t.Fatalf("read root install.sh: %v", err)
|
||||
}
|
||||
|
||||
script := string(content)
|
||||
required := []string{
|
||||
`apt-get install -y -qq curl wget ca-certificates openssh-client jq`,
|
||||
`apt-get install -y -qq curl wget ca-certificates openssh-client`,
|
||||
`ssh-keygen is required to verify signed Pulse release assets.`,
|
||||
}
|
||||
for _, needle := range required {
|
||||
if !strings.Contains(script, needle) {
|
||||
t.Fatalf("install.sh missing signature verification dependency contract: %s", needle)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestRootInstallScriptInfersPrivateProArchiveVersion(t *testing.T) {
|
||||
script := `
|
||||
set -euo pipefail
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue