Install signature verifier dependencies

This commit is contained in:
rcourtman 2026-06-28 03:26:13 +01:00
parent 85c46cfcd1
commit d796928969
3 changed files with 32 additions and 4 deletions

View file

@ -315,6 +315,13 @@ TLS floor in the dynamic config.
`scripts/validate-release.sh` at build time and re-verified by
`install-sh-smoke.yml` against the served asset.
3. Add or change root server installer, shell installer, Docker bootstrap installer, Windows installer, container-agent installer, repo-root compose defaults, or auto-update script behavior through `install.sh`, `scripts/install.sh`, `scripts/install-docker.sh`, `scripts/install.ps1`, `scripts/install-container-agent.sh`, `docker-compose.yml`, and `scripts/pulse-auto-update.sh`
The root `install.sh` server installer owns its fresh-host dependency
bootstrap for supported Debian, Ubuntu, and Proxmox targets. It must install
`curl`, `wget`, `ca-certificates`, and `openssh-client` before installing
release archives, with `jq` as an optional reliability dependency; release
signature verification depends on `ssh-keygen` from `openssh-client` and
must not fail on a minimal supported host solely because that package was
absent before installation started.
The top-level `install.sh` asset published on GitHub Releases must be the
root Pulse SERVER installer (the LXC / systemd / Proxmox VE installer that
accepts `--version vX.Y.Z`, `--rc`, `--stable`, and friends). The rendered

View file

@ -2720,10 +2720,12 @@ install_dependencies() {
print_info "Installing dependencies..."
apt-get update -qq >/dev/null 2>&1
# Install essential dependencies plus jq for reliable JSON handling
apt-get install -y -qq curl wget jq >/dev/null 2>&1 || {
# If jq fails to install, just install the essentials
apt-get install -y -qq curl wget >/dev/null 2>&1
# Install essential dependencies plus jq for reliable JSON handling.
# openssh-client provides ssh-keygen, which signed release verification
# requires before installing downloaded or local release archives.
apt-get install -y -qq curl wget ca-certificates openssh-client jq >/dev/null 2>&1 || {
# If jq fails to install, keep the installer-critical dependencies.
apt-get install -y -qq curl wget ca-certificates openssh-client >/dev/null 2>&1
}
}

View file

@ -89,6 +89,25 @@ func TestRootInstallScriptArchiveSupportContract(t *testing.T) {
}
}
func TestRootInstallScriptInstallsSignatureVerificationDependencies(t *testing.T) {
content, err := os.ReadFile(filepath.Join("..", "..", "install.sh"))
if err != nil {
t.Fatalf("read root install.sh: %v", err)
}
script := string(content)
required := []string{
`apt-get install -y -qq curl wget ca-certificates openssh-client jq`,
`apt-get install -y -qq curl wget ca-certificates openssh-client`,
`ssh-keygen is required to verify signed Pulse release assets.`,
}
for _, needle := range required {
if !strings.Contains(script, needle) {
t.Fatalf("install.sh missing signature verification dependency contract: %s", needle)
}
}
}
func TestRootInstallScriptInfersPrivateProArchiveVersion(t *testing.T) {
script := `
set -euo pipefail