zulip/scripts/lib/setup-apt-repo

129 lines
4.3 KiB
Plaintext
Raw Normal View History

#!/usr/bin/env bash
set -x
set -e
set -u
set -o pipefail
verify=false
args="$(getopt -o '' --long verify -- "$@")"
eval "set -- $args"
while true; do
case "$1" in
--verify)
verify=true
shift
;;
--)
shift
break
;;
esac
done
# Ensure the directory for LAST_DEPENDENCIES_HASH exists
mkdir -p /var/lib/zulip
SOURCES_FILE=/etc/apt/sources.list.d/zulip.list
STAMP_FILE=/etc/apt/sources.list.d/zulip.list.apt-update-in-progress
ZULIP_SCRIPTS="$(dirname "$(dirname "$0")")"
DEPENDENCIES_HASH=$(sha1sum "$ZULIP_SCRIPTS/setup/"*.asc "$0")
DEPENDENCIES_HASH_FILE="/var/lib/zulip/setup-repositories-state"
# Ensure that DEPENDENCIES_HASH_FILE exists before hashing it.
touch "$DEPENDENCIES_HASH_FILE"
LAST_DEPENDENCIES_HASH="$(cat "$DEPENDENCIES_HASH_FILE")"
# First, we only do anything in setup-apt-repo if any of its inputs
# (apt keys, code, etc.) changed.
if [ "$DEPENDENCIES_HASH" = "$LAST_DEPENDENCIES_HASH" ]; then
exit 0
elif [ "$verify" == true ]; then
exit 1
fi
# Ensure that the sources file exists
touch "$SOURCES_FILE"
# Hash it to check if the sources file is changed by the script later.
zulip_source_hash=$(sha1sum "$SOURCES_FILE")
pre_setup_deps=(lsb-release apt-transport-https ca-certificates gnupg wget)
setup-apt-repo: Try to download pre-setup deps before skipping update. Simulate isn’t enough in some cases. The error message when this fails looks sufficiently non-alarming. LXC: default: + apt-get -dy install lsb-release apt-transport-https gnupg default: Reading package lists... default: Building dependency tree... default: default: Reading state information... default: lsb-release is already the newest version. default: gnupg is already the newest version. default: The following NEW packages will be installed: default: apt-transport-https default: 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. default: Need to get 25.1 kB of archives. default: After this operation, 238 kB of additional disk space will be used. default: Err http://archive.ubuntu.com/ubuntu/ trusty-updates/main apt-transport-https amd64 1.0.1ubuntu2.3 default: 404 Not Found [IP: 91.189.88.161 80] default: Err http://security.ubuntu.com/ubuntu/ trusty-security/main apt-transport-https amd64 1.0.1ubuntu2.3 default: 404 Not Found [IP: 91.189.88.161 80] default: E: Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/a/apt/apt-transport-https_1.0.1ubuntu2.3_amd64.deb 404 Not Found [IP: 91.189.88.161 80] default: default: E: Some files failed to download default: + apt-get update […] default: Fetched 4,504 kB in 7s (611 kB/s) default: Reading package lists... default: + apt-get -y install lsb-release apt-transport-https gnupg default: Reading package lists... Docker: default: + apt-get -dy install lsb-release apt-transport-https gnupg default: Reading package lists... default: Building dependency tree... default: default: Reading state information... default: Package gnupg is not available, but is referred to by another package. default: This may mean that the package is missing, has been obsoleted, or default: is only available from another source default: E: Package 'gnupg' has no installation candidate default: + apt-get update […] default: Fetched 16.2 MB in 5s (3,326 kB/s) default: Reading package lists... default: + apt-get -y install lsb-release apt-transport-https gnupg default: Reading package lists... (All in green.) Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-27 23:58:48 +02:00
if ! apt-get -dy install "${pre_setup_deps[@]}"; then
apt-get update
fi
apt-get -y install "${pre_setup_deps[@]}"
SCRIPTS_PATH="$(cd "$(dirname "$(dirname "$0")")" && pwd)"
release=$(lsb_release -sc)
if [[ "$release" =~ ^(bionic|cosmic|disco|eoan|focal|groovy)$ ]]; then
distribution=ubuntu
apt-key add "$SCRIPTS_PATH"/setup/pgdg.asc
apt-key add "$SCRIPTS_PATH"/setup/pgroonga-ppa.asc
cat >$SOURCES_FILE <<EOF
deb http://apt.postgresql.org/pub/repos/apt/ $release-pgdg main
deb-src http://apt.postgresql.org/pub/repos/apt/ $release-pgdg main
deb http://ppa.launchpad.net/groonga/ppa/ubuntu $release main
deb-src http://ppa.launchpad.net/groonga/ppa/ubuntu $release main
EOF
elif [[ "$release" =~ ^(buster)$ ]]; then
distribution=debian
apt-key add "$SCRIPTS_PATH"/setup/pgdg.asc
cat >$SOURCES_FILE <<EOF
deb http://apt.postgresql.org/pub/repos/apt/ $release-pgdg main
deb-src http://apt.postgresql.org/pub/repos/apt/ $release-pgdg main
EOF
else
echo "Unsupported release $release."
exit 1
fi
if [[ ! -e /usr/share/doc/groonga-apt-source/copyright ]]; then
remove_pgroonga_apt_tmp_dir() {
rm -rf "$pgroonga_apt_tmp_dir"
}
pgroonga_apt_tmp_dir=$(mktemp --directory)
trap remove_pgroonga_apt_tmp_dir EXIT
pushd "$pgroonga_apt_tmp_dir"
tmp_gpg_home=.gnupg
pgroonga_apt_sign_key="$SCRIPTS_PATH"/setup/pgroonga-packages.groonga.org.asc
gpg --homedir="$tmp_gpg_home" --import "$pgroonga_apt_sign_key"
# Find fingerprint of the first key.
pgroonga_apt_sign_key_fingerprint=$(
gpg --homedir="$tmp_gpg_home" --with-colons --list-keys \
| grep '^fpr:' \
| cut --delimiter=: --fields=10 \
| head --lines=1
)
groonga_apt_source_deb="groonga-apt-source-latest-$release.deb"
groonga_apt_source_deb_sign="$groonga_apt_source_deb.asc.$pgroonga_apt_sign_key_fingerprint"
wget "https://packages.groonga.org/$distribution/$groonga_apt_source_deb"
wget "https://packages.groonga.org/$distribution/$groonga_apt_source_deb_sign"
gpg \
--homedir="$tmp_gpg_home" \
--verify \
"$groonga_apt_source_deb_sign" \
"$groonga_apt_source_deb"
# To suppress the following warning by "apt-get install":
# N: Download is performed unsandboxed as root as file
# '.../groonga-apt-source-latest-$release.deb' couldn't be
# accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
chown _apt .
apt-get -y install "./$groonga_apt_source_deb"
popd
touch "$STAMP_FILE"
fi
if [ "$zulip_source_hash" = "$(sha1sum "$SOURCES_FILE")" ] && ! [ -e "$STAMP_FILE" ]; then
echo "zulip.list file did not change; skipping apt-get update"
else
# We create this stamp file to ensure `apt-get update` will be run
# the next time this script is invoked, and each time after, until
# `apt-get update` finishes successfully.
touch "$STAMP_FILE"
apt-get update && rm -f "$STAMP_FILE"
fi
echo "$DEPENDENCIES_HASH" >"$DEPENDENCIES_HASH_FILE"