#!/bin/bash # Secure version of automatic apps download set -euo pipefail ############################## # Automatic apps download # # SECURE VERSION # ############################## PACKAGES="$1" echo "๐Ÿ“ฆ Installing packages securely: $PACKAGES" # Install dependencies securely install_dependencies() { echo "๐Ÿ”ง Installing required dependencies..." # Install bash if needed if ! command -v bash > /dev/null 2>&1; then (apt-get update && apt-get install -yqq --no-install-recommends bash || apk add --no-cache bash) > /dev/null fi # Install curl if needed if ! command -v curl > /dev/null 2>&1; then (apt-get update && apt-get install -yqq --no-install-recommends curl || apk add --no-cache curl) > /dev/null fi # Install ca-certificates for SSL verification (apt-get update && apt-get install -yqq --no-install-recommends ca-certificates || apk add --no-cache ca-certificates) > /dev/null 2>&1 || true } # Secure download function secure_download() { local url="$1" local output_file="$2" local expected_sha256="${3:-}" echo "๐Ÿ”’ Downloading: $(basename "$output_file")" # Download with security headers and timeouts if ! curl -fsSL \ --retry 3 \ --retry-delay 2 \ --connect-timeout 10 \ --max-time 60 \ --user-agent "HomeAssistant-AddOn/1.0" \ --header "Accept: application/octet-stream" \ "$url" -o "$output_file"; then echo "โŒ Failed to download: $url" >&2 return 1 fi # Verify checksum if provided if [ -n "$expected_sha256" ]; then local actual_sha256 actual_sha256=$(sha256sum "$output_file" | cut -d' ' -f1) if [ "$actual_sha256" != "$expected_sha256" ]; then echo "โŒ Checksum verification failed for $output_file" >&2 echo "Expected: $expected_sha256" >&2 echo "Actual: $actual_sha256" >&2 rm -f "$output_file" return 1 fi echo "โœ… Checksum verified" else echo "โš ๏ธ No checksum provided - consider adding one for security" fi # Set secure permissions chmod 755 "$output_file" } # Main execution main() { echo "๐Ÿ›ก๏ธ Starting secure package installation..." # Install dependencies install_dependencies # For now, we'll download without checksum but with secure practices # TODO: Add checksums for ha_automatic_packages.sh in future releases echo "๐Ÿ“ฅ Downloading package installer..." local script_url="https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/ha_automatic_packages.sh" local script_file="/ha_automatic_packages.sh" # Download securely (without checksum for now - to be added) if secure_download "$script_url" "$script_file" ""; then echo "๐Ÿƒ Executing package installer..." # Execute with error handling if bash "$script_file" "${PACKAGES:-}"; then echo "โœ… Package installation completed successfully" else echo "โŒ Package installation failed" >&2 exit 1 fi # Clean up rm -f "$script_file" echo "๐Ÿงน Cleanup completed" else echo "โŒ Failed to download package installer" >&2 exit 1 fi } # Execute main function main "$@"