#!/bin/bash
# Secure script downloader with integrity verification
#
# NOTE(review): the usage text in this file tells callers to `source` it, so
# the options below are switched on in the calling shell as well, not only
# inside the functions defined here.
set -o errexit -o nounset -o pipefail

##################################
# Secure Template Script Download #
##################################

# Function to securely download and verify scripts
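#######################################
# Download a file with curl and, when a SHA-256 digest is supplied, verify it
# before the file is moved into place and made executable.
# Arguments:
#   $1 - URL to fetch (handed to curl unchanged; -L follows redirects)
#   $2 - destination path
#   $3 - expected SHA-256 digest, optional. Compared as an exact string with
#        the first field of sha256sum's output (lowercase hex). Empty or
#        omitted skips verification.
# Outputs:
#   progress on stdout; warnings and errors on stderr
# Returns:
#   0 on success, 1 on download failure, digest mismatch or staging failure
#######################################
secure_download() {
  local url="$1"
  local output_file="$2"
  # ${3:-} keeps the documented "no checksum" path usable under `set -u`,
  # where a bare "$3" aborts when only two arguments are passed.
  local expected_sha256="${3:-}"
  local retries=3
  local retry_delay=2
  # Declared local so the loop counter and scratch values do not leak into the
  # shell that sourced this file.
  local attempt tmp_file actual_sha256

  echo "🔒 Securely downloading: $(basename "$output_file")"

  # Stage next to the destination: unverified or partial bytes never sit at
  # the final path, and the closing mv stays on one filesystem.
  tmp_file=$(mktemp "${output_file}.XXXXXX") || {
    echo "❌ Could not create a temporary file next to: $output_file" >&2
    return 1
  }

  # Download with retry logic (each attempt also uses curl's own --retry).
  # NOTE(review): nothing here pins the URL scheme. With a digest the content
  # is still checked; without one, transport security is the only protection,
  # so callers should pass https URLs.
  for ((attempt = 1; attempt <= retries; attempt++)); do
    if curl -fsSL --retry 3 --retry-delay 1 --connect-timeout 10 --max-time 30 "$url" -o "$tmp_file"; then
      break
    elif ((attempt == retries)); then
      echo "❌ Failed to download after $retries attempts: $url" >&2
      rm -f -- "$tmp_file"
      return 1
    else
      echo "⚠️ Download attempt $attempt failed, retrying in ${retry_delay}s..." >&2
      sleep "$retry_delay"
    fi
  done

  # Verify SHA256 checksum if provided
  if [ -n "$expected_sha256" ]; then
    echo "🔍 Verifying integrity..."
    # A failing sha256sum leaves the value empty, which can never equal a
    # non-empty expected digest, so the check fails closed and still cleans up.
    actual_sha256=$(sha256sum "$tmp_file" | cut -d' ' -f1) || actual_sha256=""

    if [ "$actual_sha256" = "$expected_sha256" ]; then
      echo "✅ Integrity verification passed"
    else
      echo "❌ INTEGRITY VERIFICATION FAILED!" >&2
      echo "Expected: $expected_sha256" >&2
      echo "Actual: $actual_sha256" >&2
      # As before, nothing is left at the destination after a failed check,
      # so a stale copy cannot be run by a caller that ignores the status.
      rm -f -- "$tmp_file" "$output_file"
      return 1
    fi
  else
    # NOTE(review): fail-open path. The file is installed and made executable
    # with no integrity check; callers that need the guarantee must pass $3.
    echo "⚠️ No checksum provided - skipping integrity verification" >&2
  fi

  # 755: owner-writable only, readable and executable by everyone. Applied
  # before the move so the destination appears already in its final mode.
  if ! chmod 755 "$tmp_file" || ! mv -f -- "$tmp_file" "$output_file"; then
    echo "❌ Could not install downloaded file to: $output_file" >&2
    rm -f -- "$tmp_file"
    return 1
  fi
  echo "🔧 Set secure permissions (755)"
}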

# Function to install common dependencies securely
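#######################################
# Install one package with whichever supported package manager is present.
# Arguments: $1 - package name
# Returns:   the package manager's status, or 1 when neither apt-get nor apk
#            is available
#######################################
_secure_install_pkg() {
  local pkg="$1"
  # Pick the manager that exists instead of chaining `a && b || c`, which
  # printed "command not found" for apt-get on apk-based images.
  if command -v apt-get > /dev/null 2>&1; then
    apt-get update && apt-get install -yqq --no-install-recommends "$pkg"
  elif command -v apk > /dev/null 2>&1; then
    apk add --no-cache "$pkg"
  else
    echo "❌ No supported package manager (apt-get or apk) found to install: $pkg" >&2
    return 1
  fi
}

#######################################
# Make sure bash, curl and a CA bundle are available for secure_download.
# Outputs: progress on stdout; package-manager errors and warnings on stderr
# Returns: 0 unless installing bash or curl fails while errexit is active,
#          in which case the shell exits as it did before
#######################################
install_dependencies() {
  echo "📦 Installing secure dependencies..."

  # Install bash and curl only when they are missing. Package-manager stdout
  # is discarded; stderr stays visible so a failure can be diagnosed.
  local tool
  for tool in bash curl; do
    if ! command -v "$tool" > /dev/null 2>&1; then
      _secure_install_pkg "$tool" > /dev/null
    fi
  done

  # Install ca-certificates for SSL verification. Still best-effort, but a
  # failure is now reported instead of being swallowed: curl is invoked with
  # certificate checking on, so a missing CA bundle shows up later as failed
  # HTTPS downloads.
  if ! _secure_install_pkg ca-certificates > /dev/null 2>&1; then
    echo "⚠️ Could not install ca-certificates; HTTPS downloads may fail certificate verification" >&2
  fi
}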

# Main execution if called directly
# Run directly rather than sourced: only the usage text is printed and no
# download or installation is performed.
if [[ "${0}" == "${BASH_SOURCE[0]}" ]]; then
  printf '%s\n' \
    "🛡️ Home Assistant Secure Script Downloader" \
    "This script provides secure download functions for HA add-ons" \
    "" \
    "Usage:" \
    " source $0" \
    " secure_download <url> <output_file> <sha256_hash>" \
    "" \
    "Example:" \
    " secure_download 'https://example.com/script.sh' '/tmp/script.sh' 'abc123...'"
fi