obsd-update

#!/bin/sh

set -e

: "${_tgz_dir="/usr/rel"}"
: "${_sha="SHA256"}"
: "${_sha_sig="SHA256.sig"}"
_rel="${2:-"$(uname -r)"}"
_rel_underscore="$(printf '%s' "$_rel" | sed 's/\./_/')"
_rel_nodot="$(printf '%s' "$_rel" | sed 's/\.//')"
: "${_arch="$(uname -m)"}"

__status () {
  printf ':: %s\n' "$1" >&2
}

__verify () {
  __status "Verifying $1"
  signify -C -q -p "/etc/signify/openbsd-${_rel_nodot}-base.pub" -x \
   "$_sha_sig" "$1"
}

__dl () {
  __status "Downloading $1 for ${_rel} ${_arch}"
  ftp -o "$1" \
   "$(cat /etc/installurl)/${_rel}/${_arch}/$1" \
   >/dev/null
}

__usage () {
  cat << EOH
Initialize ${_tgz_dir} with OpenBSD's RELEASE tarballs for ${_rel}

$0 -h|help
$0 fetch [release]

fetch [release] will:
  * Download ${_sha} and ${_sha_sig} from the mirrors for [release]
  * Validate them with signify(1)
  * Download the base, game, comp, man tarballs
  * Download the bsd bsd.mp bsd.rd tarballs
  * Validate everything with signify(1)
EOH
}

case "$1" in
  -h|help)
    __usage
  ;;
  fetch)
    cd "$_tgz_dir"

    : > "${_sha}"
    : > "${_sha_sig}"

    # We download both SHA256.sig and SHA256 as base of truth
    for _h in "${_sha}" "${_sha_sig}"; do
      __dl "$_h"
    done

    # Check SHA256 against known signature keys (on current system)
    __status "Checking ${_sha} and ${_sha_sig}"
    signify -V -q -x "${_sha_sig}" \
     -p "/etc/signify/openbsd-${_rel_nodot}-base.pub" -m "${_sha}"

    # We download the archives until signify checks out
    for _f in base${_rel_nodot}.tgz game${_rel_nodot}.tgz \
     comp${_rel_nodot}.tgz man${_rel_nodot}.tgz bsd bsd.mp bsd.rd; do
      while ! __verify "$_f"; do
        __dl "$_f"
      done
    done

    __status "Now: https://www.openbsd.org/faq/upgrade${_rel_nodot}.html"
  ;;
  *)
    __usage >&2
    exit 5
  ;;
esac