deraadt@ noticed that if you install a list of local files fw_update still tries to download the SHA256.sig and will fail if it can't. That doesn't make sense, so instead only download it if we're going to use it and it doesn't exist. It does continue to attempt to update the SHA256.sig if we're downloading firmware in case there is a new one and possibly new firmware.
Comments, OK?
Index: fw_update.sh
===================================================================
RCS file: /cvs/src/usr.sbin/fw_update/fw_update.sh,v
retrieving revision 1.25
diff -u -p -r1.25 fw_update.sh
--- fw_update.sh 6 Jan 2022 19:27:01 -0000 1.25
+++ fw_update.sh 7 Jan 2022 02:08:34 -0000
@@ -119,7 +119,21 @@ fetch() {
 fi
 }
 
+fetch_cfile() {
+ if "$DOWNLOAD"; then
+ set +o noclobber # we want to get the latest CFILE
+ fetch "$CFILE" || return 1
+ set -o noclobber
+ ! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" &&
+ echo "Signature check of SHA256.sig failed" >&2 && return 1
+ elif [ ! -e "$CFILE" ]; then
+ echo "${0##*/}: $CFILE: No such file or directory" >&2
+ return 2
+ fi
+}
+
 verify() {
+ [ -e "$CFILE" ] || fetch_cfile
 # On the installer we don't get sha256 -C, so fake it.
 if ! fgrep -qx "SHA256 (${1##*/}) = $( /bin/sha256 -qb "$1" )" "$CFILE"; then
 echo "Checksum test for ${1##*/} failed." >&2
@@ -149,6 +163,7 @@ firmware_in_dmesg() {
 
 firmware_filename() {
 local _f
+ [ -e "$CFILE" ] || fetch_cfile
 _f="$( sed -n "s/.*(\($1-firmware-.*\.tgz\)).*/\1/p" "$CFILE" | sed '$!d' )"
 ! [ "$_f" ] && echo "Unable to find firmware for $1" >&2 && return 1
 echo "$_f"
@@ -313,6 +328,17 @@ fi
 if [ "$OPT_F" ]; then
 INSTALL=false
 LOCALSRC="${LOCALSRC:-.}"
+
+ # Always check for latest CFILE and so latest firmware
+ if [ -e "$LOCALSRC/$CFILE" ]; then
+ mv "$LOCALSRC/$CFILE" "$LOCALSRC/$CFILE-OLD"
+ if fetch_cfile; then
+ rm -f "$LOCALSRC/$CFILE-OLD"
+ else
+ mv "$LOCALSRC/$CFILE-OLD" "$LOCALSRC/$CFILE"
+ echo "Using existing $CFILE" >&2
+ fi
+ fi
 elif [ "$LOCALSRC" ]; then
 DOWNLOAD=false
 fi
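Review bot: A failed signature check in fetch_cfile() returns 1 but leaves the download in place (assuming fetch stores it at `$CFILE`, as the signify call that follows suggests), and the new guard in verify(), `[ -e "$CFILE" ] || fetch_cfile`, drops that status before the fgrep on the next line reads the file; the identical guard added to firmware_filename() in the next hunk has the same gap. Unless errexit stops the script at that point, which this diff does not show, firmware could be accepted against a checksum list that never verified, and later calls skip fetch_cfile because the file now exists. The guards should propagate the failure, `[ -e "$CFILE" ] || fetch_cfile || return 1`, and the signature-failure path should remove the file. Separately, `fetch "$CFILE" || return 1` returns with noclobber still switched off; the sketch below restores it on that path as well.
```shell
fetch_cfile() {
	if "$DOWNLOAD"; then
		set +o noclobber # we want to get the latest CFILE
		if ! fetch "$CFILE"; then
			set -o noclobber
			return 1
		fi
		set -o noclobber
		if ! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE"; then
			echo "Signature check of SHA256.sig failed" >&2
			# do not leave an unverified list where the -e guards will find it
			rm -f "$CFILE"
			return 1
		fi
	# … unchanged: elif branch reporting a missing local CFILE …
```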
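Review bot: In the `OPT_F` block a bad signature is now handled the same way as a failed download: fetch_cfile returns 1 for both, and the `else` branch restores `$CFILE-OLD` and carries on with "Using existing $CFILE", whereas the code this patch removes further down exited with status 1 when the signature check failed. Falling back to the old list is reasonable when the mirror cannot be reached, but a signature mismatch should stay fatal so that a tampered SHA256.sig cannot quietly keep a host on an outdated list. One way is a distinct status for that case in fetch_cfile (for example `return 3`), saved here with `_rc=0; fetch_cfile || _rc=$?` and acted on in the else branch with `[ "$_rc" -eq 3 ] && exit 1`. The block also tests and moves `$LOCALSRC/$CFILE` while fetch_cfile operates on `$CFILE`; the two only agree if `$CFILE` already resolves inside `$LOCALSRC`, which this hunk does not show.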
@@ -385,18 +411,6 @@ else
 fi
 
 [ "${devices[*]:-}" ] || exit
-
-if "$DOWNLOAD"; then
- set +o noclobber # we want to get the latest CFILE
- fetch "$CFILE"
- set -o noclobber
- ! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" &&
- echo "Signature check of SHA256.sig failed" >&2 && exit 1
-elif [ ! -e "$CFILE" ]; then
- # TODO: We shouldn't need a CFILE if all arguments are files.
- echo "${0##*/}: $CFILE: No such file or directory" >&2
- exit 2
-fi
 
 added=''
 updated=''