From e6d4403b593360d5847b49b144afdfc4a8c0853d Mon Sep 17 00:00:00 2001 From: Chi Nul Date: Tue, 21 Aug 2018 14:47:31 +0200 Subject: [PATCH 1/3] Also verify checksum for bouncy castle .jar in prepare-system.sh We do this for the jce_policy-8.zip file, but we also fetch the BC .jar over http and it could be trivially MitM'ed by a network adversary before this patch. --- package/linux/prepare-system.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/package/linux/prepare-system.sh b/package/linux/prepare-system.sh index 7c87850b724..1fc066b46f0 100644 --- a/package/linux/prepare-system.sh +++ b/package/linux/prepare-system.sh @@ -1,5 +1,4 @@ #!/usr/bin/env bash - cd $(dirname $0) echo Update OS @@ -37,6 +36,11 @@ then echo Configure Bouncy Castle wget "http://central.maven.org/maven2/org/bouncycastle/bcprov-jdk15on/1.56/$bouncyCastleJar" +if ! echo "963e1ee14f808ffb99897d848ddcdb28fa91ddda867eb18d303e82728f878349 ${bouncyCastleJar}" | sha256sum -c -; +then + echo "Bad checksum for ${bouncyCastleJar}." >&2 + exit 1 +fi sudo mv $bouncyCastleJar $JAVA_HOME/jre/lib/ext/ sudo chmod 777 "$JAVA_HOME/jre/lib/ext/$bouncyCastleJar" else From c026d71f53dc9058a240b43cd8114b38dcbb9d29 Mon Sep 17 00:00:00 2001 From: Chi Nul Date: Tue, 21 Aug 2018 14:55:08 +0200 Subject: [PATCH 2/3] Improve style for prepare-system.sh script Consistently indent with four spaces. Use ${foo} instead of $foo to expand variables. Edit log messages to say e.g "Enabling foo..." instead of "Enable foo" (the second sounds like we are telling the user to do something). Add log message at the end of script, so it shows a message even if nothing needs to be done on the current run. --- package/linux/prepare-system.sh | 62 ++++++++++++++++----------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/package/linux/prepare-system.sh b/package/linux/prepare-system.sh index 1fc066b46f0..f5adadce168 100644 --- a/package/linux/prepare-system.sh 
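Review bot: The digest literal in the added `if ! echo "963e1ee1…" | sha256sum -c -` line carries no note on where it was obtained, while the jce_policy-8.zip check earlier in this file documents its value with a `# see …` comment; a reader cannot tell whether this hash was computed from a copy fetched over the same unauthenticated http URL it is meant to protect or from an independently trusted reference. Add a comment next to the literal such as `# sha256 of bcprov-jdk15on-1.56.jar, verified against <PLACEHOLDER: trusted reference>` so the pinned value can be audited and re-derived. The `if` block surrounding this hunk starts and ends outside it.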
+++ b/package/linux/prepare-system.sh 
@@ -1,48 +1,48 @@ #!/usr/bin/env bash -cd $(dirname $0) - -echo Update OS +# +# Install dependencies necessary for releasing Bisq on Debian-like systems. +# +cd $(dirname ${0}) +echo "Updating OS.." sudo apt-get update sudo apt-get upgrade sudo apt-get dist-upgrade -if [ ! -f "$JAVA_HOME/jre/lib/security/local_policy.jar" ] -then -echo "Enable strong crypto support for Java" +if [ ! -f "${JAVA_HOME}/jre/lib/security/local_policy.jar" ]; then + echo "Enabling strong crypto support for Java.." -wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip + wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip -checksum=f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 # see https://github.com/jonathancross/jc-docs/blob/master/java-strong-crypto-test/README.md + checksum=f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 # see https://github.com/jonathancross/jc-docs/blob/master/java-strong-crypto-test/README.md -if ! echo "$checksum jce_policy-8.zip" | sha256sum -c -; -then - echo "Checksum failed" >&2 - exit 1 -fi + if ! echo "${checksum} jce_policy-8.zip" | sha256sum -c -; then + echo "Bad checksum for ${jce_policy-8.zip}." 
>&2 + exit 1 + fi -unzip jce_policy-8.zip -sudo cp UnlimitedJCEPolicyJDK8/{US_export_policy.jar,local_policy.jar} $JAVA_HOME/jre/lib/security/ -sudo chmod 664 $JAVA_HOME/jre/lib/security/{US_export_policy.jar,local_policy.jar} -sudo rm -rf UnlimitedJCEPolicyJDK8 jce_policy-8.zip + unzip jce_policy-8.zip + sudo cp UnlimitedJCEPolicyJDK8/{US_export_policy.jar,local_policy.jar} ${JAVA_HOME}/jre/lib/security/ + sudo chmod 664 ${JAVA_HOME}/jre/lib/security/{US_export_policy.jar,local_policy.jar} + sudo rm -rf UnlimitedJCEPolicyJDK8 jce_policy-8.zip else -echo "Strong Crypto support for Java already available" + echo "Strong Crypto support for Java already available." fi bouncyCastleJar=bcprov-jdk15on-1.56.jar -if [ ! -f "$JAVA_HOME/jre/lib/ext/$bouncyCastleJar" ] -then -echo Configure Bouncy Castle - -wget "http://central.maven.org/maven2/org/bouncycastle/bcprov-jdk15on/1.56/$bouncyCastleJar" -if ! echo "963e1ee14f808ffb99897d848ddcdb28fa91ddda867eb18d303e82728f878349 ${bouncyCastleJar}" | sha256sum -c -; -then - echo "Bad checksum for ${bouncyCastleJar}." >&2 - exit 1 -fi -sudo mv $bouncyCastleJar $JAVA_HOME/jre/lib/ext/ -sudo chmod 777 "$JAVA_HOME/jre/lib/ext/$bouncyCastleJar" +if [ ! -f "${JAVA_HOME}/jre/lib/ext/${bouncyCastleJar}" ]; then + echo "Configuring Bouncy Castle.." + checksum="963e1ee14f808ffb99897d848ddcdb28fa91ddda867eb18d303e82728f878349" + wget "http://central.maven.org/maven2/org/bouncycastle/bcprov-jdk15on/1.56/${bouncyCastleJar}" + if ! echo "${checksum} ${bouncyCastleJar}" | sha256sum -c -; then + echo "Bad checksum for ${bouncyCastleJar}." >&2 + exit 1 + fi + sudo mv ${bouncyCastleJar} ${JAVA_HOME}/jre/lib/ext/ + sudo chmod 777 "${JAVA_HOME}/jre/lib/ext/${bouncyCastleJar}" else -echo Bouncy Castle already configured + echo "Bouncy Castle already configured." fi + +echo "Done." From 84b9070d455e949d6a1de0aa2a6d4533941fcbf6 Mon Sep 17 00:00:00 2001 
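Review bot: The rewritten error message `echo "Bad checksum for ${jce_policy-8.zip}." >&2` is a parameter expansion, not a literal: `${jce_policy-8.zip}` means "the value of `jce_policy`, or `8.zip` if it is unset", so on a checksum failure the script prints "Bad checksum for 8.zip."; change it to `echo "Bad checksum for jce_policy-8.zip." >&2`. The changed line `sudo chmod 777 "${JAVA_HOME}/jre/lib/ext/${bouncyCastleJar}"` makes the just-verified provider jar world-writable inside the JVM extension directory, so any local account can replace it after the sha256 check has passed; `chmod 644` (or the `664` already used for the policy jars a few lines up) is sufficient for the JVM to read it. The changed `cd $(dirname ${0})` is unquoted and its failure is ignored, so a script path containing spaces, or an inaccessible directory, lets the rest of the script run from the wrong working directory; `cd "$(dirname "${0}")" || exit 1` avoids both.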
From: Chi Nul
Date: Sat, 25 Aug 2018 16:32:39 +0200
Subject: [PATCH 3/3] Add -e and -u options in prepare-system.sh

The -e makes any command that exits with non-success terminate the script. The -u makes any reference to an undefined variable exit with an error.
---
 package/linux/prepare-system.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/linux/prepare-system.sh b/package/linux/prepare-system.sh
index f5adadce168..13117a1f6f8 100644
--- a/package/linux/prepare-system.sh
+++ b/package/linux/prepare-system.sh
@@ -3,6 +3,7 @@
 # Install dependencies necessary for releasing Bisq on Debian-like systems.
 #
 cd $(dirname ${0})
+set -eu
 echo "Updating OS.."
 sudo apt-get update