On 2019-02-21, Edgar Pettijohn <ed...@pettijohn-web.com> wrote:
>
> On Feb 21, 2019 6:38 AM, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
>>
>> Hello All,
>>
>> We have an in-house shell script based deployment system for our
>> OpenBSD boxes in the field.
>> This involves the boxes pulling config files over https, but I'm always
>> concerned that if the downloaded files are incomplete or empty,
>> this would break the configs and require heavy manual intervention to fix,
>> and I'm wondering if there is a framework or best practices guide
>> or a good script example where OpenBSD folks have solved this issue.
>>
>> At the moment I'm using the native OpenBSD FTP client and the pull scripts
>> are simple shell scripts.
>> I'm just wondering if there are shell scripts / functions that solve this problem
>> in a much safer and more elegant way than me manually verifying hashes
>> on each file download.
>>
>> I'm concerned particularly that in the future deployment scripts will
>> add services (and hence imply the downloading of shell scripts) and I need
>> to be certain.
>>
>> I'm wondering if there is something like rcctl.subr
>> that my shell script could call with functions that have been written by
>> smarter people than I.
>> Any suggestions would be welcome,
It's not especially smart, but I've done this in the past where I've just put a comment at the end of the file which I've checked for in the fetcher to check for truncation (but obviously this misses other possible problems).

If I was doing this now I'd probably use something based around signify, probably as gzip archives with the -z method for embedded signatures. (As you're doing this with https, make sure you consider that the clock might be wrong at boot.)

> rdist(1)

I'm not entirely familiar with rdist, but I think it's push-based whereas Tom is asking about pull-based.
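The two approaches mentioned in the reply above, as an added example that is not part of the thread and not code from either poster: a cheap end-of-file sentinel check that catches a truncated or empty download, an atomic install (temp file in the target directory, then rename) so a half-fetched file never replaces a working config, and a fetch helper that only unpacks an archive after `signify -Vz` has verified the signature embedded in the gzip header. The sentinel string, the file names, the URL and the public key path are all hypothetical; the signed-fetch function needs OpenBSD's ftp(1) and signify(1), so check the flags against signify(1) on your release before relying on it.

```sh
#!/bin/sh
# Added example: pull-side integrity checks for fetched config files.
# Not from the thread; names, paths and the sentinel are made up.
set -u

# Hypothetical marker that the server appends as the last line of every
# config file. A truncated or empty transfer will not end with it.
SENTINEL='# END-OF-CONFIG'

# has_sentinel FILE
# Returns 0 if FILE is non-empty and its last line is exactly $SENTINEL.
# This only detects truncation; it says nothing about who produced the
# file or whether earlier bytes were altered, which is why the signed
# variant below is preferred.
has_sentinel() {
    f=$1
    [ -s "$f" ] || return 1
    [ "$(tail -n 1 "$f")" = "$SENTINEL" ]
}

# install_if_complete SRC DST
# Checks SRC with has_sentinel, copies it to a temp file in DST's
# directory and renames it over DST in one step, so a reader sees either
# the old file or the complete new one, never a partial write.
# Leaves DST untouched and returns 1 if SRC fails the check.
install_if_complete() {
    src=$1 dst=$2
    if ! has_sentinel "$src"; then
        echo "refusing to install $dst: download looks incomplete" >&2
        return 1
    fi
    tmp=$(mktemp "$(dirname "$dst")/.$(basename "$dst").XXXXXX") || return 1
    if cp "$src" "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# fetch_and_verify_signed URL PUBKEY DSTDIR
# Downloads a gzip archive that was signed with `signify -Sz` and unpacks
# it into DSTDIR only if the embedded signature verifies against PUBKEY
# (signify -Vz writes the verified archive to stdout). Requires ftp(1)
# and signify(1) from OpenBSD, so it is not exercised by the test below.
# Note the reply's caveat: at boot the clock may be wrong, which can make
# the https certificate check in ftp(1) fail before any of this runs.
fetch_and_verify_signed() {
    url=$1 pubkey=$2 dstdir=$3
    tmp=$(mktemp /tmp/cfg.XXXXXX) || return 1
    if ftp -o "$tmp" "$url" &&
       signify -Vz -p "$pubkey" -x "$tmp" | tar -xzf - -C "$dstdir"; then
        rm -f "$tmp"
        return 0
    fi
    echo "signature or download check failed for $url" >&2
    rm -f "$tmp"
    return 1
}
```

Typical use on a box is `install_if_complete /tmp/pf.conf.new /etc/pf.conf` for a file fetched with `ftp -o /tmp/pf.conf.new https://.../pf.conf`, or `fetch_and_verify_signed https://.../host.tgz /etc/signify/cfg.pub /` for the signed archive; in both cases a failed check leaves the existing config in place so the box keeps running on what it had.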