Implemented update feature

2025-02-22 16:53:56 +00:00 · 2021-06-06 10:12:01 -04:00 · 2021-06-06 10:12:01 -04:00 · 324dbed312
commit 324dbed312
parent 6d884cfd58
3 changed files with 170 additions and 13 deletions
--- a/how-to-create-encrypted-paper-backup/README.md
+++ b/how-to-create-encrypted-paper-backup/README.md
@ -252,10 +252,12 @@ $ sudo curl -o /etc/udev/rules.d/51-trezor.rules https://data.trezor.io/udev/51-
 ### Step 10: import Sun’s PGP public key (used to verify downloads below)

 ```console
-$ curl https://sunknudsen.com/sunknudsen.asc | gpg --import
+$ curl -o /home/pi/sunknudsen.asc https://sunknudsen.com/sunknudsen.asc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
-100  6896  100  6896    0     0   6499      0  0:00:01  0:00:01 --:--:--  6499
+100  6896  100  6896    0     0   7569      0 --:--:-- --:--:-- --:--:--  7561
+
+$ gpg --import /home/pi/sunknudsen.asc
 gpg: key C1323A377DE14C8B: public key "Sun Knudsen <hello@sunknudsen.com>" imported
 gpg: Total number processed: 1
 gpg:               imported: 1
@ -475,16 +477,16 @@ Good signature
 $ curl -o /home/pi/.local/bin/secure-erase.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/secure-erase.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
-100  1283  100  1283    0     0   1189      0  0:00:01  0:00:01 --:--:--  1189
+100  1350  100  1350    0     0    992      0  0:00:01  0:00:01 --:--:--   992

 $ curl -o /home/pi/.local/bin/secure-erase.sh.sig https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/secure-erase.sh.sig
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
-100   833  100   833    0     0    944      0 --:--:-- --:--:-- --:--:--   944
+100   833  100   833    0     0    805      0  0:00:01  0:00:01 --:--:--   805

 $ gpg --verify /home/pi/.local/bin/secure-erase.sh.sig
 gpg: assuming signed data in '/home/pi/.local/bin/secure-erase.sh'
-gpg: Signature made Mon 19 Apr 2021 12:51:50 EDT
+gpg: Signature made Thu 03 Jun 2021 19:34:35 BST
 gpg:                using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
 gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
 gpg: WARNING: This key is not certified with a trusted signature!
@ -571,7 +573,41 @@ Good signature

 👍

-### Step 20: make filesystem read-only
+### Step 20: download and verify [update.sh](./update.sh) (uupdate Trezor devices)
+
+```console
+$ curl -o /home/pi/.local/bin/update.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/update.sh
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100  1494  100  1494    0     0   1498      0 --:--:-- --:--:-- --:--:--  149
+
+$ curl -o /home/pi/.local/bin/update.sh.sig https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/update.sh.sig
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100   833  100   833    0     0    929      0 --:--:-- --:--:-- --:--:--   928
+
+$ gpg --verify /home/pi/.local/bin/update.sh.sig
+gpg: assuming signed data in '/home/pi/.local/bin/update.sh'
+gpg: Signature made Sat 05 Jun 2021 16:01:37 BST
+gpg:                using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
+gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: C4FB DDC1 6A26 2672 920D  0A0F C132 3A37 7DE1 4C8B
+     Subkey fingerprint: A98C CD12 2243 655B 26FA  FB61 1FA7 6786 2BBD 1305
+
+$ chmod 700 /home/pi/.local/bin/update.sh
+```
+
+Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints
+
+👍
+
+Good signature
+
+👍
+
+### Step 21: make filesystem read-only

 > Heads-up: shout-out to Nico Kaiser for his amazing [guide](https://gist.github.com/nicokaiser/08aa5b7b3958f171cf61549b70e8a34b) on how to configure a read-only Raspberry Pi.

@ -643,13 +679,13 @@ $ sudo sed -i -e 's/vfat\s*defaults\s/vfat defaults,ro/' /etc/fstab
 $ sudo sed -i -e 's/ext4\s*defaults,noatime\s/ext4 defaults,noatime,ro,noload/' /etc/fstab
 ```

-### Step 21: disable Wi-Fi (if not using ethernet)
+### Step 22: disable Wi-Fi (if not using ethernet)

 ```shell
 echo "dtoverlay=disable-wifi" | sudo tee -a /boot/config.txt
 ```

-### Step 22: disable `dhcpcd`, `networking` and `wpa_supplicant` services and “fix” `rfkill` bug
+### Step 23: disable `dhcpcd`, `networking` and `wpa_supplicant` services and “fix” `rfkill` bug

 ```console
 $ sudo systemctl disable dhcpcd networking wpa_supplicant
@ -657,13 +693,13 @@ $ sudo systemctl disable dhcpcd networking wpa_supplicant
 $ sudo rm /etc/profile.d/wifi-check.sh
 ```

-### Step 23: delete macOS hidden files (if present)
+### Step 24: delete macOS hidden files (if present)

 ```shell
 sudo rm -fr /boot/.fseventsd /boot/.DS_Store /boot/.Spotlight-V100
 ```

-### Step 24: reboot
+### Step 25: reboot

 ```shell
 sudo systemctl reboot
@ -671,9 +707,9 @@ sudo systemctl reboot

 > WARNING: DO NOT CONNECT RASPBERRY PI TO NETWORK EVER AGAIN WITHOUT REINSTALLING RASPBERRY PI OS FIRST (DEVICE IS NOW “READ-ONLY” AND “COLD”).

-### Step 25 (optional): disable auto-mount of `boot` volume (on macOS)
+### Step 26 (optional): disable auto-mount of `boot` volume (on macOS)

-> Heads-up: done to prevent macOS from writing [hidden files](#step-23-delete-macos-hidden-files-if-present) to `boot` volume which would invalidate stored SHA512 hash of micro SD card.
+> Heads-up: done to prevent macOS from writing [hidden files](#step-24-delete-macos-hidden-files-if-present) to `boot` volume which would invalidate stored SHA512 hash of micro SD card.

 #### Enable read-only mode using switch on micro SD to SD adapter

@ -689,7 +725,7 @@ volume_uuid=$(diskutil info "$volume_path" | awk '/Volume UUID:/ { print $3 }')
 echo "UUID=$volume_uuid none msdos ro,noauto" | sudo tee -a /etc/fstab
 ```

-### Step 26 (optional): compute SHA512 hash of SD card and store in password manager (on macOS)
+### Step 27 (optional): compute SHA512 hash of SD card and store in password manager (on macOS)

 Run `diskutil list` to find disk ID of micro SD card with “Raspberry Pi OS Lite” installed (`disk2` in the following example).

--- a/how-to-create-encrypted-paper-backup/update.sh
+++ b/how-to-create-encrypted-paper-backup/update.sh
@ -0,0 +1,105 @@
+#! /bin/bash
+
+set -e
+set -o pipefail
+
+if [ "$1" = "--help" ]; then
+  printf "%s\n" "Usage: update.sh"
+  exit 0
+fi
+
+bold=$(tput bold)
+red=$(tput setaf 1)
+normal=$(tput sgr0)
+
+basedir=$(dirname "$0")
+
+dev="/dev/sda1"
+tmp="/tmp/pi"
+usb="/tmp/usb"
+
+tput reset
+
+wait_for_usb_flash_drive () {
+  if [ ! -e $dev ]; then
+    printf "$bold%s$normal" "Insert USB flash drive and press enter"
+    read -r confirmation
+    wait_for_usb_flash_drive
+  fi
+}
+
+wait_for_usb_flash_drive
+
+sudo mkdir -p $usb
+
+if ! mount | grep $dev > /dev/null; then
+  sudo mount $dev $usb --options uid=pi,gid=pi
+fi
+
+printf "$bold%s$normal\n" "Please type current date (ISO 8601 format) and press enter"
+read -r current_date
+
+if [[ "$current_date" =~ ^\d{4}-\d{2}-\d{2}$ ]]; then
+  printf "$bold$red%s$normal\n" "Invalid date"
+  exit 1
+fi
+
+sudo timedatectl set-timezone America/Montreal
+sudo date --set="$current_date"
+
+gpg --import /home/pi/sunknudsen.asc
+
+update=$(ls -t $usb/pi-qr-update-*-*-*.zip | head -1  || echo "")
+
+if [ -z "$update" ]; then
+  printf "$bold$red%s$normal\n" "Update archive not found"
+  exit 1
+fi
+
+update_sig=$(ls -t $update.sig | head -1 || echo "")
+
+if [ -z "$update_sig" ]; then
+  printf "$bold$red%s$normal\n" "Update signature not found"
+  exit 1
+fi
+
+printf "%s\n" "Verifying integrity of update…"
+
+gpg --verify $update_sig
+
+printf "%s\n" "Decompressing update…"
+
+unzip -d $tmp -o $update
+
+update_dir=$tmp/$(basename $update .zip)
+
+sudo mount -o rw,remount /
+sudo mount -o rw,remount /boot
+
+printf "%s\n" "Updating…"
+
+cd $update_dir
+
+./run.sh
+
+printf "%s\n" "Done"
+
+coutdown() {
+  tput rc
+  tput ed
+  second_s="seconds"
+  if [ "$1" = "1" ]; then
+    second_s="second"
+  fi
+  printf "$bold%s$normal" "Rebooting in $1 $second_s"
+}
+
+tput sc
+
+for ((index=10; index > 0; index--))
+do
+  coutdown $index
+  sleep 1
+done
+
+sudo systemctl reboot
--- a/how-to-create-encrypted-paper-backup/update.sh.sig
+++ b/how-to-create-encrypted-paper-backup/update.sh.sig
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmC8zeQACgkQH6dnhiu9
+EwURXA//Yb7dCnTa4lkoi5MlJnmfoIxtpd8GhLr0CxQZc4ocQt3aO8rUiQ62gwcS
+ocjKlb0v/4XVyP/KZxHmaoMjJJr5bNEBeJTJjMaN+0/QY8eQ+3eYjcr5QGsrVQCq
+FzpKYMd2zyHFRshsvHlwPlkTK/hA++cyNYcMGZJDX7RMvl3Z8+XkECgjs2Z0QDhq
+h8hg1/wvJoVeLxC8qmFnM1c0tBIa7xpfJYZmsPIgVHK0o4EykLInGqrNpsYcIgQv
+869WWBrnQylpnIcA25QkfTOS2CXJxaMA7CcG79Ooh6I8Rwgl9PbzogLY2o2Z1W96
+r+0E5DdKqGgD500hoYCRRUftCc/aHZKqD60aktWhXUivLvD0QU5CvRT/1RcHvghB
+9SKh202jY45ixgyQqWYuIfIn2s/51tCFBu4D5Qf8t1WiKmYDZF261tDx4KlnGTG
+WVqwS0YzZPBL1fmzW/3O9OaC/xlO+4u6WHFXnleOdAddyXiW1e+Ev0/xOzcQdT1o
+n4n5Qh1gJZcJHVM5X8qVTDmUGTVVTP0hqfGv15pYkTTVYnoInuOE2riXmaVjPumV
+1Yo2YoC5oQ68BsWKCPy81fequMoxD0dkiBkloY9j2u/i9QyLucejOKWgWGcUNF5V
+VGAgs244VuUdKD1IMcQrEEvakyd+snY2cb+jQiOAqoeh+PLyte4=
+=7s6E
+-----END PGP SIGNATURE-----