install-ca.sh - Opengist

修订 9c36c629092120a527a2a1fee30232fd61756598

install-ca.sh · 4.5 KiB · Bash 原始文件

#!/usr/bin/env bash set -euo pipefail CA_URL="${CA_URL:-https://10.10.40.53}" CA_FINGERPRINT="${CA_FINGERPRINT:-5fc8c379cab1119c1a9ac7038225f6bcf3a2ffb0e71b257af796b2bd6c71d594}" STEP_VERSION="${STEP_VERSION:-0.28.7}" FORCE="${FORCE:-0}" usage() { cat <<EOF Usage: $0 [--force] Optional environment overrides: CA_URL CA_FINGERPRINT STEP_VERSION FORCE=1 EOF } log() { printf '\n[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" } fail() { echo "ERROR: $*" >&2 exit 1 } need_cmd() { command -v "$1" >/dev/null 2>&1 } download_file() { local url="$1" local out="$2" if need_cmd curl; then curl -fsSL "$url" -o "$out" elif need_cmd wget; then wget -qO "$out" "$url" else fail "Neither curl nor wget is installed" fi } detect_os() { case "$(uname -s)" in Linux*) echo "linux" ;; Darwin*) echo "darwin" ;; MINGW*|MSYS*|CYGWIN*) echo "windows_bash" ;; *) echo "unknown" ;; esac } detect_arch() { case "$(uname -m)" in x86_64|amd64) echo "amd64" ;; aarch64|arm64) echo "arm64" ;; armv7l) echo "armv7" ;; *) uname -m ;; esac } install_step_linux() { local arch="$1" local tmpdir pkg_name url tmpdir="$(mktemp -d)" trap 'rm -rf "$tmpdir"' RETURN if need_cmd apk; then case "$arch" in amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.apk" ;; arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.apk" ;; *) fail "Unsupported Alpine architecture: $arch" ;; esac url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}" download_file "$url" "$tmpdir/$pkg_name" sudo apk add --allow-untrusted "$tmpdir/$pkg_name" return fi if need_cmd dpkg; then case "$arch" in amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.deb" ;; arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.deb" ;; *) fail "Unsupported Debian/Ubuntu architecture: $arch" ;; esac url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}" download_file "$url" "$tmpdir/$pkg_name" sudo dpkg -i "$tmpdir/$pkg_name" || { sudo apt-get update sudo apt-get install -f -y } return fi fail "Unsupported Linux distribution. Supported: Debian/Ubuntu and Alpine" } install_step_darwin() { if need_cmd brew; then brew install step else fail "Homebrew is required on macOS to install step automatically" fi } ensure_step() { if need_cmd step; then log "step CLI already installed" return fi local os arch os="$(detect_os)" arch="$(detect_arch)" log "Installing step CLI for $os/$arch" case "$os" in linux) install_step_linux "$arch" ;; darwin) install_step_darwin ;; windows_bash) fail "Use the PowerShell installer on native Windows" ;; *) fail "Unsupported OS: $os" ;; esac need_cmd step || fail "step CLI installation failed" } bootstrap_step() { if [ "$FORCE" = "1" ]; then rm -rf "$HOME/.step" fi log "Bootstrapping against $CA_URL" step ca bootstrap \ --ca-url "$CA_URL" \ --fingerprint "$CA_FINGERPRINT" \ --install \ --force } install_linux_trust() { local root_cert="$HOME/.step/certs/root_ca.crt" [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert" if need_cmd update-ca-certificates; then sudo mkdir -p /usr/local/share/ca-certificates sudo cp "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt sudo update-ca-certificates return fi if need_cmd trust; then sudo trust anchor "$root_cert" return fi fail "Could not determine how to install the CA into this Linux trust store" } install_macos_trust() { local root_cert="$HOME/.step/certs/root_ca.crt" [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert" sudo security add-trusted-cert \ -d \ -r trustRoot \ -k /Library/Keychains/System.keychain \ "$root_cert" } install_trust_store() { case "$(detect_os)" in linux) install_linux_trust ;; darwin) install_macos_trust ;; *) fail "Unsupported OS for trust-store installation" ;; esac } verify_install() { local root_cert="$HOME/.step/certs/root_ca.crt" log "Installed root CA:" step certificate inspect "$root_cert" --short || true echo echo "Done." } parse_args() { while [ $# -gt 0 ]; do case "$1" in --force) FORCE=1 shift ;; -h|--help) usage exit 0 ;; *) fail "Unknown argument: $1" ;; esac done } main() { parse_args "$@" ensure_step bootstrap_step install_trust_store verify_install } main "$@"

1	#!/usr/bin/env bash
2	set -euo pipefail
3
4	CA_URL="${CA_URL:-https://10.10.40.53}"
5	CA_FINGERPRINT="${CA_FINGERPRINT:-5fc8c379cab1119c1a9ac7038225f6bcf3a2ffb0e71b257af796b2bd6c71d594}"
6	STEP_VERSION="${STEP_VERSION:-0.28.7}"
7	FORCE="${FORCE:-0}"
8
9	usage() {
10	cat <<EOF
11	Usage:
12	$0 [--force]
13
14	Optional environment overrides:
15	CA_URL
16	CA_FINGERPRINT
17	STEP_VERSION
18	FORCE=1
19	EOF
20	}
21
22	log() {
23	printf '\n[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
24	}
25
26	fail() {
27	echo "ERROR: $*" >&2
28	exit 1
29	}
30
31	need_cmd() {
32	command -v "$1" >/dev/null 2>&1
33	}
34
35	download_file() {
36	local url="$1"
37	local out="$2"
38
39	if need_cmd curl; then
40	curl -fsSL "$url" -o "$out"
41	elif need_cmd wget; then
42	wget -qO "$out" "$url"
43	else
44	fail "Neither curl nor wget is installed"
45	fi
46	}
47
48	detect_os() {
49	case "$(uname -s)" in
50	Linux*) echo "linux" ;;
51	Darwin*) echo "darwin" ;;
52	MINGW\|MSYS\|CYGWIN*) echo "windows_bash" ;;
53	*) echo "unknown" ;;
54	esac
55	}
56
57	detect_arch() {
58	case "$(uname -m)" in
59	x86_64\|amd64) echo "amd64" ;;
60	aarch64\|arm64) echo "arm64" ;;
61	armv7l) echo "armv7" ;;
62	*) uname -m ;;
63	esac
64	}
65
66	install_step_linux() {
67	local arch="$1"
68	local tmpdir pkg_name url
69
70	tmpdir="$(mktemp -d)"
71	trap 'rm -rf "$tmpdir"' RETURN
72
73	if need_cmd apk; then
74	case "$arch" in
75	amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.apk" ;;
76	arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.apk" ;;
77	*) fail "Unsupported Alpine architecture: $arch" ;;
78	esac
79
80	url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}"
81	download_file "$url" "$tmpdir/$pkg_name"
82	sudo apk add --allow-untrusted "$tmpdir/$pkg_name"
83	return
84	fi
85
86	if need_cmd dpkg; then
87	case "$arch" in
88	amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.deb" ;;
89	arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.deb" ;;
90	*) fail "Unsupported Debian/Ubuntu architecture: $arch" ;;
91	esac
92
93	url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}"
94	download_file "$url" "$tmpdir/$pkg_name"
95	sudo dpkg -i "$tmpdir/$pkg_name" \|\| {
96	sudo apt-get update
97	sudo apt-get install -f -y
98	}
99	return
100	fi
101
102	fail "Unsupported Linux distribution. Supported: Debian/Ubuntu and Alpine"
103	}
104
105	install_step_darwin() {
106	if need_cmd brew; then
107	brew install step
108	else
109	fail "Homebrew is required on macOS to install step automatically"
110	fi
111	}
112
113	ensure_step() {
114	if need_cmd step; then
115	log "step CLI already installed"
116	return
117	fi
118
119	local os arch
120	os="$(detect_os)"
121	arch="$(detect_arch)"
122
123	log "Installing step CLI for $os/$arch"
124
125	case "$os" in
126	linux) install_step_linux "$arch" ;;
127	darwin) install_step_darwin ;;
128	windows_bash) fail "Use the PowerShell installer on native Windows" ;;
129	*) fail "Unsupported OS: $os" ;;
130	esac
131
132	need_cmd step \|\| fail "step CLI installation failed"
133	}
134
135	bootstrap_step() {
136	if [ "$FORCE" = "1" ]; then
137	rm -rf "$HOME/.step"
138	fi
139
140	log "Bootstrapping against $CA_URL"
141	step ca bootstrap \
142	--ca-url "$CA_URL" \
143	--fingerprint "$CA_FINGERPRINT" \
144	--install \
145	--force
146	}
147
148	install_linux_trust() {
149	local root_cert="$HOME/.step/certs/root_ca.crt"
150	[ -f "$root_cert" ] \|\| fail "Root certificate not found at $root_cert"
151
152	if need_cmd update-ca-certificates; then
153	sudo mkdir -p /usr/local/share/ca-certificates
154	sudo cp "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt
155	sudo update-ca-certificates
156	return
157	fi
158
159	if need_cmd trust; then
160	sudo trust anchor "$root_cert"
161	return
162	fi
163
164	fail "Could not determine how to install the CA into this Linux trust store"
165	}
166
167	install_macos_trust() {
168	local root_cert="$HOME/.step/certs/root_ca.crt"
169	[ -f "$root_cert" ] \|\| fail "Root certificate not found at $root_cert"
170
171	sudo security add-trusted-cert \
172	-d \
173	-r trustRoot \
174	-k /Library/Keychains/System.keychain \
175	"$root_cert"
176	}
177
178	install_trust_store() {
179	case "$(detect_os)" in
180	linux) install_linux_trust ;;
181	darwin) install_macos_trust ;;
182	*) fail "Unsupported OS for trust-store installation" ;;
183	esac
184	}
185
186	verify_install() {
187	local root_cert="$HOME/.step/certs/root_ca.crt"
188	log "Installed root CA:"
189	step certificate inspect "$root_cert" --short \|\| true
190	echo
191	echo "Done."
192	}
193
194	parse_args() {
195	while [ $# -gt 0 ]; do
196	case "$1" in
197	--force)
198	FORCE=1
199	shift
200	;;
201	-h\|--help)
202	usage
203	exit 0
204	;;
205	*)
206	fail "Unknown argument: $1"
207	;;
208	esac
209	done
210	}
211
212	main() {
213	parse_args "$@"
214	ensure_step
215	bootstrap_step
216	install_trust_store
217	verify_install
218	}
219
220	main "$@"