J'aime 0
Fork 0

Dernière activité 5 hours ago

theInscriber a révisé ce gist 5 hours ago. Aller à la révision

1 file changed, 107 insertions, 152 deletions

install-ca.sh

@@ -1,178 +1,133 @@
1 - #!/usr/bin/env bash
2 - set -euo pipefail
3 -
4 - CA_URL="${CA_URL:-https://10.10.40.53}"
5 - CA_FINGERPRINT="${CA_FINGERPRINT:-5fc8c379cab1119c1a9ac7038225f6bcf3a2ffb0e71b257af796b2bd6c71d594}"
6 - FORCE="${FORCE:-0}"
7 -
8 - log() {
9 - printf '\n[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
1 + param(
2 + [string]$CaUrl = "https://10.10.40.53",
3 + [string]$Fingerprint = "5fc8c379cab1119c1a9ac7038225f6bcf3a2ffb0e71b257af796b2bd6c71d594",
4 + [switch]$Force
5 + )
6 +
7 + $ErrorActionPreference = "Stop"
8 +
9 + function Write-Log {
10 + param([string]$Message)
11 + Write-Host ""
12 + Write-Host "[$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')] $Message"
10 13 }
11 14
12 - fail() {
13 - echo "ERROR: $*" >&2
14 - exit 1
15 + function Fail {
16 + param([string]$Message)
17 + throw $Message
15 18 }
16 19
17 - need_cmd() {
18 - command -v "$1" >/dev/null 2>&1
20 + function Test-IsAdmin {
21 + $currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
22 + $principal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
23 + return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
19 24 }
20 25
21 - is_root() {
22 - [ "$(id -u)" -eq 0 ]
26 + function Require-Command {
27 + param([string]$Name)
28 + if (-not (Get-Command $Name -ErrorAction SilentlyContinue)) {
29 + Fail "Required command not found: $Name"
30 + }
23 31 }
24 32
25 - as_root() {
26 - if is_root; then
27 - "$@"
28 - else
29 - sudo "$@"
30 - fi
33 + function Refresh-Path {
34 + $machinePath = [System.Environment]::GetEnvironmentVariable("Path", "Machine")
35 + $userPath = [System.Environment]::GetEnvironmentVariable("Path", "User")
36 + $env:Path = "$machinePath;$userPath"
31 37 }
32 38
33 - detect_os() {
34 - case "$(uname -s)" in
35 - Linux*) echo "linux" ;;
36 - Darwin*) echo "darwin" ;;
37 - MINGW*|MSYS*|CYGWIN*) echo "windows_bash" ;;
38 - *) echo "unknown" ;;
39 - esac
40 - }
39 + function Ensure-Step {
40 + if (Get-Command step -ErrorAction SilentlyContinue) {
41 + Write-Log "step CLI already installed"
42 + return
43 + }
41 44
42 - install_step() {
43 - if need_cmd step; then
44 - log "step CLI already installed"
45 - return
46 - fi
47 -
48 - case "$(detect_os)" in
49 - darwin)
50 - need_cmd brew || fail "Homebrew not found"
51 - log "Installing step with Homebrew"
52 - brew install step
53 - ;;
54 -
55 - linux)
56 - if need_cmd apt-get; then
57 - log "Installing step-cli with apt"
58 - as_root apt-get update
59 - as_root apt-get install -y --no-install-recommends curl gpg ca-certificates
60 - as_root mkdir -p /etc/apt/keyrings
61 - curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg | \
62 - as_root tee /etc/apt/keyrings/smallstep.asc >/dev/null
63 -
64 - tmpfile="$(mktemp)"
65 - cat > "$tmpfile" <<'EOF'
66 - Types: deb
67 - URIs: https://packages.smallstep.com/stable/debian
68 - Suites: debs
69 - Components: main
70 - Signed-By: /etc/apt/keyrings/smallstep.asc
71 - EOF
72 - as_root cp "$tmpfile" /etc/apt/sources.list.d/smallstep.sources
73 - rm -f "$tmpfile"
74 -
75 - as_root apt-get update
76 - as_root apt-get install -y step-cli
77 -
78 - elif need_cmd apk; then
79 - log "Installing step-cli with apk"
80 - as_root apk add --no-cache step-cli
81 -
82 - elif need_cmd dnf; then
83 - log "Installing step-cli with dnf"
84 - tmpfile="$(mktemp)"
85 - cat > "$tmpfile" <<'EOF'
86 - [smallstep]
87 - name=Smallstep
88 - baseurl=https://packages.smallstep.com/stable/fedora/
89 - enabled=1
90 - repo_gpgcheck=0
91 - gpgcheck=1
92 - gpgkey=https://packages.smallstep.com/keys/smallstep-0x889B19391F774443.gpg
93 - EOF
94 - as_root cp "$tmpfile" /etc/yum.repos.d/smallstep.repo
95 - rm -f "$tmpfile"
96 -
97 - as_root dnf makecache
98 - as_root dnf install -y step-cli
99 -
100 - elif need_cmd pacman; then
101 - log "Installing step-cli with pacman"
102 - as_root pacman -Sy --noconfirm step-cli
103 - if [ ! -e /usr/local/bin/step ] && [ -x /usr/bin/step-cli ]; then
104 - as_root ln -s /usr/bin/step-cli /usr/local/bin/step
105 - fi
106 -
107 - else
108 - fail "No supported package manager found"
109 - fi
110 - ;;
111 -
112 - *)
113 - fail "Unsupported OS"
114 - ;;
115 - esac
116 -
117 - need_cmd step || fail "step CLI installation failed"
118 - }
45 + Require-Command winget
119 46
120 - bootstrap_step() {
121 - if [ "$FORCE" = "1" ]; then
122 - rm -rf "$HOME/.step"
123 - fi
124 -
125 - log "Bootstrapping against $CA_URL"
126 - step ca bootstrap \
127 - --ca-url "$CA_URL" \
128 - --fingerprint "$CA_FINGERPRINT" \
129 - --install \
130 - --force
47 + Write-Log "Installing step CLI with winget"
48 + # Machine-wide install when admin, user install otherwise.
49 + if (Test-IsAdmin) {
50 + winget install --exact --id Smallstep.step --accept-package-agreements --accept-source-agreements --scope machine
51 + } else {
52 + winget install --exact --id Smallstep.step --accept-package-agreements --accept-source-agreements --scope user
53 + }
54 +
55 + Refresh-Path
56 +
57 + if (-not (Get-Command step -ErrorAction SilentlyContinue)) {
58 + Fail "step CLI installation failed or is not yet on PATH"
59 + }
131 60 }
132 61
133 - install_linux_trust() {
134 - local root_cert="$HOME/.step/certs/root_ca.crt"
135 - [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert"
62 + function Reset-StepConfig {
63 + $stepDir = Join-Path $HOME ".step"
64 + if (Test-Path $stepDir) {
65 + Write-Log "Removing previous step configuration"
66 + Remove-Item -Recurse -Force $stepDir
67 + }
68 + }
136 69
137 - if need_cmd update-ca-certificates; then
138 - as_root mkdir -p /usr/local/share/ca-certificates
139 - as_root cp "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt
140 - as_root update-ca-certificates
141 - return
142 - fi
70 + function Bootstrap-Step {
71 + if ($Force) {
72 + Reset-StepConfig
73 + }
143 74
144 - if need_cmd trust; then
145 - as_root trust anchor "$root_cert"
146 - return
147 - fi
75 + Write-Log "Bootstrapping against $CaUrl"
76 + & step ca bootstrap --ca-url $CaUrl --fingerprint $Fingerprint --install --force
77 + if ($LASTEXITCODE -ne 0) {
78 + Fail "step bootstrap failed"
79 + }
80 + }
148 81
149 - fail "Could not determine Linux trust-store tool"
82 + function Get-RootCertPath {
83 + $rootCert = Join-Path $HOME ".step\certs\root_ca.crt"
84 + if (-not (Test-Path $rootCert)) {
85 + Fail "Root certificate not found at $rootCert"
86 + }
87 + return $rootCert
150 88 }
151 89
152 - install_macos_trust() {
153 - local root_cert="$HOME/.step/certs/root_ca.crt"
154 - [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert"
90 + function Install-TrustStore {
91 + $rootCert = Get-RootCertPath
155 92
156 - as_root security add-trusted-cert \
157 - -d \
158 - -r trustRoot \
159 - -k /Library/Keychains/System.keychain \
160 - "$root_cert"
93 + if (Test-IsAdmin) {
94 + Write-Log "Installing root CA into LocalMachine Root store"
95 + Import-Certificate -FilePath $rootCert -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
96 + } else {
97 + Write-Log "Not running as Administrator; installing root CA into CurrentUser Root store"
98 + Import-Certificate -FilePath $rootCert -CertStoreLocation "Cert:\CurrentUser\Root" | Out-Null
99 + }
161 100 }
162 101
163 - install_trust_store() {
164 - case "$(detect_os)" in
165 - linux) install_linux_trust ;;
166 - darwin) install_macos_trust ;;
167 - *) fail "Unsupported OS for trust-store installation" ;;
168 - esac
102 + function Verify-Install {
103 + $rootCert = Get-RootCertPath
104 +
105 + Write-Log "Installed root CA:"
106 + & step certificate inspect $rootCert --short
107 +
108 + if (Test-IsAdmin) {
109 + Write-Log "Verified using LocalMachine Root store"
110 + Get-ChildItem "Cert:\LocalMachine\Root" |
111 + Where-Object { $_.Thumbprint -eq (Get-PfxCertificate $rootCert).Thumbprint } |
112 + Select-Object Subject, Thumbprint |
113 + Format-Table -AutoSize
114 + } else {
115 + Write-Log "Verified using CurrentUser Root store"
116 + Get-ChildItem "Cert:\CurrentUser\Root" |
117 + Where-Object { $_.Thumbprint -eq (Get-PfxCertificate $rootCert).Thumbprint } |
118 + Select-Object Subject, Thumbprint |
119 + Format-Table -AutoSize
120 + }
121 +
122 + Write-Host ""
123 + Write-Host "Done."
169 124 }
170 125
171 - main() {
172 - install_step
173 - bootstrap_step
174 - install_trust_store
175 - log "Done"
126 + function Main {
127 + Ensure-Step
128 + Bootstrap-Step
129 + Install-TrustStore
130 + Verify-Install
176 131 }
177 132
178 - main "$@"
133 + Main

theInscriber a révisé ce gist 5 hours ago. Aller à la révision

1 file changed, 45 insertions, 18 deletions

install-ca.sh

@@ -18,6 +18,18 @@ need_cmd() {
18 18 command -v "$1" >/dev/null 2>&1
19 19 }
20 20
21 + is_root() {
22 + [ "$(id -u)" -eq 0 ]
23 + }
24 +
25 + as_root() {
26 + if is_root; then
27 + "$@"
28 + else
29 + sudo "$@"
30 + fi
31 + }
32 +
21 33 detect_os() {
22 34 case "$(uname -s)" in
23 35 Linux*) echo "linux" ;;
@@ -39,29 +51,38 @@ install_step() {
39 51 log "Installing step with Homebrew"
40 52 brew install step
41 53 ;;
54 +
42 55 linux)
43 56 if need_cmd apt-get; then
44 57 log "Installing step-cli with apt"
45 - sudo apt-get update
46 - sudo apt-get install -y --no-install-recommends curl gpg ca-certificates
47 - sudo mkdir -p /etc/apt/keyrings
58 + as_root apt-get update
59 + as_root apt-get install -y --no-install-recommends curl gpg ca-certificates
60 + as_root mkdir -p /etc/apt/keyrings
48 61 curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg | \
49 - sudo tee /etc/apt/keyrings/smallstep.asc >/dev/null
50 - cat <<'EOF' | sudo tee /etc/apt/sources.list.d/smallstep.sources >/dev/null
62 + as_root tee /etc/apt/keyrings/smallstep.asc >/dev/null
63 +
64 + tmpfile="$(mktemp)"
65 + cat > "$tmpfile" <<'EOF'
51 66 Types: deb
52 67 URIs: https://packages.smallstep.com/stable/debian
53 68 Suites: debs
54 69 Components: main
55 70 Signed-By: /etc/apt/keyrings/smallstep.asc
56 71 EOF
57 - sudo apt-get update
58 - sudo apt-get install -y step-cli
72 + as_root cp "$tmpfile" /etc/apt/sources.list.d/smallstep.sources
73 + rm -f "$tmpfile"
74 +
75 + as_root apt-get update
76 + as_root apt-get install -y step-cli
77 +
59 78 elif need_cmd apk; then
60 79 log "Installing step-cli with apk"
61 - sudo apk add --no-cache step-cli
80 + as_root apk add --no-cache step-cli
81 +
62 82 elif need_cmd dnf; then
63 83 log "Installing step-cli with dnf"
64 - cat <<'EOF' | sudo tee /etc/yum.repos.d/smallstep.repo >/dev/null
84 + tmpfile="$(mktemp)"
85 + cat > "$tmpfile" <<'EOF'
65 86 [smallstep]
66 87 name=Smallstep
67 88 baseurl=https://packages.smallstep.com/stable/fedora/
@@ -70,18 +91,24 @@ repo_gpgcheck=0
70 91 gpgcheck=1
71 92 gpgkey=https://packages.smallstep.com/keys/smallstep-0x889B19391F774443.gpg
72 93 EOF
73 - sudo dnf makecache
74 - sudo dnf install -y step-cli
94 + as_root cp "$tmpfile" /etc/yum.repos.d/smallstep.repo
95 + rm -f "$tmpfile"
96 +
97 + as_root dnf makecache
98 + as_root dnf install -y step-cli
99 +
75 100 elif need_cmd pacman; then
76 101 log "Installing step-cli with pacman"
77 - sudo pacman -Sy --noconfirm step-cli
102 + as_root pacman -Sy --noconfirm step-cli
78 103 if [ ! -e /usr/local/bin/step ] && [ -x /usr/bin/step-cli ]; then
79 - sudo ln -s /usr/bin/step-cli /usr/local/bin/step
104 + as_root ln -s /usr/bin/step-cli /usr/local/bin/step
80 105 fi
106 +
81 107 else
82 108 fail "No supported package manager found"
83 109 fi
84 110 ;;
111 +
85 112 *)
86 113 fail "Unsupported OS"
87 114 ;;
@@ -108,14 +135,14 @@ install_linux_trust() {
108 135 [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert"
109 136
110 137 if need_cmd update-ca-certificates; then
111 - sudo mkdir -p /usr/local/share/ca-certificates
112 - sudo cp "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt
113 - sudo update-ca-certificates
138 + as_root mkdir -p /usr/local/share/ca-certificates
139 + as_root cp "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt
140 + as_root update-ca-certificates
114 141 return
115 142 fi
116 143
117 144 if need_cmd trust; then
118 - sudo trust anchor "$root_cert"
145 + as_root trust anchor "$root_cert"
119 146 return
120 147 fi
121 148
@@ -126,7 +153,7 @@ install_macos_trust() {
126 153 local root_cert="$HOME/.step/certs/root_ca.crt"
127 154 [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert"
128 155
129 - sudo security add-trusted-cert \
156 + as_root security add-trusted-cert \
130 157 -d \
131 158 -r trustRoot \
132 159 -k /Library/Keychains/System.keychain \

theInscriber a révisé ce gist 5 hours ago. Aller à la révision

1 file changed, 56 insertions, 125 deletions

install-ca.sh

@@ -3,22 +3,8 @@ set -euo pipefail
3 3
4 4 CA_URL="${CA_URL:-https://10.10.40.53}"
5 5 CA_FINGERPRINT="${CA_FINGERPRINT:-5fc8c379cab1119c1a9ac7038225f6bcf3a2ffb0e71b257af796b2bd6c71d594}"
6 - STEP_VERSION="${STEP_VERSION:-0.28.7}"
7 6 FORCE="${FORCE:-0}"
8 7
9 - usage() {
10 - cat <<EOF
11 - Usage:
12 - $0 [--force]
13 -
14 - Optional environment overrides:
15 - CA_URL
16 - CA_FINGERPRINT
17 - STEP_VERSION
18 - FORCE=1
19 - EOF
20 - }
21 -
22 8 log() {
23 9 printf '\n[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
24 10 }
@@ -32,19 +18,6 @@ need_cmd() {
32 18 command -v "$1" >/dev/null 2>&1
33 19 }
34 20
35 - download_file() {
36 - local url="$1"
37 - local out="$2"
38 -
39 - if need_cmd curl; then
40 - curl -fsSL "$url" -o "$out"
41 - elif need_cmd wget; then
42 - wget -qO "$out" "$url"
43 - else
44 - fail "Neither curl nor wget is installed"
45 - fi
46 - }
47 -
48 21 detect_os() {
49 22 case "$(uname -s)" in
50 23 Linux*) echo "linux" ;;
@@ -54,79 +27,64 @@ detect_os() {
54 27 esac
55 28 }
56 29
57 - detect_arch() {
58 - case "$(uname -m)" in
59 - x86_64|amd64) echo "amd64" ;;
60 - aarch64|arm64) echo "arm64" ;;
61 - armv7l) echo "armv7" ;;
62 - *) uname -m ;;
63 - esac
64 - }
65 -
66 - install_step_linux() {
67 - local arch="$1"
68 - local tmpdir pkg_name url
69 -
70 - tmpdir="$(mktemp -d)"
71 - trap 'rm -rf "$tmpdir"' RETURN
72 -
73 - if need_cmd apk; then
74 - case "$arch" in
75 - amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.apk" ;;
76 - arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.apk" ;;
77 - *) fail "Unsupported Alpine architecture: $arch" ;;
78 - esac
79 -
80 - url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}"
81 - download_file "$url" "$tmpdir/$pkg_name"
82 - sudo apk add --allow-untrusted "$tmpdir/$pkg_name"
83 - return
84 - fi
85 -
86 - if need_cmd dpkg; then
87 - case "$arch" in
88 - amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.deb" ;;
89 - arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.deb" ;;
90 - *) fail "Unsupported Debian/Ubuntu architecture: $arch" ;;
91 - esac
92 -
93 - url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}"
94 - download_file "$url" "$tmpdir/$pkg_name"
95 - sudo dpkg -i "$tmpdir/$pkg_name" || {
96 - sudo apt-get update
97 - sudo apt-get install -f -y
98 - }
99 - return
100 - fi
101 -
102 - fail "Unsupported Linux distribution. Supported: Debian/Ubuntu and Alpine"
103 - }
104 -
105 - install_step_darwin() {
106 - if need_cmd brew; then
107 - brew install step
108 - else
109 - fail "Homebrew is required on macOS to install step automatically"
110 - fi
111 - }
112 -
113 - ensure_step() {
30 + install_step() {
114 31 if need_cmd step; then
115 32 log "step CLI already installed"
116 33 return
117 34 fi
118 35
119 - local os arch
120 - os="$(detect_os)"
121 - arch="$(detect_arch)"
122 -
123 - log "Installing step CLI for $os/$arch"
124 -
125 - case "$os" in
126 - linux) install_step_linux "$arch" ;;
127 - darwin) install_step_darwin ;;
128 - windows_bash) fail "Use the PowerShell installer on native Windows" ;;
129 - *) fail "Unsupported OS: $os" ;;
36 + case "$(detect_os)" in
37 + darwin)
38 + need_cmd brew || fail "Homebrew not found"
39 + log "Installing step with Homebrew"
40 + brew install step
41 + ;;
42 + linux)
43 + if need_cmd apt-get; then
44 + log "Installing step-cli with apt"
45 + sudo apt-get update
46 + sudo apt-get install -y --no-install-recommends curl gpg ca-certificates
47 + sudo mkdir -p /etc/apt/keyrings
48 + curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg | \
49 + sudo tee /etc/apt/keyrings/smallstep.asc >/dev/null
50 + cat <<'EOF' | sudo tee /etc/apt/sources.list.d/smallstep.sources >/dev/null
51 + Types: deb
52 + URIs: https://packages.smallstep.com/stable/debian
53 + Suites: debs
54 + Components: main
55 + Signed-By: /etc/apt/keyrings/smallstep.asc
56 + EOF
57 + sudo apt-get update
58 + sudo apt-get install -y step-cli
59 + elif need_cmd apk; then
60 + log "Installing step-cli with apk"
61 + sudo apk add --no-cache step-cli
62 + elif need_cmd dnf; then
63 + log "Installing step-cli with dnf"
64 + cat <<'EOF' | sudo tee /etc/yum.repos.d/smallstep.repo >/dev/null
65 + [smallstep]
66 + name=Smallstep
67 + baseurl=https://packages.smallstep.com/stable/fedora/
68 + enabled=1
69 + repo_gpgcheck=0
70 + gpgcheck=1
71 + gpgkey=https://packages.smallstep.com/keys/smallstep-0x889B19391F774443.gpg
72 + EOF
73 + sudo dnf makecache
74 + sudo dnf install -y step-cli
75 + elif need_cmd pacman; then
76 + log "Installing step-cli with pacman"
77 + sudo pacman -Sy --noconfirm step-cli
78 + if [ ! -e /usr/local/bin/step ] && [ -x /usr/bin/step-cli ]; then
79 + sudo ln -s /usr/bin/step-cli /usr/local/bin/step
80 + fi
81 + else
82 + fail "No supported package manager found"
83 + fi
84 + ;;
85 + *)
86 + fail "Unsupported OS"
87 + ;;
130 88 esac
131 89
132 90 need_cmd step || fail "step CLI installation failed"
@@ -161,7 +119,7 @@ install_linux_trust() {
161 119 return
162 120 fi
163 121
164 - fail "Could not determine how to install the CA into this Linux trust store"
122 + fail "Could not determine Linux trust-store tool"
165 123 }
166 124
167 125 install_macos_trust() {
@@ -183,38 +141,11 @@ install_trust_store() {
183 141 esac
184 142 }
185 143
186 - verify_install() {
187 - local root_cert="$HOME/.step/certs/root_ca.crt"
188 - log "Installed root CA:"
189 - step certificate inspect "$root_cert" --short || true
190 - echo
191 - echo "Done."
192 - }
193 -
194 - parse_args() {
195 - while [ $# -gt 0 ]; do
196 - case "$1" in
197 - --force)
198 - FORCE=1
199 - shift
200 - ;;
201 - -h|--help)
202 - usage
203 - exit 0
204 - ;;
205 - *)
206 - fail "Unknown argument: $1"
207 - ;;
208 - esac
209 - done
210 - }
211 -
212 144 main() {
213 - parse_args "$@"
214 - ensure_step
145 + install_step
215 146 bootstrap_step
216 147 install_trust_store
217 - verify_install
148 + log "Done"
218 149 }
219 150
220 151 main "$@"

theInscriber a révisé ce gist 5 hours ago. Aller à la révision

Aucun changement

theInscriber a révisé ce gist 5 hours ago. Aller à la révision

1 file changed, 30 insertions, 99 deletions

install-ca.sh

@@ -1,37 +1,21 @@
1 1 #!/usr/bin/env bash
2 2 set -euo pipefail
3 3
4 - # ==========================================
5 - # Root CA bootstrap + install script
6 - # For Linux/macOS/WSL/Git Bash
7 - # ==========================================
8 -
9 - # Defaults can be overridden with env vars or CLI args
10 - CA_URL="${CA_URL:-https://ca.insmw.internal}"
11 - CA_FINGERPRINT="${CA_FINGERPRINT:-}"
4 + CA_URL="${CA_URL:-https://10.10.40.53}"
5 + CA_FINGERPRINT="${CA_FINGERPRINT:-5fc8c379cab1119c1a9ac7038225f6bcf3a2ffb0e71b257af796b2bd6c71d594}"
12 6 STEP_VERSION="${STEP_VERSION:-0.28.7}"
13 - STEP_BIN_DIR="${STEP_BIN_DIR:-/usr/local/bin}"
14 - STEP_CONFIG_DIR="${STEP_CONFIG_DIR:-$HOME/.step}"
15 7 FORCE="${FORCE:-0}"
16 8
17 9 usage() {
18 10 cat <<EOF
19 11 Usage:
20 - $0 --ca-url <url> --fingerprint <fingerprint> [--force]
12 + $0 [--force]
21 13
22 - Examples:
23 - curl -fsSL https://your-opengist/raw/install-ca.sh | bash -s -- \\
24 - --ca-url https://ca.insmw.internal \\
25 - --fingerprint abcdef1234567890...
26 -
27 - Environment variables:
14 + Optional environment overrides:
28 15 CA_URL
29 16 CA_FINGERPRINT
30 17 STEP_VERSION
31 - STEP_BIN_DIR
32 - STEP_CONFIG_DIR
33 18 FORCE=1
34 -
35 19 EOF
36 20 }
37 21
@@ -62,10 +46,7 @@ download_file() {
62 46 }
63 47
64 48 detect_os() {
65 - local uname_s
66 - uname_s="$(uname -s 2>/dev/null || true)"
67 -
68 - case "$uname_s" in
49 + case "$(uname -s)" in
69 50 Linux*) echo "linux" ;;
70 51 Darwin*) echo "darwin" ;;
71 52 MINGW*|MSYS*|CYGWIN*) echo "windows_bash" ;;
@@ -74,104 +55,89 @@ detect_os() {
74 55 }
75 56
76 57 detect_arch() {
77 - local uname_m
78 - uname_m="$(uname -m 2>/dev/null || true)"
79 -
80 - case "$uname_m" in
58 + case "$(uname -m)" in
81 59 x86_64|amd64) echo "amd64" ;;
82 60 aarch64|arm64) echo "arm64" ;;
83 61 armv7l) echo "armv7" ;;
84 - *) echo "$uname_m" ;;
62 + *) uname -m ;;
85 63 esac
86 64 }
87 65
88 66 install_step_linux() {
89 67 local arch="$1"
90 - local tmpdir pkg_ext pkg_name url
68 + local tmpdir pkg_name url
91 69
92 70 tmpdir="$(mktemp -d)"
93 71 trap 'rm -rf "$tmpdir"' RETURN
94 72
95 73 if need_cmd apk; then
96 - pkg_ext="apk"
97 74 case "$arch" in
98 75 amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.apk" ;;
99 76 arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.apk" ;;
100 - *) fail "Unsupported architecture for Alpine: $arch" ;;
77 + *) fail "Unsupported Alpine architecture: $arch" ;;
101 78 esac
102 79
103 80 url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}"
104 - log "Downloading step-cli from $url"
105 81 download_file "$url" "$tmpdir/$pkg_name"
106 82 sudo apk add --allow-untrusted "$tmpdir/$pkg_name"
107 83 return
108 84 fi
109 85
110 86 if need_cmd dpkg; then
111 - pkg_ext="deb"
112 87 case "$arch" in
113 88 amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.deb" ;;
114 89 arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.deb" ;;
115 - *) fail "Unsupported architecture for Debian/Ubuntu: $arch" ;;
90 + *) fail "Unsupported Debian/Ubuntu architecture: $arch" ;;
116 91 esac
117 92
118 93 url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}"
119 - log "Downloading step-cli from $url"
120 94 download_file "$url" "$tmpdir/$pkg_name"
121 - sudo dpkg -i "$tmpdir/$pkg_name" || sudo apt-get update && sudo apt-get install -f -y
95 + sudo dpkg -i "$tmpdir/$pkg_name" || {
96 + sudo apt-get update
97 + sudo apt-get install -f -y
98 + }
122 99 return
123 100 fi
124 101
125 - fail "Unsupported Linux distribution. Supported: Debian/Ubuntu, Alpine"
102 + fail "Unsupported Linux distribution. Supported: Debian/Ubuntu and Alpine"
126 103 }
127 104
128 105 install_step_darwin() {
129 106 if need_cmd brew; then
130 - log "Installing step via Homebrew"
131 107 brew install step
132 - return
108 + else
109 + fail "Homebrew is required on macOS to install step automatically"
133 110 fi
134 -
135 - fail "Homebrew is required on macOS to install step automatically"
136 111 }
137 112
138 113 ensure_step() {
139 - local os arch
140 114 if need_cmd step; then
141 115 log "step CLI already installed"
142 116 return
143 117 fi
144 118
119 + local os arch
145 120 os="$(detect_os)"
146 121 arch="$(detect_arch)"
147 122
148 - log "step CLI not found, installing for $os/$arch"
123 + log "Installing step CLI for $os/$arch"
149 124
150 125 case "$os" in
151 126 linux) install_step_linux "$arch" ;;
152 127 darwin) install_step_darwin ;;
153 - windows_bash)
154 - fail "For native Windows, use the PowerShell installer instead of the bash script"
155 - ;;
156 - *)
157 - fail "Unsupported OS: $os"
158 - ;;
128 + windows_bash) fail "Use the PowerShell installer on native Windows" ;;
129 + *) fail "Unsupported OS: $os" ;;
159 130 esac
160 131
161 132 need_cmd step || fail "step CLI installation failed"
162 133 }
163 134
164 135 bootstrap_step() {
165 - [ -n "$CA_FINGERPRINT" ] || fail "CA fingerprint is required"
166 -
167 136 if [ "$FORCE" = "1" ]; then
168 - log "Removing previous step configuration because FORCE=1"
169 - rm -rf "$STEP_CONFIG_DIR"
137 + rm -rf "$HOME/.step"
170 138 fi
171 139
172 - mkdir -p "$STEP_CONFIG_DIR"
173 -
174 - log "Bootstrapping step against $CA_URL"
140 + log "Bootstrapping against $CA_URL"
175 141 step ca bootstrap \
176 142 --ca-url "$CA_URL" \
177 143 --fingerprint "$CA_FINGERPRINT" \
@@ -180,13 +146,10 @@ bootstrap_step() {
180 146 }
181 147
182 148 install_linux_trust() {
183 - local root_cert
184 - root_cert="$STEP_CONFIG_DIR/certs/root_ca.crt"
185 -
149 + local root_cert="$HOME/.step/certs/root_ca.crt"
186 150 [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert"
187 151
188 152 if need_cmd update-ca-certificates; then
189 - log "Installing root CA into system trust store using update-ca-certificates"
190 153 sudo mkdir -p /usr/local/share/ca-certificates
191 154 sudo cp "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt
192 155 sudo update-ca-certificates
@@ -194,27 +157,17 @@ install_linux_trust() {
194 157 fi
195 158
196 159 if need_cmd trust; then
197 - log "Installing root CA into system trust store using p11-kit trust"
198 160 sudo trust anchor "$root_cert"
199 161 return
200 162 fi
201 163
202 - if [ -d /etc/ssl/certs ]; then
203 - log "Copying certificate to /etc/ssl/certs as fallback"
204 - sudo cp "$root_cert" /etc/ssl/certs/insmw-root-ca.crt
205 - return
206 - fi
207 -
208 - fail "Could not determine how to install the CA into the Linux trust store"
164 + fail "Could not determine how to install the CA into this Linux trust store"
209 165 }
210 166
211 167 install_macos_trust() {
212 - local root_cert
213 - root_cert="$STEP_CONFIG_DIR/certs/root_ca.crt"
214 -
168 + local root_cert="$HOME/.step/certs/root_ca.crt"
215 169 [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert"
216 170
217 - log "Installing root CA into macOS System keychain"
218 171 sudo security add-trusted-cert \
219 172 -d \
220 173 -r trustRoot \
@@ -223,42 +176,24 @@ install_macos_trust() {
223 176 }
224 177
225 178 install_trust_store() {
226 - local os
227 - os="$(detect_os)"
228 -
229 - case "$os" in
179 + case "$(detect_os)" in
230 180 linux) install_linux_trust ;;
231 181 darwin) install_macos_trust ;;
232 - *)
233 - fail "Unsupported OS for trust installation: $os"
234 - ;;
182 + *) fail "Unsupported OS for trust-store installation" ;;
235 183 esac
236 184 }
237 185
238 186 verify_install() {
239 - local root_cert
240 - root_cert="$STEP_CONFIG_DIR/certs/root_ca.crt"
241 -
242 - log "Installed root CA at: $root_cert"
243 - log "Certificate subject:"
187 + local root_cert="$HOME/.step/certs/root_ca.crt"
188 + log "Installed root CA:"
244 189 step certificate inspect "$root_cert" --short || true
245 -
246 190 echo
247 191 echo "Done."
248 - echo "You may need to restart applications that cache trust settings, such as browsers or Docker."
249 192 }
250 193
251 194 parse_args() {
252 195 while [ $# -gt 0 ]; do
253 196 case "$1" in
254 - --ca-url)
255 - CA_URL="$2"
256 - shift 2
257 - ;;
258 - --fingerprint)
259 - CA_FINGERPRINT="$2"
260 - shift 2
261 - ;;
262 197 --force)
263 198 FORCE=1
264 199 shift
@@ -276,10 +211,6 @@ parse_args() {
276 211
277 212 main() {
278 213 parse_args "$@"
279 -
280 - [ -n "$CA_URL" ] || fail "CA URL is required"
281 - [ -n "$CA_FINGERPRINT" ] || fail "CA fingerprint is required"
282 -
283 214 ensure_step
284 215 bootstrap_step
285 216 install_trust_store

theInscriber a révisé ce gist 6 hours ago. Aller à la révision

1 file changed, 289 insertions

install-ca.sh(fichier créé)

@@ -0,0 +1,289 @@
1 + #!/usr/bin/env bash
2 + set -euo pipefail
3 +
4 + # ==========================================
5 + # Root CA bootstrap + install script
6 + # For Linux/macOS/WSL/Git Bash
7 + # ==========================================
8 +
9 + # Defaults can be overridden with env vars or CLI args
10 + CA_URL="${CA_URL:-https://ca.insmw.internal}"
11 + CA_FINGERPRINT="${CA_FINGERPRINT:-}"
12 + STEP_VERSION="${STEP_VERSION:-0.28.7}"
13 + STEP_BIN_DIR="${STEP_BIN_DIR:-/usr/local/bin}"
14 + STEP_CONFIG_DIR="${STEP_CONFIG_DIR:-$HOME/.step}"
15 + FORCE="${FORCE:-0}"
16 +
17 + usage() {
18 + cat <<EOF
19 + Usage:
20 + $0 --ca-url <url> --fingerprint <fingerprint> [--force]
21 +
22 + Examples:
23 + curl -fsSL https://your-opengist/raw/install-ca.sh | bash -s -- \\
24 + --ca-url https://ca.insmw.internal \\
25 + --fingerprint abcdef1234567890...
26 +
27 + Environment variables:
28 + CA_URL
29 + CA_FINGERPRINT
30 + STEP_VERSION
31 + STEP_BIN_DIR
32 + STEP_CONFIG_DIR
33 + FORCE=1
34 +
35 + EOF
36 + }
37 +
38 + log() {
39 + printf '\n[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
40 + }
41 +
42 + fail() {
43 + echo "ERROR: $*" >&2
44 + exit 1
45 + }
46 +
47 + need_cmd() {
48 + command -v "$1" >/dev/null 2>&1
49 + }
50 +
51 + download_file() {
52 + local url="$1"
53 + local out="$2"
54 +
55 + if need_cmd curl; then
56 + curl -fsSL "$url" -o "$out"
57 + elif need_cmd wget; then
58 + wget -qO "$out" "$url"
59 + else
60 + fail "Neither curl nor wget is installed"
61 + fi
62 + }
63 +
64 + detect_os() {
65 + local uname_s
66 + uname_s="$(uname -s 2>/dev/null || true)"
67 +
68 + case "$uname_s" in
69 + Linux*) echo "linux" ;;
70 + Darwin*) echo "darwin" ;;
71 + MINGW*|MSYS*|CYGWIN*) echo "windows_bash" ;;
72 + *) echo "unknown" ;;
73 + esac
74 + }
75 +
76 + detect_arch() {
77 + local uname_m
78 + uname_m="$(uname -m 2>/dev/null || true)"
79 +
80 + case "$uname_m" in
81 + x86_64|amd64) echo "amd64" ;;
82 + aarch64|arm64) echo "arm64" ;;
83 + armv7l) echo "armv7" ;;
84 + *) echo "$uname_m" ;;
85 + esac
86 + }
87 +
88 + install_step_linux() {
89 + local arch="$1"
90 + local tmpdir pkg_ext pkg_name url
91 +
92 + tmpdir="$(mktemp -d)"
93 + trap 'rm -rf "$tmpdir"' RETURN
94 +
95 + if need_cmd apk; then
96 + pkg_ext="apk"
97 + case "$arch" in
98 + amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.apk" ;;
99 + arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.apk" ;;
100 + *) fail "Unsupported architecture for Alpine: $arch" ;;
101 + esac
102 +
103 + url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}"
104 + log "Downloading step-cli from $url"
105 + download_file "$url" "$tmpdir/$pkg_name"
106 + sudo apk add --allow-untrusted "$tmpdir/$pkg_name"
107 + return
108 + fi
109 +
110 + if need_cmd dpkg; then
111 + pkg_ext="deb"
112 + case "$arch" in
113 + amd64) pkg_name="step-cli_${STEP_VERSION}_amd64.deb" ;;
114 + arm64) pkg_name="step-cli_${STEP_VERSION}_arm64.deb" ;;
115 + *) fail "Unsupported architecture for Debian/Ubuntu: $arch" ;;
116 + esac
117 +
118 + url="https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/${pkg_name}"
119 + log "Downloading step-cli from $url"
120 + download_file "$url" "$tmpdir/$pkg_name"
121 + sudo dpkg -i "$tmpdir/$pkg_name" || sudo apt-get update && sudo apt-get install -f -y
122 + return
123 + fi
124 +
125 + fail "Unsupported Linux distribution. Supported: Debian/Ubuntu, Alpine"
126 + }
127 +
128 + install_step_darwin() {
129 + if need_cmd brew; then
130 + log "Installing step via Homebrew"
131 + brew install step
132 + return
133 + fi
134 +
135 + fail "Homebrew is required on macOS to install step automatically"
136 + }
137 +
138 + ensure_step() {
139 + local os arch
140 + if need_cmd step; then
141 + log "step CLI already installed"
142 + return
143 + fi
144 +
145 + os="$(detect_os)"
146 + arch="$(detect_arch)"
147 +
148 + log "step CLI not found, installing for $os/$arch"
149 +
150 + case "$os" in
151 + linux) install_step_linux "$arch" ;;
152 + darwin) install_step_darwin ;;
153 + windows_bash)
154 + fail "For native Windows, use the PowerShell installer instead of the bash script"
155 + ;;
156 + *)
157 + fail "Unsupported OS: $os"
158 + ;;
159 + esac
160 +
161 + need_cmd step || fail "step CLI installation failed"
162 + }
163 +
164 + bootstrap_step() {
165 + [ -n "$CA_FINGERPRINT" ] || fail "CA fingerprint is required"
166 +
167 + if [ "$FORCE" = "1" ]; then
168 + log "Removing previous step configuration because FORCE=1"
169 + rm -rf "$STEP_CONFIG_DIR"
170 + fi
171 +
172 + mkdir -p "$STEP_CONFIG_DIR"
173 +
174 + log "Bootstrapping step against $CA_URL"
175 + step ca bootstrap \
176 + --ca-url "$CA_URL" \
177 + --fingerprint "$CA_FINGERPRINT" \
178 + --install \
179 + --force
180 + }
181 +
182 + install_linux_trust() {
183 + local root_cert
184 + root_cert="$STEP_CONFIG_DIR/certs/root_ca.crt"
185 +
186 + [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert"
187 +
188 + if need_cmd update-ca-certificates; then
189 + log "Installing root CA into system trust store using update-ca-certificates"
190 + sudo mkdir -p /usr/local/share/ca-certificates
191 + sudo cp "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt
192 + sudo update-ca-certificates
193 + return
194 + fi
195 +
196 + if need_cmd trust; then
197 + log "Installing root CA into system trust store using p11-kit trust"
198 + sudo trust anchor "$root_cert"
199 + return
200 + fi
201 +
202 + if [ -d /etc/ssl/certs ]; then
203 + log "Copying certificate to /etc/ssl/certs as fallback"
204 + sudo cp "$root_cert" /etc/ssl/certs/insmw-root-ca.crt
205 + return
206 + fi
207 +
208 + fail "Could not determine how to install the CA into the Linux trust store"
209 + }
210 +
211 + install_macos_trust() {
212 + local root_cert
213 + root_cert="$STEP_CONFIG_DIR/certs/root_ca.crt"
214 +
215 + [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert"
216 +
217 + log "Installing root CA into macOS System keychain"
218 + sudo security add-trusted-cert \
219 + -d \
220 + -r trustRoot \
221 + -k /Library/Keychains/System.keychain \
222 + "$root_cert"
223 + }
224 +
225 + install_trust_store() {
226 + local os
227 + os="$(detect_os)"
228 +
229 + case "$os" in
230 + linux) install_linux_trust ;;
231 + darwin) install_macos_trust ;;
232 + *)
233 + fail "Unsupported OS for trust installation: $os"
234 + ;;
235 + esac
236 + }
237 +
238 + verify_install() {
239 + local root_cert
240 + root_cert="$STEP_CONFIG_DIR/certs/root_ca.crt"
241 +
242 + log "Installed root CA at: $root_cert"
243 + log "Certificate subject:"
244 + step certificate inspect "$root_cert" --short || true
245 +
246 + echo
247 + echo "Done."
248 + echo "You may need to restart applications that cache trust settings, such as browsers or Docker."
249 + }
250 +
251 + parse_args() {
252 + while [ $# -gt 0 ]; do
253 + case "$1" in
254 + --ca-url)
255 + CA_URL="$2"
256 + shift 2
257 + ;;
258 + --fingerprint)
259 + CA_FINGERPRINT="$2"
260 + shift 2
261 + ;;
262 + --force)
263 + FORCE=1
264 + shift
265 + ;;
266 + -h|--help)
267 + usage
268 + exit 0
269 + ;;
270 + *)
271 + fail "Unknown argument: $1"
272 + ;;
273 + esac
274 + done
275 + }
276 +
277 + main() {
278 + parse_args "$@"
279 +
280 + [ -n "$CA_URL" ] || fail "CA URL is required"
281 + [ -n "$CA_FINGERPRINT" ] || fail "CA fingerprint is required"
282 +
283 + ensure_step
284 + bootstrap_step
285 + install_trust_store
286 + verify_install
287 + }
288 +
289 + main "$@"
Plus récent Plus ancien

Propulsé par Opengist Load: 25ms

Français