-rw-r--r--.github/workflows/release-on-tag.yml5
-rw-r--r--user_install_script.sh50
2 files changed, 45 insertions, 10 deletions
diff --git a/.github/workflows/release-on-tag.yml b/.github/workflows/release-on-tag.yml
index 5512646..92dc816 100644
--- a/.github/workflows/release-on-tag.yml
+++ b/.github/workflows/release-on-tag.yml
@@ -25,6 +25,10 @@ jobs:
sed -i "s|__DECKY_PLUGIN_ID__|${PLUGIN_ID}|g" user_install_script.sh
sed -i "s|__DECKY_MIRROR_HOST__|$MIRROR_HOST|g" decky_installer.desktop
+ - name: Generate checksum for decky_client.py
+ run: |
+ sha256sum decky_client.py > decky_client.py.sha256
+
- name: Create GitHub release
uses: softprops/action-gh-release@v2
with:
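Review bot: The digest written by the new `Generate checksum for decky_client.py` step is only published as a sibling release asset, so whoever can replace `decky_client.py` on the release or the mirror can replace `decky_client.py.sha256` along with it. The preceding step already rewrites placeholders in `user_install_script.sh` with `sed`, so the digest could be embedded in the installer the same way, e.g. `sed -i "s|<CLIENT_SHA256_PLACEHOLDER>|$(sha256sum decky_client.py | cut -d' ' -f1)|g" user_install_script.sh`, with the placeholder name chosen by the project. The installer would then have to fetch the client from the matching tagged release rather than `releases/latest`, and the scheme is only as strong as the channel the installer itself is obtained through, which is not visible here. The job's step list starts and ends outside this hunk.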
@@ -33,4 +37,5 @@ jobs:
files: |
user_install_script.sh
decky_client.py
+ decky_client.py.sha256
decky_installer.desktop
diff --git a/user_install_script.sh b/user_install_script.sh
index 247f0e2..cb76b57 100644
--- a/user_install_script.sh
+++ b/user_install_script.sh
@@ -34,17 +34,47 @@ if [ "$SKIP_DECKY_INSTALL" != true ]; then
bash "${tmp_script}"
fi
-# Download and run Decky Loader client (mirror-hosted).
+# Download and verify Decky Loader client (mirror-hosted).
decky_client="/tmp/decky_client.py"
-if curl -fsSL "https://${DECKY_MIRROR_HOST}/AeroCore-IO/decky-installer/releases/latest/download/decky_client.py" -o "${decky_client}"; then
- # Install the plugin
- python3 "${decky_client}" install \
- --store-url "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins" \
- --target-id "${DECKY_PLUGIN_TARGET_ID}"
-
- # Configure the custom store URL for future use
- python3 "${decky_client}" configure-store "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins"
-else
+decky_client_checksum="/tmp/decky_client.py.sha256"
+
+# Download the client script
+if ! curl -fsSL "https://${DECKY_MIRROR_HOST}/AeroCore-IO/decky-installer/releases/latest/download/decky_client.py" -o "${decky_client}"; then
echo "Failed to download Decky Loader client script." >&2
exit 1
fi
+
+# Download the checksum file
+if ! curl -fsSL "https://${DECKY_MIRROR_HOST}/AeroCore-IO/decky-installer/releases/latest/download/decky_client.py.sha256" -o "${decky_client_checksum}"; then
+ echo "Failed to download checksum file for Decky Loader client." >&2
+ exit 1
+fi
+
+# Verify the checksum
+if command -v sha256sum >/dev/null 2>&1; then
+ if ! (cd /tmp && sha256sum -c decky_client.py.sha256); then
+ echo "Checksum verification failed for Decky Loader client. File may be compromised." >&2
+ rm -f "${decky_client}" "${decky_client_checksum}"
+ exit 1
+ fi
+elif command -v shasum >/dev/null 2>&1; then
+ if ! (cd /tmp && shasum -a 256 -c decky_client.py.sha256); then
+ echo "Checksum verification failed for Decky Loader client. File may be compromised." >&2
+ rm -f "${decky_client}" "${decky_client_checksum}"
+ exit 1
+ fi
+else
+ echo "Warning: No checksum tool available (sha256sum or shasum). Skipping integrity verification." >&2
+ echo "This is a security risk. Consider installing sha256sum or shasum." >&2
+fi
+
+# Install the plugin
+python3 "${decky_client}" install \
+ --store-url "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins" \
+ --target-id "${DECKY_PLUGIN_TARGET_ID}"
+
+# Configure the custom store URL for future use
+python3 "${decky_client}" configure-store "https://${DECKY_PLUGIN_MIRROR_HOST}/plugins"
+
+# Clean up
+rm -f "${decky_client}" "${decky_client_checksum}"
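Review bot: The final `else` branch of the verification block only prints a warning and then falls through to `python3 "${decky_client}" install`, so on a system with neither `sha256sum` nor `shasum` the downloaded client still runs unverified; that branch should exit non-zero. The client and its checksum are also written to fixed names in world-writable `/tmp` and checked via `cd /tmp`, so another local user who pre-creates those paths can keep control of the file between the check and the `python3` call; a `mktemp -d` directory avoids that and lets the two duplicated branches collapse into one helper. Because the `.sha256` file is fetched from the same `${DECKY_MIRROR_HOST}` as the client, a match shows the download is intact rather than authentic, so the "File may be compromised" message claims more than is checked. The script starts before this hunk; if it already has a temp-dir or `trap` convention (the earlier `tmp_script` suggests one), fold the sketch below into that instead.

```shell
# Private work directory instead of fixed names in world-writable /tmp
work_dir="$(mktemp -d)" || exit 1
decky_client="${work_dir}/decky_client.py"
decky_client_checksum="${work_dir}/decky_client.py.sha256"

# … unchanged: download of decky_client.py and decky_client.py.sha256 …

# Run whichever SHA-256 tool exists; fail closed when there is none
verify_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -c "$1"
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 -c "$1"
  else
    echo "No checksum tool available (sha256sum or shasum); refusing to run an unverified client." >&2
    return 1
  fi
}

if ! (cd "${work_dir}" && verify_sha256 decky_client.py.sha256); then
  echo "Checksum verification failed for Decky Loader client." >&2
  rm -rf -- "${work_dir}"
  exit 1
fi

# … unchanged: install and configure-store calls …

# Clean up
rm -rf -- "${work_dir}"
```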