mirror of
https://github.com/kuhyx/testsAndMisc.git
synced 2026-07-04 16:43:05 +02:00
124 lines
4.3 KiB
Bash
124 lines
4.3 KiB
Bash
|
|
#!/bin/bash
|
||
|
|
# System upgrade script with automatic apt source hygiene
|
||
|
|
# Fixes common warnings/errors before running upgrades.
|
||
|
|
# All fixes are idempotent and safe to re-run.
|
||
|
|
|
||
|
|
set -euo pipefail
|
||
|
|
|
||
|
|
log() { printf '[upgrade] %s\n' "$*"; }
|
||
|
|
|
||
|
|
# =====================================================================
|
||
|
|
# Fix 1: Duplicate repository — microsoft-edge.list is a copy of
|
||
|
|
# google-chrome.list (both point to dl.google.com/linux/chrome)
|
||
|
|
# =====================================================================
|
||
|
|
fix_duplicate_chrome_edge_repo() {
|
||
|
|
local edge="/etc/apt/sources.list.d/microsoft-edge.list"
|
||
|
|
local chrome="/etc/apt/sources.list.d/google-chrome.list"
|
||
|
|
|
||
|
|
if [[ ! -f $edge ]]; then
|
||
|
|
return
|
||
|
|
fi
|
||
|
|
|
||
|
|
# Only act if edge list points to the chrome repo (the known bug)
|
||
|
|
if grep -q 'dl.google.com/linux/chrome' "$edge" 2>/dev/null; then
|
||
|
|
log "Disabling duplicate microsoft-edge.list (identical to google-chrome.list)"
|
||
|
|
mv "$edge" "${edge}.disabled"
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
# =====================================================================
|
||
|
|
# Fix 2: Expired Cloudflare WARP GPG key (expired 2025-12-03)
|
||
|
|
# =====================================================================
|
||
|
|
fix_cloudflare_key() {
|
||
|
|
local keyring="/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg"
|
||
|
|
local source_list="/etc/apt/sources.list.d/cloudflare-client.list"
|
||
|
|
|
||
|
|
if [[ ! -f $source_list ]]; then
|
||
|
|
return
|
||
|
|
fi
|
||
|
|
|
||
|
|
# Check if key is expired
|
||
|
|
local expired
|
||
|
|
expired=$(gpg --no-default-keyring --keyring "$keyring" --list-keys 2>&1 | grep -c 'expired' || true)
|
||
|
|
|
||
|
|
if [[ ${expired:-0} -gt 0 ]]; then
|
||
|
|
log "Refreshing expired Cloudflare WARP GPG key..."
|
||
|
|
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
|
||
|
|
| gpg --yes --dearmor -o "$keyring" 2>/dev/null \
|
||
|
|
&& log "Cloudflare key refreshed." \
|
||
|
|
|| log "WARNING: Could not refresh Cloudflare key (network issue?). Skipping."
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
# =====================================================================
|
||
|
|
# Fix 3: WineHQ key in legacy trusted.gpg + repo targets focal not noble
|
||
|
|
# =====================================================================
|
||
|
|
fix_wine_legacy_key() {
|
||
|
|
local legacy_keyring="/etc/apt/trusted.gpg"
|
||
|
|
local wine_key_id="D43F640145369C51D786DDEA76F1A20FF987672F"
|
||
|
|
local modern_keyring="/usr/share/keyrings/winehq-archive.gpg"
|
||
|
|
local wine_source="/etc/apt/sources.list.d/winehq-focal.list"
|
||
|
|
|
||
|
|
# Check if wine key is in the legacy keyring
|
||
|
|
if ! gpg --no-default-keyring --keyring "$legacy_keyring" --list-keys "$wine_key_id" >/dev/null 2>&1; then
|
||
|
|
return
|
||
|
|
fi
|
||
|
|
|
||
|
|
log "Migrating WineHQ key from legacy trusted.gpg to modern keyring..."
|
||
|
|
|
||
|
|
# Export key to modern location
|
||
|
|
gpg --no-default-keyring --keyring "$legacy_keyring" \
|
||
|
|
--export "$wine_key_id" \
|
||
|
|
| gpg --yes --dearmor -o "$modern_keyring" 2>/dev/null
|
||
|
|
|
||
|
|
# Remove from legacy keyring (suppress the deprecation warning)
|
||
|
|
apt-key del "$wine_key_id" >/dev/null 2>&1 || true
|
||
|
|
|
||
|
|
# Fix the source file to use signed-by and correct distro codename
|
||
|
|
local codename
|
||
|
|
codename=$(lsb_release -cs 2>/dev/null || echo "noble")
|
||
|
|
|
||
|
|
# Find all wine source files
|
||
|
|
for src in /etc/apt/sources.list.d/*wine*.list; do
|
||
|
|
[[ -f $src ]] || continue
|
||
|
|
|
||
|
|
# Check if already using signed-by
|
||
|
|
if grep -q 'signed-by=' "$src" 2>/dev/null; then
|
||
|
|
continue
|
||
|
|
fi
|
||
|
|
|
||
|
|
local old_codename
|
||
|
|
old_codename=$(grep -oP 'ubuntu/?\s+\K\w+' "$src" | head -1)
|
||
|
|
|
||
|
|
log "Updating $src: ${old_codename:-unknown} → $codename, adding signed-by"
|
||
|
|
sed -i \
|
||
|
|
-e "s|deb https://|deb [arch=amd64 signed-by=$modern_keyring] https://|" \
|
||
|
|
-e "s|deb-src https://|# deb-src [arch=amd64 signed-by=$modern_keyring] https://|" \
|
||
|
|
-e "s|ubuntu/ ${old_codename}|ubuntu/ ${codename}|g" \
|
||
|
|
-e "s|ubuntu ${old_codename}|ubuntu ${codename}|g" \
|
||
|
|
"$src"
|
||
|
|
done
|
||
|
|
|
||
|
|
log "WineHQ key migrated and source updated."
|
||
|
|
}
|
||
|
|
|
||
|
|
# =====================================================================
|
||
|
|
# Run all fixes, then upgrade
|
||
|
|
# =====================================================================
|
||
|
|
log "Running apt source hygiene checks..."
|
||
|
|
fix_duplicate_chrome_edge_repo
|
||
|
|
fix_cloudflare_key
|
||
|
|
fix_wine_legacy_key
|
||
|
|
log "Apt source checks complete."
|
||
|
|
|
||
|
|
echo ""
|
||
|
|
log "Installing aptitude if needed..."
|
||
|
|
apt-get install -y aptitude
|
||
|
|
|
||
|
|
log "Starting system upgrade..."
|
||
|
|
apt-get -y update && apt-get -y upgrade && apt-get -y dist-upgrade
|
||
|
|
apt-get -y autoremove
|
||
|
|
aptitude -y update && aptitude -y safe-upgrade && aptitude -y dist-upgrade
|
||
|
|
|
||
|
|
log "Upgrade complete."
|