testsAndMisc/linux_configuration/scripts/utils/upgrade.sh

124 lines
4.3 KiB
Bash
Executable File

#!/bin/bash
# System upgrade script with automatic apt source hygiene
# Fixes common warnings/errors before running upgrades.
# All fixes are idempotent and safe to re-run.
set -euo pipefail
log() { printf '[upgrade] %s\n' "$*"; }
# =====================================================================
# Fix 1: Duplicate repository — microsoft-edge.list is a copy of
# google-chrome.list (both point to dl.google.com/linux/chrome)
# =====================================================================
fix_duplicate_chrome_edge_repo() {
local edge="/etc/apt/sources.list.d/microsoft-edge.list"
local chrome="/etc/apt/sources.list.d/google-chrome.list"
if [[ ! -f $edge ]]; then
return
fi
# Only act if edge list points to the chrome repo (the known bug)
if grep -q 'dl.google.com/linux/chrome' "$edge" 2>/dev/null; then
log "Disabling duplicate microsoft-edge.list (identical to google-chrome.list)"
mv "$edge" "${edge}.disabled"
fi
}
# =====================================================================
# Fix 2: Expired Cloudflare WARP GPG key (expired 2025-12-03)
# =====================================================================
fix_cloudflare_key() {
local keyring="/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg"
local source_list="/etc/apt/sources.list.d/cloudflare-client.list"
if [[ ! -f $source_list ]]; then
return
fi
# Check if key is expired
local expired
expired=$(gpg --no-default-keyring --keyring "$keyring" --list-keys 2>&1 | grep -c 'expired' || true)
if [[ ${expired:-0} -gt 0 ]]; then
log "Refreshing expired Cloudflare WARP GPG key..."
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
| gpg --yes --dearmor -o "$keyring" 2>/dev/null \
&& log "Cloudflare key refreshed." \
|| log "WARNING: Could not refresh Cloudflare key (network issue?). Skipping."
fi
}
# =====================================================================
# Fix 3: WineHQ key in legacy trusted.gpg + repo targets focal not noble
# =====================================================================
fix_wine_legacy_key() {
local legacy_keyring="/etc/apt/trusted.gpg"
local wine_key_id="D43F640145369C51D786DDEA76F1A20FF987672F"
local modern_keyring="/usr/share/keyrings/winehq-archive.gpg"
local wine_source="/etc/apt/sources.list.d/winehq-focal.list"
# Check if wine key is in the legacy keyring
if ! gpg --no-default-keyring --keyring "$legacy_keyring" --list-keys "$wine_key_id" >/dev/null 2>&1; then
return
fi
log "Migrating WineHQ key from legacy trusted.gpg to modern keyring..."
# Export key to modern location
gpg --no-default-keyring --keyring "$legacy_keyring" \
--export "$wine_key_id" \
| gpg --yes --dearmor -o "$modern_keyring" 2>/dev/null
# Remove from legacy keyring (suppress the deprecation warning)
apt-key del "$wine_key_id" >/dev/null 2>&1 || true
# Fix the source file to use signed-by and correct distro codename
local codename
codename=$(lsb_release -cs 2>/dev/null || echo "noble")
# Find all wine source files
for src in /etc/apt/sources.list.d/*wine*.list; do
[[ -f $src ]] || continue
# Check if already using signed-by
if grep -q 'signed-by=' "$src" 2>/dev/null; then
continue
fi
local old_codename
old_codename=$(grep -oP 'ubuntu/?\s+\K\w+' "$src" | head -1)
log "Updating $src: ${old_codename:-unknown}$codename, adding signed-by"
sed -i \
-e "s|deb https://|deb [arch=amd64 signed-by=$modern_keyring] https://|" \
-e "s|deb-src https://|# deb-src [arch=amd64 signed-by=$modern_keyring] https://|" \
-e "s|ubuntu/ ${old_codename}|ubuntu/ ${codename}|g" \
-e "s|ubuntu ${old_codename}|ubuntu ${codename}|g" \
"$src"
done
log "WineHQ key migrated and source updated."
}
# =====================================================================
# Run all fixes, then upgrade
# =====================================================================
log "Running apt source hygiene checks..."
fix_duplicate_chrome_edge_repo
fix_cloudflare_key
fix_wine_legacy_key
log "Apt source checks complete."
echo ""
log "Installing aptitude if needed..."
apt-get install -y aptitude
log "Starting system upgrade..."
apt-get -y update && apt-get -y upgrade && apt-get -y dist-upgrade
apt-get -y autoremove
aptitude -y update && aptitude -y safe-upgrade && aptitude -y dist-upgrade
log "Upgrade complete."