Diffstat (limited to 'dotfiles/system/.local/bin/get-arch-iso.sh')
| -rwxr-xr-x | dotfiles/system/.local/bin/get-arch-iso.sh | 78 | 
1 files changed, 78 insertions, 0 deletions
|
diff --git a/dotfiles/system/.local/bin/get-arch-iso.sh b/dotfiles/system/.local/bin/get-arch-iso.sh
new file mode 100755
index 0000000..635034a
--- /dev/null
+++ b/dotfiles/system/.local/bin/get-arch-iso.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+# fetch-arch-iso.sh
+# Downloads the latest Arch ISO + signature, checks GPG key, verifies the download.
+
+set -u
+set -o pipefail
+
+# CONFIGURATION
+BASE_DIR="${HOME}/downloads/isos"
+ISO_NAME="archlinux-x86_64.iso"
+SIG_NAME="${ISO_NAME}.sig"
+ISO_URL="https://geo.mirror.pkgbuild.com/iso/latest/${ISO_NAME}"
+SIG_URL="https://geo.mirror.pkgbuild.com/iso/latest/${SIG_NAME}"
+# The “Arch Linux Master Key” is what signs the ISO. We look for its name in your keyring.
+ARCH_KEY_SEARCH="Arch Linux Master Key"
+
+# 1) Build target directory, e.g. ~/downloads/isos/archlinux.2025.08.22
+today=$(date +%Y.%m.%d)
+TARGET_DIR="${BASE_DIR}/archlinux.${today}"
+
+mkdir -p "${TARGET_DIR}" || {
+  echo "Error: could not create ${TARGET_DIR}" >&2
+  exit 1
+}
+
+# 2) A small helper to download with one retry
+download_with_retry() {
+  local url=$1 out=$2
+  echo " -> Downloading ${url} to ${out}"
+  if ! wget -q --show-progress -O "${out}" "${url}"; then
+    echo "   First attempt failed; retrying once..."
+    if ! wget -q --show-progress -O "${out}" "${url}"; then
+      echo "Error: failed to download ${url} after 2 tries."
+      echo "       Please check your network connectivity."
+      exit 1
+    fi
+  fi
+}
+
+# 3) Make sure GPG is installed (we assume gpg binary exists)
+if ! command -v gpg >/dev/null; then
+  echo "Error: gpg is not installed. Please install it and re-run."
+  exit 1
+fi
+
+# 4) Check for the Arch Linux signing key
+if ! gpg --list-keys "${ARCH_KEY_SEARCH}" >/dev/null 2>&1; then
+  echo "Warning: Arch Linux signing key not found in your keyring."
+  read -p "Install archlinux-keyring package now? [y/N] " ans
+  ans=${ans,,}  # tolower
+  if [[ "${ans}" == "y" || "${ans}" == "yes" ]]; then
+    sudo pacman -Sy --needed archlinux-keyring || {
+      echo "Error: could not install archlinux-keyring." >&2
+      exit 1
+    }
+  else
+    echo "Cannot verify ISO without the Arch key. Aborting."
+    exit 1
+  fi
+fi
+
+# 5) Download the ISO and its .sig
+download_with_retry "${ISO_URL}" "${TARGET_DIR}/${ISO_NAME}"
+download_with_retry "${SIG_URL}" "${TARGET_DIR}/${SIG_NAME}"
+
+# 6) Verify the ISO against the signature
+echo " -> Verifying the ISO with GPG..."
+if gpg --verify "${TARGET_DIR}/${SIG_NAME}" "${TARGET_DIR}/${ISO_NAME}"; then
+  echo
+  echo "SUCCESS: The ISO signature is valid."
+  echo "You can now burn or mount ${TARGET_DIR}/${ISO_NAME} with confidence."
+  exit 0
+else
+  echo
+  echo "ERROR: GPG signature verification failed!"
+  echo "       The downloaded ISO may be corrupted or tampered with."
+  exit 1
+fi
|
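Review bot: Step 6 treats exit status 0 from `gpg --verify` as proof of authenticity, but gpg returns 0 for a good signature made by any public key present in the user's keyring, and the `.sig` is fetched from the same mirror as the ISO, so nothing in the script pins who signed the image. The step-4 guard does not close that gap: `gpg --list-keys "${ARCH_KEY_SEARCH}"` matches on user-ID text rather than a fingerprint, the keyring is not re-checked after `pacman -Sy --needed archlinux-keyring`, and as far as I know that package feeds pacman's own keyring rather than `~/.gnupg`, so the user keyring may be unchanged afterwards. I would pin the expected release signing key fingerprint (obtained from the Arch download page, not from the mirror) and accept the ISO only when `--status-fd` reports a `GOODSIG` line plus a `VALIDSIG` line carrying that fingerprint, as sketched below. Smaller points in the same file: the error messages in `download_with_retry` and step 3 go to stdout rather than stderr, and `-Sy` without `-u` can leave the system in a partial-upgrade state.

```shell
# CONFIGURATION
# Placeholder, not a real value: fill in the release signing key fingerprint
# published on the Arch download page.
EXPECTED_SIGNER_FPR="<RELEASE_SIGNING_KEY_FINGERPRINT>"

# … unchanged: target directory, download helper, gpg check, downloads …

# 6) Verify the ISO against the signature
echo " -> Verifying the ISO with GPG..."
# Machine-readable status lines; the human-readable gpg output is discarded.
sig_status=$(gpg --status-fd 1 --verify \
  "${TARGET_DIR}/${SIG_NAME}" "${TARGET_DIR}/${ISO_NAME}" 2>/dev/null)
# GOODSIG excludes expired/revoked keys; the last VALIDSIG field is the
# primary-key fingerprint, which must equal the pinned one.
if grep -q '^\[GNUPG:\] GOODSIG ' <<<"${sig_status}" &&
  grep -q "^\[GNUPG:\] VALIDSIG .* ${EXPECTED_SIGNER_FPR}\$" <<<"${sig_status}"; then
  # … unchanged: success message, exit 0 …
else
  # … unchanged: failure message, exit 1 …
fi
```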
