Git verify everywhere + updates (#2708)

openoms 2021-11-30 11:43:52 +00:00 committed by GitHub
parent 3762406fe5
commit 3a09f3a3e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 351 additions and 78 deletions

View File

@ -1,7 +1,19 @@
# CHANGES between Releases
## What's new in Version 1.7.2 of RaspiBlitz?
- New: Verify git commits and tags everywhere possible [issue](https://github.com/rootzoll/raspiblitz/issues/2686)
- Update: BTCPayServer v1.3.3 with UPDATE option [details](https://github.com/btcpayserver/btcpayserver/releases/tag/v1.3.3)
- Update: Electrum Server in Rust (electrs) v0.9.2 [details](https://github.com/romanz/electrs/blob/v0.9.2/RELEASE-NOTES.md)
- Update: JoinMarket v0.9.3 [details](https://github.com/JoinMarket-Org/joinmarket-clientserver/releases/tag/v0.9.2)
- Update: JoininBox v0.6.3 [details](https://github.com/openoms/joininbox/releases/tag/v0.6.1)
- Update: Thunderhub v0.12.31 [details](https://github.com/apotdevin/thunderhub/releases/tag/v0.12.31)
- Update: C-lightningREST v0.5.2 [details](https://github.com/Ride-The-Lightning/c-lightning-REST/releases/tag/v0.5.2)
## What's new in Version 1.7.1 of RaspiBlitz?
There was a small patch-update with raspiblitz-v1.7.1-2021-10-28.img.gz to fix a restart-loop after blockchain was self-synced.
- New: C-lightning v0.10.1 [details](https://github.com/ElementsProject/lightning/releases/tag/v0.10.1)
- New: C-lightningREST v0.5.1 [details](https://github.com/Ride-The-Lightning/c-lightning-REST/releases/tag/v0.5.1)
- New: CL Spark Wallet v0.3.0rc with BOLT12 offers [details](https://github.com/shesek/spark-wallet/releases)
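Review bot: Two entries in the 1.7.2 list have a version label that does not match the link target: "JoinMarket v0.9.3" points to `releases/tag/v0.9.2` and "JoininBox v0.6.3" points to `releases/tag/v0.6.1`. Update both URLs to the tags named in the text, so a reader checking the release notes lands on the version that is installed.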

View File

@ -38,6 +38,7 @@
- [Update](#update)
- [Update to a new C-lightning release](#update-to-a-new-c-lightning-release)
- [Experimental update to the latest master](#experimental-update-to-the-latest-master)
- [sqlite3 queries](#sqlite3-queries)
- [Script file help list](#script-file-help-list)
---
@ -617,6 +618,18 @@ To display it as text:
config.scripts/cl.install.sh update
```
## sqlite3 queries
* Query the reasons for force closes
```
sudo -u bitcoin sqlite3 /home/bitcoin/.lightning/bitcoin/lightningd.sqlite3 'select short_channel_id, timestamp, cause, message from channel_state_changes inner join channels on channel_id = id where new_state = 7 order by timestamp'
```
* Query the reasons for cooperative channel closes
```
sudo -u bitcoin sqlite3 /home/bitcoin/.lightning/bitcoin/lightningd.sqlite3 'select short_channel_id, timestamp, cause, message from channel_state_changes inner join channels on channel_id = id where new_state = 4 order by timestamp'
```
## Script file help list
* generate a list of the help texts on a RaspiBlitz:
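Review bot: Both queries filter on a bare number, `new_state = 7` and `new_state = 4`, and nothing in the added section says which channel states these values stand for. Name the state next to each query so a reader can adapt it without looking up the enum.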

View File

@ -119,19 +119,19 @@ In the end your RaspiBlitz should look like this:
|Philosophy|Trust|Sovereignty|
|Difficulty level|Easy|Medium|
|Pros|Make Blitz accessible to everyone|You don't need to trust us, build from your own forked repository|
|Instructions|[Download 1.7.1 image](https://raspiblitz.fulmo.org/images/raspiblitz-v1.7.1-2021-10-12.img.gz) and [Flash the sd card](README.md#write-the-sd-card-image-to-your-sd-card)|[Build your own sd card image](#build-the-sd-card-image)|
|Verify what?|[Signature file](https://raspiblitz.fulmo.org/images/raspiblitz-v1.7.1-2021-10-12.img.gz.sig) and [verify the Sig](FAQ.md#how-to-verify-the-sd-card-image-after-download) OR SHA-256 (below)|All of the code, don't trust, verify|
|Instructions|[Download 1.7.1 image](https://raspiblitz.fulmo.org/images/raspiblitz-v1.7.1-2021-10-28.img.gz) and [Flash the sd card](README.md#write-the-sd-card-image-to-your-sd-card)|[Build your own sd card image](#build-the-sd-card-image)|
|Verify what?|[Signature file](https://raspiblitz.fulmo.org/images/raspiblitz-v1.7.1-2021-10-28.img.gz.sig) and [verify the Sig](FAQ.md#how-to-verify-the-sd-card-image-after-download) OR SHA-256 (below)|All of the code, don't trust, verify|
If downloading the maintainer SD card image:
* GPG 64-bit: 1C73 060C 7C17 6461
* SHA-256: 4b5481e0f27afe9b5aa8bab5805f7df033f2596db29a1e47c25d2f0109d9c003
* GPG 64-bit (main): 1C73 060C 7C17 6461 & (sub): AA9D D1B5 CC56 47DA
* SHA-256: 6d06813860ccb9ba335086a0e53fb01f80c9ae699a59bfffdb8a89ae94087aad
Which verification method should I used: Hash or Signature?
* Signed file prove to you that the SD card image was actually built by the lead developer of the RaspiBlitz project. (Safest)
* Hash function checks file integrity. (Secure)
The maintainer sd card image can also be downloaded via torrent:
* [assets/raspiblitz-v1.7.1-2021-10-12.img.gz.torrent](https://github.com/rootzoll/raspiblitz/raw/dev/home.admin/assets/raspiblitz-v1.7.1-2021-10-12.img.gz.torrent)
* [assets/raspiblitz-v1.7.1-2021-10-28.img.gz.torrent](https://github.com/rootzoll/raspiblitz/raw/v1.7/home.admin/assets/raspiblitz-v1.7.1-2021-10-28.img.gz.torrent)
Useful info:
* [What's new in Version 1.7.1 of RaspiBlitz?](CHANGES.md#whats-new-in-version-171-of-raspiblitz)

View File

@ -39,12 +39,19 @@ curl https://keybase.io/oms/pgp_keys.asc | gpg --import
```
Ensure that you put quotes around fingerprints containing spaces if importing with other methods.
# Online Security
# Network Security
* Wi-fi and Bluetooth is disabled by default in the build script.
* UFW is active and only specific ports are open, closing ports and removing hidden services when services are uninstalled.
* Fail-2-Ban is protecting the SSH login against brute-force-attacks.
* Admin (and Joinmarket [optional]) users have passwordless sudo access to be able to perform installations and read password without much user interaction.
* Limit attack surface: Wi-fi and Bluetooth is disabled by default in the build script.
* Firewall: UFW is active and only specific ports are open, closing ports and removing hidden services when services are uninstalled.
* Password brute forcing protection: Fail-2-Ban is protecting the SSH login against brute-force-attacks.
# Software security
* The `admin` (and the `joinmarket` [optional]) users have passwordless sudo access to be able to perform installations and read password without much user interaction.
* Downloaded binaries and source code is verified with the authors' PGP keys by either:
* signed shasum files and checking the hash of each downloaded binary
* verfying the signature on the source code changes utilising the `git verify-commit` or `git verify-tag` commands
# Physical Security
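Review bot: The new "Software security" bullet "Downloaded binaries and source code is verified with the authors' PGP keys" reads as unconditional, while the same commit marks LCD-show as "# not signed" and circuitbreaker as "# the commits are not signed". State that verification applies where upstream signs, and list the exceptions. Wording: "is verified" should be "are verified" and "verfying" should be "verifying".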
@ -69,6 +76,8 @@ Some apps (like Fully Noded or JoinMarket) activate the bitcoin core wallet and
# Off-chain Funds (Lightning Channels)
Please note that there is no perfect backup concept for the funds in your lightning channels yet. We strongly recommend using the `Static Channel Backup` provided by LND and consider off-line location backup of that file to have the best chances to recover Lightning funds in a case of recoverying from a disaster.
Please note that there is no perfect backup concept for the funds in your lightning channels yet. We strongly recommend using the `Static Channel Backup` provided by LND and consider off-line location backup of that file to have the best chances to recover Lightning funds in a case of recovering from a disaster.
The C-ligthning lightning.sqlite3 is replicated on the SDcard from the disk in real time. See more details in the [C-lightning FAQ](FAQ.cl.md#backups)
For more practical information on this topic see: [Backup Channel Funds](README.md#backup-for-on-chain---channel-funds)
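Review bot: In the added sentence, "C-ligthning" is misspelled and the database is called `lightning.sqlite3`, while the sqlite3 query section added in this commit uses `lightningd.sqlite3`. Use the same file name in both places, so a user who restores from the SD card copy looks for the right file.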

View File

@ -468,6 +468,10 @@ if [ "${specter}" == "on" ]; then
OPTIONS+=(SPECTER "Update Specter Desktop")
fi
if [ "${BTCPayServer}" == "on" ]; then
OPTIONS+=(BTCPAY "Update BTCPayServer")
fi
if [ "${sphinxrelay}" == "on" ]; then
OPTIONS+=(SPHINX "Update Sphinx Server Relay")
fi
@ -521,6 +525,9 @@ case $CHOICE in
SPECTER)
/home/admin/config.scripts/bonus.specter.sh update
;;
BTCPAY)
/home/admin/config.scripts/bonus.btcpayserver.sh update
;;
SPHINX)
/home/admin/config.scripts/bonus.sphinxrelay.sh update
;;

View File

@ -254,6 +254,8 @@ function install_lcd() {
sudo -u admin chown -R admin:admin wavesharelcd-64bit-rpi
cd /home/admin/wavesharelcd-64bit-rpi
sudo -u admin git reset --hard 5a206a7 || exit 1
sudo -u admin /home/admin/config.scripts/blitz.git-verify.sh \
'GitHub' 'https://github.com/web-flow.gpg' '4AEE18F83AFDEB23' || exit 1
# customized from https://github.com/tux1c/wavesharelcd-64bit-rpi/blob/master/install.sh
# prepare X11
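Review bot: The key checked after `git reset --hard 5a206a7` is GitHub's `web-flow` key, which signs commits created through the GitHub web interface, so a passing check shows the commit was made on GitHub and not that a maintainer of wavesharelcd-64bit-rpi authored it. Say so in a comment, and treat the pinned hash as the actual trust anchor, preferably as the full 40-character hash instead of the 7-character abbreviation. The first argument is 'GitHub' here, while the helper's own example and the other callers use 'web-flow'; use one name throughout. The same applies to the identical call in install_lcd_legacy.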
@ -366,6 +368,7 @@ function install_lcd_legacy() {
sudo -u admin chmod -R 755 LCD-show
sudo -u admin chown -R admin:admin LCD-show
cd LCD-show/
# not signed
sudo -u admin git reset --hard 53dd0bf || exit 1
# install xinput calibrator package
echo "--> install xinput calibrator package"
@ -395,7 +398,8 @@ function install_lcd_legacy() {
sudo -u admin chown -R admin:admin wavesharelcd-64bit-rpi
cd /home/admin/wavesharelcd-64bit-rpi
sudo -u admin git reset --hard 5a206a7 || exit 1
sudo -u admin /home/admin/config.scripts/blitz.git-verify.sh \
'GitHub' 'https://github.com/web-flow.gpg' '4AEE18F83AFDEB23' || exit 1
# from https://github.com/tux1c/wavesharelcd-64bit-rpi/blob/master/install.sh
# prepare X11
sudo rm -rf /etc/X11/xorg.conf.d/40-libinput.conf

View File

@ -0,0 +1,77 @@
#!/bin/bash
# command info
if [ $# -lt 3 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
echo "script use to verify a git commit or tag"
echo "Usage:"
echo "Run after 'git reset --hard VERSION' with the user running the installation"
echo "To verify the checked out commit:"
echo "blitz.git-verify.sh [PGPsigner] [PGPpubkeyLink] [PGPpubkeyFingerprint]"
echo "To use 'git verify-tag' add the 'tag':"
echo "blitz.git-verify.sh [PGPsigner] [PGPpubkeyLink] [PGPpubkeyFingerprint] <tag>"
exit 1
fi
# Example for commits created on GitHub:
# PGPsigner="web-flow"
# PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
# PGPpubkeyFingerprint="4AEE18F83AFDEB23"
# Example for commits signed with a personal PGP key:
# PGPsigner="janoside"
# PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
# PGPpubkeyFingerprint="F579929B39B119CC7B0BB71FB326ACF51F317B69"
# Run with the insatting user to clear permissions:
# sudo -u btcrpcexplorer /home/admin/config.scripts/blitz.git-verify.sh \
# "${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
PGPsigner="$1"
PGPpubkeyLink="$2"
PGPpubkeyFingerprint="$3"
wget -O pgp_keys.asc "${PGPpubkeyLink}"
gpg --import --import-options show-only ./pgp_keys.asc
fingerprint=$(gpg pgp_keys.asc 2>/dev/null | grep "${PGPpubkeyFingerprint}" -c)
if [ "${fingerprint}" -lt 1 ]; then
echo
echo "# !!! WARNING --> the PGP fingerprint is not as expected for ${PGPsigner}" >&2
echo "# Should contain PGP: ${PGPpubkeyFingerprint}" >&2
echo "# Exiting" >&2
exit 7
fi
gpg --import ./pgp_keys.asc
trap 'rm -f "$_temp"' EXIT
_temp="$(mktemp -p /dev/shm/)"
if [ $# -eq 3 ]; then
commitHash="$(git log --oneline | head -1 | awk '{print $1}')"
gitCommand="git verify-commit $commitHash"
elif [ $# -eq 4 ]; then
gitCommand="git verify-tag $4"
fi
if ${gitCommand} 2>&1 >&"$_temp"; then
goodSignature=1
else
goodSignature=0
fi
echo
cat $_temp
echo "# goodSignature(${goodSignature})"
correctKey=$(tr -d " \t\n\r" < "$_temp" | grep "${PGPpubkeyFingerprint}" -c)
echo "# correctKey(${correctKey})"
if [ "${correctKey}" -lt 1 ] || [ "${goodSignature}" -lt 1 ]; then
echo
echo "# !!! BUILD FAILED --> PGP verification not OK / signature(${goodSignature}) verify(${correctKey})"
exit 1
else
echo
echo "##########################################################################"
echo "# OK --> the PGP signature of the checked out $commitHash commit is correct"
echo "##########################################################################"
echo
exit 0
fi
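Review bot: Both fingerprint checks, `grep "${PGPpubkeyFingerprint}" -c` over the `gpg pgp_keys.asc` listing and over the whitespace-stripped verify output, are substring matches on human-readable text that also carries the key's user ID, and most callers in this commit pass a 16-hex key ID instead of a full fingerprint. Compare the full 40-hex fingerprint with the VALIDSIG line from `git verify-commit --raw` (or `git verify-tag --raw`) instead of grepping the display output. Smaller points: in the tag path `$commitHash` is never set, so the OK banner prints an empty commit name; a call with more than four arguments leaves `gitCommand` unset; `git rev-parse HEAD` is more direct than `git log --oneline | head -1 | awk '{print $1}'`; `pgp_keys.asc` is written into the repository working tree and never removed, and the `wget` exit status is not checked; `cat $_temp` should be quoted; "insatting" in the usage comment should be "installing".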

View File

@ -12,6 +12,10 @@ if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
exit 1
fi
PGPsigner="janoside"
PGPpubkeyLink="https://github.com/janoside.gpg"
PGPpubkeyFingerprint="F579929B39B119CC7B0BB71FB326ACF51F317B69"
source /mnt/hdd/raspiblitz.conf
##########################
@ -193,6 +197,8 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
sudo -u btcrpcexplorer git clone https://github.com/janoside/btc-rpc-explorer.git
cd btc-rpc-explorer
sudo -u btcrpcexplorer git reset --hard v3.2.0
sudo -u btcrpcexplorer /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
sudo -u btcrpcexplorer npm install
if ! [ $? -eq 0 ]; then
echo "FAIL - npm install did not run correctly, aborting"

View File

@ -2,16 +2,24 @@
# Based on: https://gist.github.com/normandmickey/3f10fc077d15345fb469034e3697d0d0
# https://github.com/dgarage/NBXplorer/releases
NBXplorerVersion="v2.2.8"
# https://github.com/dgarage/NBXplorer/tags
NBXplorerVersion="v2.2.16"
# https://github.com/btcpayserver/btcpayserver/releases
BTCPayVersion="v1.2.3"
BTCPayVersion="v1.3.3"
PGPsigner="nicolasdorier"
PGPpubkeyLink="https://keybase.io/nicolasdorier/pgp_keys.asc"
PGPpubkeyFingerprint="AB4CFA9895ACA0DBE27F6B346618763EF09186FE"
# command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
echo "# config script to switch BTCPay Server on or off"
echo "# bonus.btcpayserver.sh [on|off|menu|write-tls-macaroon]"
echo "# installs BTCPayServer $BTCPayVersion with NBXplorer $NBXplorerVersion"
echo "Config script to switch BTCPay Server on or off"
echo "Usage:"
echo "bonus.btcpayserver.sh [on|off|menu|write-tls-macaroon]"
echo "installs BTCPayServer $BTCPayVersion with NBXplorer $NBXplorerVersion"
echo "To update to the latest release published on github run:"
echo "bonus.btcpayserver.sh update"
echo
exit 1
fi
@ -331,6 +339,9 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
sudo -u btcpay git clone https://github.com/dgarage/NBXplorer.git 2>/dev/null
cd NBXplorer || exit 1
sudo -u btcpay git reset --hard $NBXplorerVersion
# PGP verify
sudo -u btcpay /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
echo "# Build NBXplorer ..."
# from the build.sh with path
sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release NBXplorer/NBXplorer.csproj
@ -399,7 +410,17 @@ btc.rpc.password=$PASSWORD_B
sudo chmod 600 /home/btcpay/.nbxplorer/Main/settings.config
sudo chown btcpay:btcpay /home/btcpay/.nbxplorer/Main/settings.config
# whitelist localhost in bitcoind
if ! sudo grep -Eq "^whitelist=127.0.0.1" /mnt/hdd/bitcoin/bitcoin.conf;then
echo "whitelist=127.0.0.1" | sudo tee -a /mnt/hdd/bitcoin/bitcoin.conf
bitcoindRestart=yes
fi
if [ "${state}" == "ready" ]; then
if [ "${bitcoindRestart}" == "yes" ]; then
echo "# Restarting bitcoind"
sudo systemctl restart bitcoind
fi
sudo systemctl restart nbxplorer
fi
@ -412,6 +433,8 @@ btc.rpc.password=$PASSWORD_B
sudo -u btcpay git clone https://github.com/btcpayserver/btcpayserver.git 2>/dev/null
cd btcpayserver
sudo -u btcpay git reset --hard $BTCPayVersion
sudo -u btcpay /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
echo "# Build BTCPayServer ..."
# from the build.sh with path
sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release /home/btcpay/btcpayserver/BTCPayServer/BTCPayServer.csproj
@ -556,5 +579,86 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then
exit 0
fi
if [ "$1" = "update" ]; then
echo "# Update NBXplorer"
cd /home/btcpay || exit 1
cd NBXplorer || exit 1
# fetch latest master
if [ "$(sudo -u btcpay git fetch 2>&1 | grep -c "Please tell me who you are")" -gt 0 ]; then
sudo -u btcpay git config user.email "you@example.com"
sudo -u btcpay git config user.name "Your Name"
fi
sudo -u btcpay git fetch
# unset $1
set --
UPSTREAM=${1:-'@{u}'}
LOCAL=$(git rev-parse @)
REMOTE=$(git rev-parse "$UPSTREAM")
if [ $LOCAL = $REMOTE ]; then
TAG=$(git tag | sort -V | tail -1)
echo "# Up-to-date on version $TAG"
else
echo "# Pulling latest changes..."
sudo -u btcpay git pull -p
TAG=$(git tag | sort -V | tail -1)
echo "# Reset to the latest release tag: $TAG"
sudo -u btcpay git reset --hard $TAG
sudo -u btcpay /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
echo "# Build NBXplorer ..."
# from the build.sh with path
sudo systemctl stop nbxplorer
sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release NBXplorer/NBXplorer.csproj
# whitelist localhost in bitcoind
if ! sudo grep -Eq "^whitelist=127.0.0.1" /mnt/hdd/bitcoin/bitcoin.conf;then
echo "whitelist=127.0.0.1" | sudo tee -a /mnt/hdd/bitcoin/bitcoin.conf
echo "# Restarting bitcoind"
sudo systemctl restart bitcoind
fi
sudo systemctl start nbxplorer
echo "# Updated NBXplorer to $TAG"
fi
echo "# Update BTCPayServer"
cd /home/btcpay || exit 1
cd btcpayserver || exit 1
# fetch latest master
if [ "$(sudo -u btcpay git fetch 2>&1 | grep -c "Please tell me who you are")" -gt 0 ]; then
sudo -u btcpay git config user.email "you@example.com"
sudo -u btcpay git config user.name "Your Name"
fi
sudo -u btcpay git fetch
# unset $1
set --
UPSTREAM=${1:-'@{u}'}
LOCAL=$(git rev-parse @)
REMOTE=$(git rev-parse "$UPSTREAM")
if [ $LOCAL = $REMOTE ]; then
TAG=$(git tag | grep v1 | sort -V | tail -1)
echo "# Up-to-date on version $TAG"
else
echo "# Pulling latest changes..."
sudo -u btcpay git pull -p
TAG=$(git tag | grep v1 | sort -V | tail -1)
echo "# Reset to the latest release tag: $TAG"
sudo -u btcpay git reset --hard $TAG
# PGP verify
sudo -u btcpay /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
echo "# Build BTCPayServer ..."
# from the build.sh with path
sudo systemctl stop btcpayserver
sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release /home/btcpay/btcpayserver/BTCPayServer/BTCPayServer.csproj
sudo systemctl start btcpayserver
echo "# Updated BTCPayServer to $TAG"
fi
exit 0
fi
echo "# FAIL - Unknown Parameter $1"
exit 1
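Review bot: The release to build is picked with `TAG=$(git tag | sort -V | tail -1)` for NBXplorer and `git tag | grep v1 | sort -V | tail -1` for BTCPayServer, so whatever tag sorts highest is used, pre-release tags included, and the unanchored `grep v1` matches "v1" anywhere in a tag name and would skip a v2.0.0 release. Use one anchored pattern for release tags in both places. Also quote the comparison as `[ "$LOCAL" = "$REMOTE" ]`, and check the exit status of `dotnet build` before the service is started: as written, both branches echo "Updated ... to $TAG" and the block ends in `exit 0` even when the build fails. The `set --` followed by `UPSTREAM=${1:-'@{u}'}` always yields `@{u}`, so the default expansion can be dropped.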

View File

@ -2,6 +2,7 @@
# https://github.com/lightningequipment/circuitbreaker/releases
pinnedVersion="v0.3.0"
# the commits are not signed
# command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then

View File

@ -1,7 +1,7 @@
#!/bin/bash
# https://github.com/romanz/electrs/releases
ELECTRSVERSION="v0.9.0"
ELECTRSVERSION="v0.9.2"
# https://github.com/romanz/electrs/commits/master
# ELECTRSVERSION="3041e89cd2fb377541b929d852ef6298c2d4e60a"
@ -14,6 +14,10 @@ if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
exit 1
fi
PGPsigner="romanz"
PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
PGPpubkeyFingerprint="87CAE5FA46917CBB"
source /mnt/hdd/raspiblitz.conf
# get local and global internet info
@ -280,7 +284,8 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
sudo -u electrs git clone https://github.com/romanz/electrs
cd /home/electrs/electrs || exit 1
sudo -u electrs git reset --hard $ELECTRSVERSION
sudo -u electrs /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
sudo -u electrs /home/electrs/.cargo/bin/cargo build --locked --release || exit 1
echo

View File

@ -5,10 +5,7 @@
# https://github.com/openoms/bitcoin-tutorials/tree/master/joinmarket
# https://github.com/openoms/joininbox
JBVERSION="v0.6.1" # with JoinMarket v0.9.2
PGPsigner="openoms"
PGPpkeys="https://keybase.io/oms/pgp_keys.asc"
PGPcheck="13C688DB5B9C745DE4D2E4545BFB77609B081B65"
JBVERSION="v0.6.3" # with JoinMarket v0.9.3
# command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
@ -18,6 +15,10 @@ if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
exit 1
fi
PGPsigner="openoms"
PGPpubkeyLink="https://github.com/openoms.gpg"
PGPpubkeyFingerprint="13C688DB5B9C745DE4D2E4545BFB77609B081B65"
# check if sudo
if [ "$EUID" -ne 0 ]
then echo "Please run as root (with sudo)"
@ -103,36 +104,8 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
cd /home/joinmarket/joininbox || exit 1
# https://github.com/openoms/joininbox/releases/
sudo -u joinmarket git reset --hard $JBVERSION
sudo -u joinmarket wget -O "pgp_keys.asc" ${PGPpkeys}
gpg --import --import-options show-only ./pgp_keys.asc
fingerprint=$(gpg "pgp_keys.asc" 2>/dev/null | grep "${PGPcheck}" -c)
if [ ${fingerprint} -lt 1 ]; then
echo
echo "# !!! WARNING --> the PGP fingerprint is not as expected for ${PGPsigner}"
echo "# Should contain PGP: ${PGPcheck}"
echo "# PRESS ENTER to TAKE THE RISK if you think all is OK"
read key
fi
gpg --import ./pgp_keys.asc
verifyResult=$(git verify-commit $JBVERSION 2>&1)
goodSignature=$(echo ${verifyResult} | grep 'Good signature' -c)
echo "# goodSignature(${goodSignature})"
correctKey=$(echo ${verifyResult} | tr -d " \t\n\r" | grep "${PGPcheck}" -c)
echo "# correctKey(${correctKey})"
if [ ${correctKey} -lt 1 ] || [ ${goodSignature} -lt 1 ]; then
echo
echo "# !!! BUILD FAILED --> PGP verification not OK / signature(${goodSignature}) verify(${correctKey})"
exit 1
else
echo
echo "########################################################################"
echo "# OK --> the PGP signature of the checked out $JBVERSION commit is correct #"
echo "########################################################################"
echo
fi
sudo -u joinmarket /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
# copy the scripts in place
sudo -u joinmarket cp /home/joinmarket/joininbox/scripts/* /home/joinmarket/

View File

@ -5,7 +5,7 @@
# but main focus for the future development should be on LIT
# https://github.com/lightninglabs/loop/releases-
pinnedVersion="v0.11.2-beta"
pinnedVersion="v0.15.0-beta"
# command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
@ -32,6 +32,16 @@ Type 'loop' again to see the available options.
exit 0
fi
# releases are creatd on GitHub
PGPsigner="web-flow"
PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
PGPpubkeyFingerprint="4AEE18F83AFDEB23"
# TODO download with .tar.gz
#PGPsigner="alexbosworth"
#PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
#PGPpubkeyFingerprint="E80D2F3F311FD87E"
# stop services
echo "making sure the loopd.service is not running"
sudo systemctl stop loopd 2>/dev/null
@ -75,6 +85,8 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
sudo -u loop git clone https://github.com/lightninglabs/loop.git
cd /home/loop/loop
sudo -u loop git reset --hard $pinnedversion
sudo -u loop /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
cd /home/loop/loop/cmd
sudo -u loop /usr/local/go/bin/go install ./... || exit 1
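Review bot: `git reset --hard $pinnedversion` in this hunk spells the variable with a lowercase "v", while the one set at the top of the script is `pinnedVersion`. Unless a lowercase variable is defined outside the visible lines, the reset runs with no argument and leaves the clone on the tip of the default branch. The verification added right below then checks that tip against the `web-flow` key instead of the pinned release. Fix the variable name and add `|| exit 1` to the reset, so a failed checkout cannot be followed by a passing signature check on a different commit.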
@ -198,6 +210,8 @@ if [ "$1" = "update" ]; then
echo "# Reset to the latest release tag"
TAG=$(git tag | sort -V | tail -1)
sudo -u loop git reset --hard $TAG
sudo -u loop /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
echo "# Updating ..."
# install to /home/loop/go/bin/
cd /home/loop/loop/cmd

View File

@ -12,6 +12,10 @@ if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
exit 1
fi
PGPsigner="wiz"
PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
PGPpubkeyFingerprint="A394E332255A6173"
source /mnt/hdd/raspiblitz.conf
# show info menu
@ -120,6 +124,8 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
sudo -u mempool git clone https://github.com/mempool/mempool.git
cd mempool
sudo -u mempool git reset --hard $pinnedVersion
sudo -u mempool /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
# modify an
#echo "# try to suppress question on statistics report .."

View File

@ -151,6 +151,11 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
cd /home/rtl/RTL
# check https://github.com/Ride-The-Lightning/RTL/releases/
sudo -u rtl git reset --hard $RTLVERSION
PGPsigner="saubyk"
PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
PGPpubkeyFingerprint="00C9E2BC2E45666F"
sudo -u rtl /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" "${RTLVERSION}" || exit 1
# from https://github.com/Ride-The-Lightning/RTL/commits/master
# git checkout 917feebfa4fb583360c140e817c266649307ef72
if [ -f /home/rtl/RTL/LICENSE ]; then
@ -469,7 +474,7 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then
fi
# DEACTIVATED FOR NOW:
# - parameter scheme is conflicting with setting all perfixes etc
# - parameter scheme is conflicting with setting all prefixes etc
# - also just updating to latest has high change of breaking
#if [ "$1" = "update" ]; then
# echo "# UPDATING RTL"

View File

@ -1,16 +1,20 @@
#!/bin/bash
# https://github.com/prusnak/suez/commits/master
SUEZVERSION="c19cedb715317a843d09a1347dcfaef4013f589b"
SUEZVERSION="335d43029cdb9da42b5ad55ad2df4cdfeafe0405"
# command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
echo "config script to install, update or uninstall Suez"
echo "bonus.suez.sh [on|off|menu|update]"
echo "installs the version $SUEZVERSION by default"
exit 1
echo "config script to install, update or uninstall Suez"
echo "bonus.suez.sh [on|off|menu|update]"
echo "installs the version $SUEZVERSION by default"
exit 1
fi
PGPsigner="prusnak"
PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
PGPpubkeyFingerprint="91F3B339B9A02A3D"
source /mnt/hdd/raspiblitz.conf
# add default value to raspi config if needed
@ -43,12 +47,13 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
sudo -u bitcoin git clone https://github.com/prusnak/suez.git
cd suez || exit 1
sudo -u bitcoin git reset --hard $SUEZVERSION
sudo -u bitcoin /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
sudo -u bitcoin /home/bitcoin/.local/bin/poetry install
echo "# Adding alias"
echo "alias suez='cd /home/bitcoin/suez && sudo -u bitcoin /home/bitcoin/.local/bin/poetry run ./suez'"\
| sudo tee -a /home/admin/_aliases
| sudo tee -a /home/admin/_aliases
# setting value in raspi blitz config
sudo sed -i "s/^suez=.*/suez=on/g" /mnt/hdd/raspiblitz.conf
@ -66,7 +71,7 @@ fi
if [ "$1" = "0" ] || [ "$1" = "off" ]; then
echo "# REMOVING SUEZ"
sudo userdel -rf suez
sudo rm -rf /home/bitcoin/suez
echo "# OK, suez is removed."
# setting value in raspi blitz config
@ -84,9 +89,13 @@ if [ "$1" = "update" ]; then
sudo -u bitcoin curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/install-poetry.py\
| sudo -u bitcoin python -
# download source code
sudo -u bitcoin git clone https://github.com/prusnak/suez.git
if [ -d suez ]; then
sudo -u bitcoin git clone https://github.com/prusnak/suez.git
fi
cd suez || exit 1
sudo -u bitcoin git pull
sudo -u bitcoin /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
sudo -u bitcoin /home/bitcoin/.local/bin/poetry install
echo "# Updated to the latest in https://github.com/prusnak/suez/commits/master"
exit 0
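Review bot: The new guard `if [ -d suez ]; then` around `git clone` is inverted: it clones only when the `suez` directory already exists and skips the clone when it is missing, after which `cd suez || exit 1` aborts the update. It should be `if [ ! -d suez ]; then`. After `git pull`, the check requires the tip of master to be signed with the prusnak key, so a commit created through the GitHub web interface (signed by `web-flow`) would fail the update; say in a comment whether that is intended. Add `|| exit 1` to the pull as well.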

View File

@ -1,7 +1,7 @@
#!/bin/bash
# https://github.com/apotdevin/thunderhub
THUBVERSION="v0.12.30"
THUBVERSION="v0.12.31"
# command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
@ -11,6 +11,10 @@ if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
exit 1
fi
PGPsigner="apotdevin"
PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
PGPpubkeyFingerprint="4403F1DFBE779457"
# check and load raspiblitz config
# to know which network is running
source /home/admin/raspiblitz.info
@ -86,11 +90,16 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
cd /home/thunderhub/thunderhub || exit 1
# https://github.com/apotdevin/thunderhub/releases
sudo -u thunderhub git reset --hard $THUBVERSION
sudo -u thunderhub /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
# opt out of telemetry
sudo -u thunderhub npx next telemetry disable
echo "Running npm install and run build..."
sudo -u thunderhub npm install
if ! [ $? -eq 0 ]; then
echo "FAIL - npm install did not run correctly, aborting"
exit 1
if ! sudo -u thunderhub npm install; then
echo "FAIL - npm install did not run correctly, aborting"
exit 1
fi
sudo -u thunderhub npm run build
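Review bot: `npx next telemetry disable` is placed before `npm install`, so on a fresh clone `next` is not yet in `node_modules` and npx falls back to the npm registry for it, outside the commit that was just verified. Move the call after `npm install`, or set `NEXT_TELEMETRY_DISABLED=1` in the build environment instead. The update path in the next hunk still uses the `if ! [ $? -eq 0 ]` form that this hunk replaces with `if ! sudo -u thunderhub npm install; then`; convert both for consistency.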
@ -312,8 +321,12 @@ if [ "$1" = "update" ]; then
echo "# Reset to the latest release tag"
TAG=$(git tag | sort -V | tail -1)
sudo -u thunderhub git reset --hard $TAG
sudo -u thunderhub /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
# install deps
# opt out of telemetry
sudo -u thunderhub npx next telemetry disable
echo "# Installing dependencies..."
sudo -u thunderhub npm install --quiet
if ! [ $? -eq 0 ]; then
@ -329,7 +342,7 @@ if [ "$1" = "update" ]; then
fi
echo "# Updated to the release in https://github.com/apotdevin/thunderhub"
echo ""
echo
echo "# Starting the ThunderHub service ... *** "
sudo systemctl start thunderhub
exit 0

View File

@ -15,6 +15,10 @@ if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ];then
exit 1
fi
PGPsigner="web-flow"
PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
PGPpubkeyFingerprint="4AEE18F83AFDEB23"
# source <(/home/admin/config.scripts/network.aliases.sh getvars cl <mainnet|testnet|signet>)
source <(/home/admin/config.scripts/network.aliases.sh getvars cl mainnet)
@ -81,7 +85,7 @@ $url
fi
if [ "$1" = "on" ];then
echo
echo "# Installing Rust for the bitcoin user"
echo
@ -93,6 +97,10 @@ if [ "$1" = "on" ];then
sudo -u bitcoin git clone https://github.com/Start9Labs/c-lightning-http-plugin.git
cd c-lightning-http-plugin || exit 1
sudo -u bitcoin git reset --hard ${clHTTPpluginVersion} || exit 1
sudo -u bitcoin /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
echo
echo "# change CL REST port to 9080"
sudo sed -i "s/8080/9080/g" src/rpc.rs
@ -137,19 +145,19 @@ http-pass=${PASSWORD_B}
echo "# Monitor with:"
echo "sudo journalctl | grep clHTTPplugin | tail -n5"
echo "sudo tail -n 100 -f /home/bitcoin/.lightning/${CLNETWORK}/cl.log | grep clHTTPplugin"
fi
if [ "$1" = "off" ];then
# delete symlink
sudo rm -rf /home/bitcoin/cl-plugins-enabled/c-lightning-http-plugin
echo "# Editing ${CLCONF}"
sudo sed -i "/^http-pass/d" ${CLCONF}
echo "# Restart the lightningd.service to deactivate clHTTPplugin"
sudo systemctl restart lightningd
/home/admin/config.scripts/internet.hiddenservice.sh off clHTTPplugin
# purge

View File

@ -1,7 +1,7 @@
#!/bin/bash
# https://github.com/Ride-The-Lightning/c-lightning-REST/releases/
CLRESTVERSION="v0.5.1"
CLRESTVERSION="v0.5.2"
# help
if [ $# -eq 0 ]||[ "$1" = "-h" ]||[ "$1" = "--help" ];then
@ -21,7 +21,7 @@ source <(/home/admin/config.scripts/network.aliases.sh getvars cl $2)
echo "# Running 'cl.rest.sh $*'"
if [ $1 = connect ];then
if [ "$1" = connect ];then
echo "# Allowing port ${portprefix}6100 through the firewall"
sudo ufw allow "${portprefix}6100" comment "${netprefix}clrest"
localip=$(ip addr | grep 'state UP' -A2 | grep -E -v 'docker0|veth' | grep 'eth0\|wlan0\|enp0' | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
@ -72,7 +72,7 @@ if [ $1 = connect ];then
exit 0
fi
if [ $1 = on ];then
if [ "$1" = on ];then
echo "# Setting up c-lightning-REST for $CHAIN"
sudo systemctl stop ${netprefix}clrest
@ -83,6 +83,13 @@ if [ $1 = on ];then
sudo -u bitcoin git clone https://github.com/saubyk/c-lightning-REST
cd c-lightning-REST || exit 1
sudo -u bitcoin git reset --hard $CLRESTVERSION
PGPsigner="saubyk"
PGPpubkeyLink="https://github.com/${PGPsigner}.gpg"
PGPpubkeyFingerprint="00C9E2BC2E45666F"
sudo -u bitcoin /home/admin/config.scripts/blitz.git-verify.sh \
"${PGPsigner}" "${PGPpubkeyLink}" "${PGPpubkeyFingerprint}" || exit 1
sudo -u bitcoin npm install
fi