kc9wwh / macOSUpgrade

Workflow for doing in-place upgrades.

Feature Request: Verify checksum of installer #23

Closed redshirtdave closed 6 years ago

redshirtdave commented 7 years ago

Would a quick md5 checksum verification be useful? sha1 is a bit slower and might be unnecessary, but could be used instead.

Some code I quickly put together, which replaces version checking with md5 verification.

```bash
# Use Parameter 7 in the JSS. Get this value by running 'md5 /Applications/Install\ macOS\ Sierra.app/Contents/SharedSupport/InstallESD.dmg'
OSChecksum="$7"

## Check for existing Sierra installer and verify checksum
if [ -e "$OSInstaller" ]; then
  /bin/echo "$OSInstaller found, verifying checksum."
  # -q prints only the digest, so the result does not depend on how many
  # space-separated fields the path adds to md5's normal output.
  OSChecksumVerify=$(/sbin/md5 -q "/Applications/Install macOS Sierra.app/Contents/SharedSupport/InstallESD.dmg")
  # Quote both operands so an empty or unset Parameter 7 is a mismatch, not a syntax error.
  if [ "$OSChecksum" = "$OSChecksumVerify" ]; then
    /bin/echo "Checksum passed."
    downloadSierra="No"
  else
    downloadSierra="Yes"
    ## Delete old version.
    /bin/echo "Installer found, but invalid. Deleting..."
    /bin/rm -rf "$OSInstaller"
  fi
else
  /bin/echo "Installer not found, will download."
  downloadSierra="Yes"
fi
```

kc9wwh commented 7 years ago

Hey @redshirtdave,

So after some discussion and contemplation over this, I don't believe this is something I'd add, due to added complexity on the admin part and that the jamf binary should already be handling the checksum for this when the package is installed/cached.

But I am willing to re-consider. If folks want to "up vote" for this feature, just reply to this thread and if there is enough I will work on adding it.

patgmac commented 7 years ago

@kc9wwh Jamf is not always the one doing the caching. It's now looking for an existing installer (presumably from Apple) and checking the version; if it matches the version from $4, it continues.

I don't think adding this would be a bad idea. Could even make it optional by checking for the existence of $7, if that's populated, check the checksum.

redshirtdave commented 7 years ago

@patgmac Yeah, that was my exact reasoning for the check. I'm not terribly fussed.

Hacksore commented 6 years ago

+1

I think this is a great feature to have and, like @patgmac said, it can be optional by default.