lbu encrypt fixes

lbu

@@ -20,12 +20,17 @@ COMMITED_TDB="$APK_DATA/commited.tdb"
 EXCLUDE_LIST=/etc/lbu/exclude
 INCLUDE_LIST=/etc/lbu/include
 
+PACKAGES_LIST=/etc/lbu/packages.list
+
+DEFAULT_CIPHER="aes-256-cbc"
+
 MASK="Npugsh"
 
 LBUDIRS=`echo "$APK_LBUDIRS" | sed 's/:/ /g'`
 
-if [ -f /etc/lbu/lbu.conf ]; then
-	. /etc/lbu/lbu.conf
+LBU_CONF=/etc/lbu/lbu.conf
+if [ -f "$LBU_CONF" ]; then
+	. "$LBU_CONF"
 fi
 
 retcode=0
@@ -50,7 +55,7 @@ Common options:
 	exit 1
 }
 
-# verify we have openssl is we want to encrypt
+# verify we have openssl if we want to encrypt
 check_openssl() {
 	[ -z "$ENCRYPTION" ] && return 0
 	OPENSSL=$(which openssl 2>/dev/null) || die "openssl was not found"
@@ -171,8 +176,10 @@ cmd_package() {
 	local rc=0
 	local owd="$PWD"
 	local suff="apkovl.tar.gz"
+	local tmpdir tmppkg
 
 	check_openssl
+	init_tmpdir tmpdir
 
 	[ -n "$ENCRYPTION" ] && suff="$suff.$ENCRYPTION"
 
@@ -183,15 +190,18 @@ cmd_package() {
 		pkg="$PWD/$(hostname).$suff"
 	fi
 
+	tmppkg="$tmpdir/$(basename $pkg)"
+
 	# generate the packages.list
 	cd "$ROOT"
-	mkdir -p /etc/lbu
-	echo "#This file is generated by 'lbu package'" > /etc/lbu/packages.list
+	mkdir -p $(dirname $PACKAGES_LIST)
+	echo "#This file is generated by 'lbu package' (lbu $VERSION)" \
+		> $PACKAGES_LIST
 	for i in $(apk_glob '*') ; do
 		reqby=$(apk_info -qr $i);
 		# only add the packages who has no REQUIRED_BY
 		[ -z "$reqby" ] && echo $i
-	done | sed 's/-[0-9].*//' >> /etc/lbu/packages.list
+	done | sed 's/-[0-9].*//' >> $PACKAGES_LIST
 
 	# Automatically add list and modified files
 	currentlist=`VERBOSE="" USE_DEFAULT="-a" cmd_status -a | grep -v ^D | awk '{print $2}'`
@@ -203,22 +213,31 @@ cmd_package() {
 	# create tar archive
 	[ -f "$EXCLUDE_LIST" ] && excl="-X $EXCLUDE_LIST"
 	[ -f "$INCLUDE_LIST" ] && incl="-T $INCLUDE_LIST"
-
 	if [ -z "$ENCRYPTION" ]; then
-		if ! tar $VERBOSE $excl $incl -c $currentlist \
-			| gzip -c  >"$pkg" ; then
-			rm -f "$CURRENT_TDB"
-			rc=1
-		fi
+		tar $VERBOSE $excl $incl -c $currentlist \
+			| gzip -c  >"$tmppkg"
+		rc=$?
 	else
-		if ! tar $VERBOSE $excl $incl -c $currentlist \
-			| gzip -c \
-			| $OPENSSL enc "-$ENCRYPTION" -salt > "$pkg"
-		then
-			rm -f "$CURRENT_TDB"
-			rc=1
+		if [ -n "$VERBOSE" ]; then
+			echo "Archiving the following files:" >&2
+			# we dont want to mess the tar output with the
+			# password prompt. Lets get the tar output first.
+			tar  $excl $incl -c -v $currentlist > /dev/null
+			rc=$?
+		fi
+		if [ $rc -eq 0 ]; then
+			tar $excl $incl -c $currentlist | gzip -c \
+				| $OPENSSL enc "-$ENCRYPTION" -salt > "$tmppkg"
+			rc=$?
 		fi
 	fi
+
+	if [ $rc -eq 0 ]; then
+		[ -z "$DRYRUN" ] && cp "$tmppkg" "$pkg"
+	else
+		rm -f "$CURRENT_TDB"
+	fi
+
 	cd "$owd"
 	return $rc
 }
@@ -250,13 +269,19 @@ Create a backup of config to writeable media.
 usage: $PROGRAM commit|ci [-nv] [<media>]
 
 Options:
-  -d	Remove old configuration files.
+  -d	Remove old apk overlay files.
   -e	Protect configuration with a password.
   -n	Don't commit, just show what would have been commited.
   -v	Verbose mode.
 
 The following values for <media> is supported: floppy usb
 If <media> is not specified, the environment variable LBU_MEDIA will be used.
+
+Passows protection will use $DEFAULT_CIPHER encryption. Other ciphers can be
+used by setting the DEFAULT_CIPHER or ENCRYPTION environment variables.
+For possible ciphers, try: openssl -v
+
+The environment varialbes can also be set in $LBU_CONF
 "
 	exit 1
 }
@@ -267,6 +292,9 @@ cmd_commit() {
 
 	check_openssl
 
+	# turn on verbose mode if dryrun
+	[ -n "$DRYRUN" ] && VERBOSE="-v"
+
 	# find what media to use
 	if [ "$1" ] ; then
 		media="$1"
@@ -277,39 +305,36 @@ cmd_commit() {
 
 	# mount media unles its already mounted
 	mnt=/media/$media
-	[ -d $mnt ] || usage
+	[ -d "$mnt" ] || usage
 	was_mounted=`grep $mnt /proc/mounts`
 	if [ -z "$was_mounted" ]; then
 		mount $mnt || die "failed to mount $mnt."
 	fi
 
+	# find the outfile
+	outfile="$mnt/$(hostname).apkovl.tar.gz"
+	if [ -n "$ENCRYPTION" ]; then
+		outfile="$outfile.$ENCRYPTION"
+	fi
+
+	# remove old config files
 	if [ -n "$DELETEOLDCONFIGS" ] ; then
-		if [ -n "$DRYRUN" ] ; then
-			local rmfiles=$(ls "$mnt/*.apkovl.*" 2>/dev/null)
-			if [ -n "$rmfiles" ] ; then
-				echo "I would have removed:"
+		local rmfiles=$(ls "$mnt/"*.apkovl.tar.gz* 2>/dev/null)
+		if [ -n "$rmfiles" ] ; then
+			if [ -n "$VERBOSE" ]; then
+				echo "Removing old apk overlay files:" >&2
 				echo "$rmfiles"
+				echo "" >&2
 			fi
-		else
-			[ -n "$VERBOSE" ] && echo "Removing old config files"
-			rm "$mnt/*.apkovl.*" 2>/dev/null
+			[ -z "$DRYRUN" ] && rm "$mnt/"*.apkovl.tar.gz*
 		fi
 	else
-       		lines=$(ls -1 "$mnt"/*.apkovl.tar.gz* 2>/dev/null | wc -l )
-	       	if [ $lines -gt 1 ] ; then
+       		lines=$(ls -1 "$mnt"/*.apkovl.tar.gz* 2>/dev/null)
+		if [ -n "$lines" ] && [ "$lines" != "$outfile" ]; then
 	               	# More then one apkovl, this is a security concern
-	               	die "More than one apkovl file was found. Please use -d to erase old configs."
-		fi
-	fi
-
-	# commit files to archive
-	if [ "$DRYRUN" ] ; then
-		outfile=/dev/null
-		VERBOSE="-v"
-	else
-		outfile="$mnt/$(hostname).apkovl.tar.gz"
-		if [ -n "$ENCRYPTION" ]; then
-			outfile="$outfile.$ENCRYPTION"
+			[ -z "$was_mounted" ] && umount "$mnt"
+			[ -n "$VERBOSE" ] && echo "$lines"
+	               	die "Found multiple apkovl files. Please use -d to replace them all."
 		fi
 	fi
 
@@ -320,17 +345,18 @@ cmd_commit() {
 		die "Problems creating archive. aborting"
 	fi
 
-	# remove obsolete file
+	# remove obsolete file. some older version of alpine needs this
+	# to be ble to upgrade
 	if [ -z "$DRYRUN" ] && [ -f $mnt/packages.list ]; then
 		echo "Note: Removing packages.list from $(basename $mnt)."
-		echo "      /etc/lbu/packages.list will be used."
+		echo "      $PACKAGES_LIST will be used."
 		rm -f $mnt/packages.list
 	fi
 
 	# make sure data is written and unmount the media
 	sync
 	sleep 1
-	[ -z "$was_mounted" ] && umount $mnt
+	[ -z "$was_mounted" ] && umount "$mnt"
 
 	# move current to commited.
 	[ "$DRYRUN" ] || mv "$CURRENT_TDB" "$COMMITED_TDB"
@@ -476,9 +502,7 @@ while getopts "adehlM:nqrv" opt ; do
 			;;
 		d)	DELETEOLDCONFIGS="yes"
 			;;
-		e)	ENCRYPTION="aes-256-cbc" #hardcoded cyper for ssl, this can be expanded
-						 # to use different cyphers, the lbu_commit code
-						 # does not need to be changed
+		e)	ENCRYPTION="$DEFAULT_CIPHER"
 			;;
 		h) 	usage_$SUBCMD
 			;;