jaybrown / superbackeddownloader Goto Github PK

Superbacked Downloader (sbdl)

macOS shell script and LaunchAgent to automatically download and verify Superbacked updates and auxiliary files

Current version: 0.7.0

SUPERBACKED INFORMATION

Superbacked website: https://superbacked.com/
Superbacked on GitHub: https://github.com/superbacked/superbacked
Superbacked developer on GitHub: https://github.com/sunknudsen
Developer GPG public key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060

NOTES

For Superbacked Downloader to work, the Superbacked application itself needs to be installed on the same Mac as Superbacked Downloader. If Superbacked is not installed, Superbacked Downloader will just download the latest release over and over again.

If you are using your main instance of Superbacked on an air-gapped or factory-reset Mac, you should run this script/agent on your daily-driver Mac containing a placeholder installation of Superbacked.

When a new update has been released, the shell script will download and verify the following files:

* GPG .asc signature file for the checksums file (download only)
* SHA256 hashes file
* release notes (.txt)
* main distribution file (macOS DMG or Linux AppImage)
* Superbacked application (verification & macOS .app only)

SECURITY NOTES

DON'T TRUST, VERIFY! Superbacked Downloader is set up to automatically verify the SHA-256 hashes file using the GPG signature file and the developer's GPG public key, and then verify all downloaded files using the SHA-256 hashes. It will also verify the internal checksum of the distribution DMG as well as the code signature integrity of the macOS .app bundle. Please be mindful that all this amounts to convenience over security, so it would be wise to always manually verify the downloads yourself.

SCRIPT INSTALLATION

* download or clone this repository
* `chmod +x ./sbdl` (if necessary)
* downloaded repo: `cp ./sbdl /usr/local/bin/sbdl` (use sudo if you receive a permissions error)
* cloned repo: `ln -s ./sbdl /usr/local/bin/sbdl` (use sudo if you receive a permissions error)
* if you use a different path, you need to modify the agent's plist file accordingly (see below)

VERIFICATION

* cosign public key: https://github.com/JayBrown/JayBrown-github.com-cosign-public-key
* `cosign verify-blob --signature ./sbdl.cosign.sig --key "$HOME/.cosign/[email protected]" ./sbdl`

AGENT MODIFICATION

* rename file: replace '$USER' with your local macOS user name, i.e. with the output of `id -un` or of `echo $USER`
* open the agent's plist file in a text editor
* replace all instances of '$USER' with your local macOS user name
* OPTIONAL: modify the 'Program' key if you have installed the script into a different path than /usr/local/bin
* OPTIONAL: modify the 'StartInterval' key to execute sbdl more often, e.g. '14400' for every 4 hours
* save & close

AGENT INSTALLATION

* `cp ./local.$USER.sbdl.plist ~/Library/LaunchAgents/local.$USER.sbdl.plist`
* `launchctl load ~/Library/LaunchAgents/local.$USER.sbdl.plist`
* `launchctl start local.$USER.sbdl.plist`

FILES CREATED

(1) Log: ~/Library/Logs/local.$USER.sbdl.log
(2a) Configuration directory: ~/Library/Application Support/SuperbackedDownloader
(2b) Configuration file: ~/Library/Application Support/SuperbackedDownloader/sbdl.cfg
(3) stdout & stderr created by the agent in /tmp
(4) SBDL_DISCLAIMER.txt in the user's downloads directory

ERROR AT FIRST RUN

The initial run of the LaunchAgent will fail with an error, because the configuration file is still missing your personal software license key. You need to enter your license key manually. (The script will automatically open the configuration folder in Finder.)

MANDATORY CONFIGURATION

* please import the developer's public key (see above) into your GPG keyring (or the GUI-based GPG Keychain)
* open the file sbdl.cfg in a text editor
* License: replace '<yourLicenseKey>' with your actual Superbacked software license key which you received from the developer after purchase
* save & close

OPTIONAL CONFIGURATION

* open the file sbdl.cfg in a text editor
* DownloadPath: enter a download directory (full path) to avoid downloading to ~/Downloads
* LinuxDownload: enter 'y' or 'yes' etc. to additionally download the Linux AppImage
* ReleaseLabel: enter 'op' as the software label if you are not using the default 'std' release
* Platform (Linux only): enter 'x64' or 'arm64' (defaults to 'x64')
* save & close

MANDATORY DEPENDENCIES

* gpg: install e.g. with Homebrew or MacPorts etc. (gnupg), or as part of the GPG Suite: https://gpgtools.org
NOTE: if you have not installed gpg, Superbacked Downloader will still work and download all related files and updates, but you will receive verification warnings.

OPTIONAL DEPENDENCIES

* lynx: install e.g. with Homebrew or MacPorts etc.
NOTE: slightly more efficient than macOS' built-in cURL for extracting the latest version number from Superbacked's GitHub repo
* 7z: install e.g. with Homebrew or MacPorts etc. (p7zip)
NOTE: the 7z command is only used to coarsely verify the integrity of an already downloaded Linux AppImage

DISCLAIMER

SUPERBACKED DOWNLOADER ('THE SOFTWARE') IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, ESPECIALLY LOST OR STOLEN SECRETS AND ASSOCIATED DATA OR VALUE, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.