Prepare logic

2026-06-08 08:12:15 -04:00 · 2019-11-12 00:00:26 +01:00 · 2019-11-12 00:00:26 +01:00 · 7cc0a02a7c
commit 7cc0a02a7c
parent d290fe464e
7 changed files with 126 additions and 30 deletions
--- a/windows-installer/auto-update.ps1
+++ b/windows-installer/auto-update.ps1
@ -0,0 +1,81 @@
+#Requires -RunAsAdministrator
+
+Param(
+    [Parameter(Mandatory=$true)]
+    [string]$InstallDir
+)
+
+Start-Transcript -Path "C:\Certbot\log\auto-update.log"
+trap {
+    Stop-Transcript
+}
+
+$ErrorActionPreference = 'Stop'
+
+$installerAuthenticodeCertificateThumbprint = "74B2E146A82F2B71F8EB4B13EBBB6F951757D8C2"
+
+# Get current local certbot version
+try {
+    $currentVersion = certbot --version
+    $currentVersion = $currentVersion -replace '^certbot (\d+\.\d+\.\d+).*$', '$1'
+} catch {
+    "An error occured while fetching the current local certbot version:"
+    $_.Exception
+    "Assuming Certbot is not up-to-date."
+    $currentVersion = "0.0.0"
+}
+
+# Get latest remote certbot version
+try {
+    $result = Invoke-RestMethod -Uri https://api.github.com/repos/certbot/certbot/releases/latest
+    $latestVersion = $result.tag_name -replace '^v(\d+\.\d+\.\d+).*$', '$1'
+} catch {
+    "Could not get the latest remote certbot version. Error was:"
+    $_.Exception
+    throw "Aborting auto-upgrade process."
+}
+
+if ([System.Version]"$currentVersion" -ge [System.Version]"$latestVersion") {
+    "No upgrade is needed, Certbot is already at the latest version ($currentVersion)."
+} else {
+    # Search for the Windows installer asset
+    $installerUrl = $null
+    foreach ($asset in $result.assets) {
+        if ($asset.name -match '^certbot-.*installer-win32\.exe$') {
+            $installerUrl = $asset.browser_download_url
+        }
+    }
+
+    if ($null -eq $installerUrl) {
+        throw "Could not find the URL for the latest Certbot for Windows installer."
+    }
+
+    "Starting Certbot auto-upgrade from $currentVersion to $latestVersion ..."
+
+    $installerPath = "$env:TMP/certbot-installer-win32.exe"
+    try {
+        # Download the installer
+        "Downloading the installer ..."
+        $webClient = New-Object System.Net.WebClient
+        $webClient.DownloadFile($installerUrl, $installerPath)
+
+        # Check installer has a valid signature from the Certbot release team
+        $signature = Get-AuthenticodeSignature "C:\Dev\Firefox Installer.exe"
+        
+        if ($signature.Status -ne 'Valid') {
+            throw "Downloaded installer has no or invalid Authenticode signature."
+        }
+
+        if ($signature.SignerCertificate.Thumbprint -ne $installerAuthenticodeCertificateThumbprint) {
+            throw "Downloaded installer has not been signed by Certbot development team."
+        }
+
+        # Install new version of Certbot
+        "Running the installer ..."
+        Start-Process -FilePath $installerPath -ArgumentList "/S /D=$InstallDir"
+
+        "Certbot $latestVersion is installed."
+    } finally {
+        Remove-Item $installerPath -ErrorAction 'Ignore'
+    }
+}
--- a/windows-installer/construct.py
+++ b/windows-installer/construct.py
@ -84,8 +84,9 @@ def _copy_assets(build_path, repo_path):
    shutil.copy(os.path.join(repo_path, 'windows-installer', 'certbot.ico'), build_path)
    shutil.copy(os.path.join(repo_path, 'windows-installer', 'run.bat'), build_path)
    shutil.copy(os.path.join(repo_path, 'windows-installer', 'template.nsi'), build_path)
-    shutil.copy(os.path.join(repo_path, 'windows-installer', 'renew-up.ps1'), build_path)
-    shutil.copy(os.path.join(repo_path, 'windows-installer', 'renew-down.ps1'), build_path)
+    shutil.copy(os.path.join(repo_path, 'windows-installer', 'tasks-up.ps1'), build_path)
+    shutil.copy(os.path.join(repo_path, 'windows-installer', 'tasks-down.ps1'), build_path)
+    shutil.copy(os.path.join(repo_path, 'windows-installer', 'auto-update.ps1'), build_path)


 def _generate_pynsist_config(repo_path, build_path):
@ -143,8 +144,9 @@ bitness={python_bitness}
 [Include]
 local_wheels=wheels\\*.whl
 files=run.bat
-      renew-up.ps1
-      renew-down.ps1
+      tasks-up.ps1
+      tasks-down.ps1
+      auto-update.ps1

 [Command certbot]
 entry_point=certbot._internal.main:main
--- a/windows-installer/renew-down.ps1
+++ b/windows-installer/renew-down.ps1
@ -1,6 +0,0 @@
-$taskName = "Certbot Renew Task"
-
-$exists = Get-ScheduledTask | Where-Object {$_.TaskName -like $taskName}
-if ($exists) {
-    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
-}
--- a/windows-installer/renew-up.ps1
+++ b/windows-installer/renew-up.ps1
@ -1,15 +0,0 @@
-function Get-ScriptDirectory { Split-Path $MyInvocation.ScriptName }
-$down = Join-Path (Get-ScriptDirectory) 'renew-down.ps1'
-& $down
-
-$taskName = "Certbot Renew Task"
-
-$action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -Command "certbot renew"'
-$delay = New-TimeSpan -Hours 12
-$triggerAM = New-ScheduledTaskTrigger -Daily -At 12am -RandomDelay $delay
-$triggerPM = New-ScheduledTaskTrigger -Daily -At 12pm -RandomDelay $delay
-# NB: For now scheduled task is set up under SYSTEM account because Certbot Installer installs Certbot for all users.
-# If in the future we allow the Installer to install Certbot for one specific user, the scheduled task will need to
-# switch to this user, since Certbot will be available only for him.
-$principal = New-ScheduledTaskPrincipal -UserId SYSTEM -LogonType ServiceAccount -RunLevel Highest
-Register-ScheduledTask -Action $action -Trigger $triggerAM,$triggerPM -TaskName $taskName -Description "Execute twice a day the 'certbot renew' command, to renew managed certificates if needed." -Principal $principal
--- a/windows-installer/tasks-down.ps1
+++ b/windows-installer/tasks-down.ps1
@ -0,0 +1,8 @@
+$tasks = "Certbot Renew & Auto-Update Task", "Certbot Renew Task"
+
+foreach ($task in $tasks) {
+    $exists = Get-ScheduledTask | Where-Object {$_.TaskName -like $task}
+    if ($exists) {
+        Unregister-ScheduledTask -TaskName $task -Confirm:$false
+    }
+}
--- a/windows-installer/tasks-up.ps1
+++ b/windows-installer/tasks-up.ps1
@ -0,0 +1,26 @@
+Param(
+    [Parameter(Mandatory=$true)]
+    [string]$InstallDir
+)
+
+Function Get-ScriptDirectory { Split-Path $MyInvocation.ScriptName }
+$down = Join-Path (Get-ScriptDirectory) 'tasks-down.ps1'
+& $down
+
+$taskName = "Certbot Renew & Auto-Update Task"
+
+$actionRenew = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -Command "certbot renew"'
+$actionPreUpgrade = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument "-NoProfile -WindowStyle Hidden -Command ""Copy-Item '$InstallDir\auto-update.ps1' ""`$env:TMP\auto-update.ps1"""""
+$actionUpgrade = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument "-NoProfile -WindowStyle Hidden -File ""`$env:TMP\auto-update.ps1"" -InstallDir '$InstallDir'"
+$actionPostUpgrade = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -Command "Remove-Item "$env:TMP\auto-update.ps1" -ErrorAction "Ignore""'
+
+$delay = New-TimeSpan -Hours 12
+$triggerAM = New-ScheduledTaskTrigger -Daily -At 12am -RandomDelay $delay
+$triggerPM = New-ScheduledTaskTrigger -Daily -At 12pm -RandomDelay $delay
+# NB: For now scheduled task is set up under Administrators account because Certbot Installer installs Certbot for all users.
+# If in the future we allow the Installer to install Certbot for one specific user, the scheduled task will need to
+# switch to this user, since Certbot will be available only for him.
+$adminSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
+$adminGroupID = $adminSID.Translate([System.Security.Principal.NTAccount]).Value
+$principal = New-ScheduledTaskPrincipal -GroupId $adminGroupID -RunLevel Highest
+Register-ScheduledTask -Action $actionRenew,$actionPreUpgrade,$actionUpgrade,$actionPostUpgrade -Trigger $triggerAM,$triggerPM -TaskName $taskName -Description "Execute twice a day the 'certbot renew' command, to renew managed certificates if needed." -Principal $principal
--- a/windows-installer/template.nsi
+++ b/windows-installer/template.nsi
@ -165,9 +165,9 @@ Section "!${PRODUCT_NAME}" sec_app
                   "NoRepair" 1

  ; CERTBOT CUSTOM BEGIN
-  ; Execute ps script to create the certbot renew task
-  DetailPrint "Setting up certbot renew scheduled task"
-  nsExec::ExecToStack 'powershell -inputformat none -ExecutionPolicy RemoteSigned -File "$INSTDIR\renew-up.ps1"'
+  ; Execute ps script to create the certbot renew & auto-update task
+  DetailPrint "Setting up certbot renew & auto-update scheduled task"
+  nsExec::ExecToStack 'powershell -inputformat none -ExecutionPolicy RemoteSigned -File "$INSTDIR\tasks-up.ps1" -InstallDir "$INSTDIR"'
  ; CERTBOT CUSTOM END

  ; Check if we need to reboot
@ -180,8 +180,8 @@ SectionEnd

 Section "Uninstall"
  ; CERTBOT CUSTOM BEGIN
-  ; Execute ps script to remove the certbot renew task
-  nsExec::ExecToStack 'powershell -inputformat none -ExecutionPolicy RemoteSigned -File "$INSTDIR\renew-down.ps1"'
+  ; Execute ps script to remove the certbot renew & auto-update task
+  nsExec::ExecToStack 'powershell -inputformat none -ExecutionPolicy RemoteSigned -File "$INSTDIR\tasks-down.ps1"'
  ; CERTBOT CUSTOM END

  SetRegView [[ib.py_bitness]]