fixup! Add tix-upgrade(8).

tix/tix-fetch

@@ -52,6 +52,7 @@ url_mirror=false
 url_mirror_release=false
 url_release_sig=false
 url_sha256sum=false
+upgrade=false
 # TODO: Option to select this default:
 # TODO: This hides errors. Fix wget so it has a quiet, but errors, mode.
 wget_options="-q --show-progress"
@@ -112,6 +113,8 @@ for argument do
   --output-release-sig-file) previous_option=output_release_sig_file ;;
   --output-sha256sum=*) output_sha256sum=$parameter ;;
   --output-sha256sum) previous_option=output_sha256sum ;;
+  --output-upgrade-file=*) output_upgrade_file=$parameter ;;
+  --output-upgrade-file) previous_option=output_upgrade_file ;;
   --patch) patch=true ;;
   --port) port=true ;;
   --porttix) porttix=true ;;
@@ -124,6 +127,7 @@ for argument do
   --sysroot) previous_option=sysroot ;;
   --sysroot=*) sysroot=$parameter ;;
   --toolchain) toolchain=true ;;
+  --upgrade) upgrade=true ;;
   --url) url=true ;;
   --url-main) url_main=true ;;
   --url-mirror) url_mirror=true ;;
@@ -158,6 +162,7 @@ tmpdir=$(mktemp -dt tix-fetch-port.XXXXXX)
 trap 'rm -rf -- "$tmpdir"' EXIT HUP INT QUIT TERM
 
 upgrade_conf="${collection%/}/etc/upgrade.conf"
+CHANNEL=$(conf -d '' "$upgrade_conf" CHANNEL)
 RELEASE_KEY=$(conf -d '' "$upgrade_conf" RELEASE_KEY)
 RELEASE_SIG_URL=$(conf -d '' "$upgrade_conf" RELEASE_SIG_URL)
 PREFERRED_MIRROR=$(conf -d '' "$upgrade_conf" PREFERRED_MIRROR)
@@ -203,17 +208,32 @@ do_wget() {
 }
 
 # Fetch signed release description.
-if [ -z "$input_release_file" ]; then
-  if [ -z "$input_release_sig_file" ]; then
-    (cd "$tmpdir" &&
-     do_wget -U "$USER_AGENT" $wget_options -O release.sh.sig \
-             -- "$RELEASE_SIG_URL")
-  else
-    cp -T -- "$input_release_sig_file" "$tmpdir/release.sh.sig"
-  fi
+download_release_sh() {
+  (cd "$tmpdir" &&
+   do_wget -U "$USER_AGENT" $wget_options -O release.sh.sig \
+           -- "$RELEASE_SIG_URL")
   signify -Vq -p "$RELEASE_KEY" -em "$tmpdir/release.sh"
-else
+}
+
+true > "$tmpdir/upgrade.sh"
+
+if [ -z "$input_release_file" -a -z "$input_release_sig_file" ]; then
+  download_release_sh
+  tix-vars "$tmpdir/release.sh" | \
+  grep -E '^UPGRADE_=' | \
+  cat > "$tmpdir/upgrade.sh"
+  UPGRADE_SIG_URL=$(tix-vars -d '' "$tmpdir/upgrade.sh" UPGRADE_SIG_URL)
+  if $upgrade && [ -n "$UPGRADE_SIG_URL" ]; then
+    RELEASE_SIG_URL="$UPGRADE_SIG_URL"
+    RELEASE_KEY=$(tix-vars "$tmpdir/upgrade.sh" UPGRADE_KEY)
+    download_release_sh
+  fi
+fi
+
+if [ -n "$input_release_file" ]; then
   cp -T -- "$input_release_file" "$tmpdir/release.sh"
+elif [ -n "$input_release_sig_file" ]; then
+  signify -Vq -p "$RELEASE_KEY" -em "$tmpdir/release.sh"
 fi
 
 # Store the signed release file if requested.
@@ -226,6 +246,11 @@ if [ -n "$output_release_file" ]; then
   cp -T -- "$tmpdir/release.sh" "$output_release_file"
 fi
 
+# Store the upgrade file if requested.
+if [ -n "$output_upgrade_file" ]; then
+  cp -T -- "$tmpdir/upgrade.sh" "$output_upgrade_file"
+fi
+
 # Load the release description.
 # TODO: SECURITY: Protect against responding with older release.sh.
 
@@ -306,11 +331,6 @@ escape_extended_regex() {
   printf "%s\n" "$1" | sed -E -e 's/[[$()*?\+.^{|}]/\\\0/g'
 }
 
-# TODO: Remove:
-#escape_extended_regex_test_self() {
-#  printf "%s\n" "$1" | grep -E "^$(escape_extended_regex "$1")\$"
-#}
-
 request() {
   REQUEST="$1"
   REQUESTDIR="$2"

tix/tix-upgrade

@@ -26,6 +26,7 @@ download_only=false
 fetch_options=
 ports_only=false
 sysroot=""
+upgrade=--upgrade
 upgrade_ports=false
 upgrade_system=false
 wait=""
@@ -60,6 +61,7 @@ for argument do
   --fetch-options) previous_option=fetch_options ;;
   --insecure-downgrade-to-http) fetch_options="$fetch_options $argument" ;;
   --insecure-no-check-certificate) fetch_options="$fetch_options $argument" ;;
+  --no-upgrade) upgrade= ;;
   --ports) upgrade_ports=true ;;
   --system) upgrade_system=true ;;
   --sysroot) previous_option=sysroot ;;
@@ -122,37 +124,49 @@ fi
 mkdir -p -- "$cachedir"
 mkdir -p -- "$cachedir/new"
 
-# Fetch the latest official release.sig.sh and its matching sha256sum file.
+# Fetch the latest official signed release.sh and its matching sha256sum file.
 tix-fetch $fetch_options \
           --collection="$collection" \
           --output-release-file="$cachedir/new/release.sh" \
-          --output-release-sig-file="$cachedir/new/release.sh.sig" \
-          --output-sha256sum="$cachedir/new/sha256sum"
+          --output-sha256sum="$cachedir/new/sha256sum" \
+          --output-upgrade-file="$cachedir/new/upgrade.sh" \
+          $upgrade
 
-# If release.sig.sh or sha256sum changed, clean the cache directory of downloads
+# If release.sh or sha256sum changed, clean the cache directory of downloads
 # that were currently in progress as they might not have the right checksums.
 if [ ! -e "$cachedir/release.sh" ] ||
-   [ ! -e "$cachedir/release.sh.sig" ] ||
    [ ! -e "$cachedir/sha256sum" ] ||
-   ! (cd "$cachedir/new" && sha256sum release.sh release.sh.sig sha256sum) |
+   [ ! -e "$cachedir/upgrade.sh" ] ||
+   ! (cd "$cachedir/new" && sha256sum release.sh sha256sum upgrade.sh) |
      (cd "$cachedir" && sha256sum -cs); then
   rm -rf -- "$cachedir/boot"
   rm -rf -- "$cachedir/repository"
   rm -rf -- "$cachedir/sysroot"
 fi
 
-# Store the new release.sig.sh and sha256sum files so we can resume the download
+# Store the new release.sh and sha256sum files so we can resume the download
 # if cancelled and these files still match.
 mv -- "$cachedir/new/release.sh" "$cachedir/release.sh"
-mv -- "$cachedir/new/release.sh.sig" "$cachedir/release.sh.sig"
 mv -- "$cachedir/new/sha256sum" "$cachedir/sha256sum"
+mv -- "$cachedir/new/upgrade.sh" "$cachedir/upgrade.sh"
 rm -rf -- "$cachedir/new"
 
+# Check if we're upgrading to a new release.
+UPGRADE_SIG_URL=$(tix-vars -d '' "$cachedir/upgrade.sh" UPGRADE_SIG_URL)
+if [ -n "$UPGRADE_SIG_URL" ]; then
+  UPGRADE_CHANNEL=$(tix-vars "$cachedir/upgrade.sh" UPGRADE_CHANNEL)
+  UPGRADE_KEY=$(tix-vars "$cachedir/upgrade.sh" UPGRADE_KEY)
+  UPGRADE_NAME=$(tix-vars "$cachedir/upgrade.sh" UPGRADE_NAME)
+  if [ -n "$upgrade" ]; then
+    echo "Upgrading to $UPGRADE_NAME."
+  else
+    echo "Ignoring available upgrade to $UPGRADE_NAME."
+  fi
+fi
+
 mkdir -p -- "$cachedir/boot"
 mkdir -p -- "$cachedir/repository"
 
-# TODO: Support upgrading across releases, renamed channels, etc.
-
 # TODO: DO NOT SUBMIT: Temporary -d system compatibility until builds roll.
 SYSTEM_INITRDS=$(tix-vars -d system "$cachedir/release.sh" SYSTEM_INITRDS)
 
@@ -163,7 +177,7 @@ if $upgrade_system; then
   for initrd in $SYSTEM_INITRDS; do
     tix-fetch $fetch_options \
               --collection="$collection" \
-              --input-release-sig-file="$cachedir/release.sh.sig" \
+              --input-release-file="$cachedir/release.sh" \
               --input-sha256sum="$cachedir/sha256sum" \
               -c --initrd -O "$cachedir/boot" -- "$initrd"
   done
@@ -179,14 +193,14 @@ if $upgrade_ports; then
     # The port has a hash if if it exists upstream.
     sha256=$(tix-fetch $fetch_options \
                        --collection="$collection" \
-                       --input-release-sig-file="$cachedir/release.sh.sig" \
+                       --input-release-file="$cachedir/release.sh" \
                        --input-sha256sum="$cachedir/sha256sum" \
                        --sha256 --port -- $port)
     # If the port exists upstream, get the latest version.
     if [ -n "$sha256" ]; then
       tix-fetch $fetch_options \
                 --collection="$collection" \
-                --input-release-sig-file="$cachedir/release.sh.sig" \
+                --input-release-file="$cachedir/release.sh" \
                 --input-sha256sum="$cachedir/sha256sum" \
                 -c --port -O "$cachedir/repository" -- $port
     fi
@@ -201,6 +215,18 @@ fi
 rm -rf -- "$cachedir/sysroot"
 mkdir -p -- "$cachedir/sysroot"
 
+# Forward the upgrade metadata.
+UPGRADE_SIG_URL=$(tix-vars -d '' "$cachedir/upgrade.sh" UPGRADE_SIG_URL)
+if [ -n $upgrade ] && [ -n "$UPGRADE_SIG_URL" ]; then
+  mkdir -p -- "$cachedir/etc"
+  # TODO: More flexible and simple model.
+  cat > "$cachedir/etc/upgrade.conf" << EOF
+channel = $UPGRADE_CHANNEL
+release_key = $UPGRADE_KEY
+release_sig_url = $UPGRADE_SIG_URL
+EOF
+fi
+
 # Extract the base system into the sysroot.
 if $upgrade_system; then
   for initrd in $SYSTEM_INITRDS; do