feat(core): ✨ 新增 Homebrew 远程启动器并更新文档

新增 `brew-upgrade-manager-bootstrap.sh` 启动器脚本。该启动器支持通过 macOS Keychain 安全存储 sudo 密码，并能自动从远程拉取最新的 Homebrew 升级主脚本执行，随后清理临时文件。同步更新 `README.md`，提供了推荐的 `brewup` 函数配置方法、Keychain 密码管理说明以及 SHA256 校验等调试指南。主要变更： - 新增支持 Keychain 认证的远程启动器脚本 - 实现 sudo 凭据自动管理与安全存储 - 完善项目文档，增加详细的使用说明和配置推荐
2026-05-08 01:53:12 +08:00
parent 5d40ad44e9
commit 54a4fa7e65
2 changed files with 205 additions and 42 deletions
--- a/homebrew/brew-upgrade-manager-bootstrap.sh
+++ b/homebrew/brew-upgrade-manager-bootstrap.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+# 目标：下载远程升级脚本、执行、销毁临时文件
+set -euo pipefail
+
+REMOTE="https://git.orionc.me/orion/script/raw/branch/main/homebrew/brew-upgrade-manager.sh"
+TEMP="$(mktemp "${TMPDIR:-/tmp}/brew-upgrade-manager.XXXXXX.sh")"
+KEYCHAIN_SERVICE="${BREWUP_KEYCHAIN_SERVICE:-brewup-sudo-password}"
+ASKPASS_TEMP="$(mktemp "${TMPDIR:-/tmp}/brewup-askpass.XXXXXX.sh")"
+cleanup() {
+    rm -f "$TEMP" "$ASKPASS_TEMP"
+}
+trap cleanup EXIT INT TERM
+
+PATH="/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+export PATH
+
+setup_sudo_askpass() {
+    cat > "$ASKPASS_TEMP" <<'EOF'
+#!/usr/bin/env bash
+exec /usr/bin/security find-generic-password -a "${USER:-$(id -un)}" -s "${BREWUP_KEYCHAIN_SERVICE:-brewup-sudo-password}" -w
+EOF
+    chmod 700 "$ASKPASS_TEMP"
+    export SUDO_ASKPASS="$ASKPASS_TEMP"
+    export BREWUP_KEYCHAIN_SERVICE="$KEYCHAIN_SERVICE"
+
+    if ! /usr/bin/security find-generic-password -a "$USER" -s "$KEYCHAIN_SERVICE" -w >/dev/null 2>&1; then
+        printf "首次使用：请输入一次 sudo 密码，将保存到 macOS Keychain："
+        IFS= read -r -s BREWUP_SUDO_PASSWORD
+        printf "\n"
+        /usr/bin/security add-generic-password -U -a "$USER" -s "$KEYCHAIN_SERVICE" -w "$BREWUP_SUDO_PASSWORD" >/dev/null
+        unset BREWUP_SUDO_PASSWORD
+    fi
+
+    echo "正在通过 Keychain 准备 sudo 凭据..."
+    if ! sudo -A -v; then
+        echo "Keychain 中的 sudo 密码不可用，请删除后重新保存：" >&2
+        echo "  security delete-generic-password -a \"$USER\" -s \"$KEYCHAIN_SERVICE\"" >&2
+        exit 1
+    fi
+}
+
+setup_sudo_askpass
+
+echo "正在下载远程脚本..."
+curl -f -sSL "$REMOTE" -o "$TEMP"
+chmod 600 "$TEMP"
+
+if [[ -n "${BREWUP_SHA256:-}" ]]; then
+    echo "正在校验脚本 SHA256..."
+    actual_sha256="$(shasum -a 256 "$TEMP")"
+    actual_sha256="${actual_sha256%% *}"
+    if [[ "$actual_sha256" != "$BREWUP_SHA256" ]]; then
+        echo "脚本 SHA256 不匹配，已停止执行。" >&2
+        echo "Expected: $BREWUP_SHA256" >&2
+        echo "Actual:   $actual_sha256" >&2
+        exit 1
+    fi
+fi
+
+
+if [[ "${BREWUP_DEBUG:-}" == "1" ]]; then
+    echo "Downloaded script first line:"
+    head -n 1 "$TEMP"
+fi
+
+bash "$TEMP" "$@"