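#!/usr/bin/env bash
#
# Purpose: download the remote Homebrew upgrade script, run it, then destroy
# the temporary files.
#
# Usage: <this script> [args passed through to the downloaded script]
#
# Environment:
#   BREWUP_SHA256            expected SHA-256 of the downloaded script; when
#                            set, a mismatch aborts before anything is run
#   BREWUP_KEYCHAIN_SERVICE  Keychain service name holding the sudo password
#                            (default: brewup-sudo-password)
#   BREWUP_DEBUG             "1" prints the first line of the downloaded script
#   TMPDIR                   parent directory for the private work directory
#
# Security notes:
#   * The downloaded script is started after sudo has been primed and with
#     SUDO_ASKPASS exported, so it can obtain root non-interactively. Pinning
#     BREWUP_SHA256 is the only integrity check this wrapper performs.
#   * NOTE(review): the sudo password is kept as a Keychain generic password
#     and read back through security(1); confirm which processes the item's
#     ACL lets read it without a prompt before relying on this on a shared or
#     exposed machine.
set -euo pipefail

# Files created below must never be readable by other users.
umask 077

REMOTE="https://git.orionc.me/orion/script/raw/branch/main/homebrew/brew-upgrade-manager.sh"
KEYCHAIN_SERVICE="${BREWUP_KEYCHAIN_SERVICE:-brewup-sudo-password}"
# Resolve the account once so the Keychain lookups here and in the askpass
# helper agree, and so an unset USER does not trip `set -u`.
ACCOUNT="${USER:-$(id -un)}"

# Use a private directory with the X's at the END of the template. BSD
# mktemp(1) only substitutes trailing X's, so a template ending in ".sh" may
# produce a fixed, predictable file name instead of a random one.
WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/brewup.XXXXXX")"
TEMP="$WORKDIR/brew-upgrade-manager.sh"
ASKPASS_TEMP="$WORKDIR/brewup-askpass.sh"

# Remove the work directory (downloaded script and askpass helper).
cleanup() {
  rm -rf -- "${WORKDIR:?}"
}
# Clean up on every exit path. INT/TERM are turned into a real exit so the
# script cannot keep running after its temporary files have been deleted.
trap cleanup EXIT
trap 'exit 130' INT
trap 'exit 143' TERM

# Pin PATH so the tools invoked below resolve to Homebrew/system locations.
PATH="/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin"
export PATH

#######################################
# Write the askpass helper, make sure the sudo password exists in the
# Keychain, and validate it with `sudo -A -v`.
# Globals:   ASKPASS_TEMP, KEYCHAIN_SERVICE, ACCOUNT (read);
#            SUDO_ASKPASS, BREWUP_KEYCHAIN_SERVICE (exported)
# Arguments: none
# Outputs:   progress on stdout, failure hints on stderr
# Returns:   exits 1 when sudo rejects the stored password
#######################################
setup_sudo_askpass() {
  # Quoted delimiter: the helper body is written literally, nothing expands here.
  cat > "$ASKPASS_TEMP" <<'EOF'
#!/usr/bin/env bash
exec /usr/bin/security find-generic-password -a "${USER:-$(id -un)}" -s "${BREWUP_KEYCHAIN_SERVICE:-brewup-sudo-password}" -w
EOF
  chmod 700 "$ASKPASS_TEMP"
  export SUDO_ASKPASS="$ASKPASS_TEMP"
  export BREWUP_KEYCHAIN_SERVICE="$KEYCHAIN_SERVICE"

  if ! /usr/bin/security find-generic-password -a "$ACCOUNT" -s "$KEYCHAIN_SERVICE" -w >/dev/null 2>&1; then
    printf '%s\n' "首次使用:请输入一次 sudo 密码,将保存到 macOS Keychain:"
    # With -w as the LAST option security(1) prompts for the secret itself.
    # Passing the password as an argument would expose it in the process
    # list (`ps`) for as long as the command runs.
    /usr/bin/security add-generic-password -U -a "$ACCOUNT" -s "$KEYCHAIN_SERVICE" -w
  fi

  echo "正在通过 Keychain 准备 sudo 凭据..."
  if ! sudo -A -v; then
    echo "Keychain 中的 sudo 密码不可用,请删除后重新保存:" >&2
    echo " security delete-generic-password -a \"$ACCOUNT\" -s \"$KEYCHAIN_SERVICE\"" >&2
    exit 1
  fi
}

setup_sudo_askpass

echo "正在下载远程脚本..."
# Restrict the transfer and any redirect to HTTPS so -L cannot be downgraded.
curl -f -sSL --proto '=https' --proto-redir '=https' "$REMOTE" -o "$TEMP"
chmod 600 "$TEMP"

if [[ -n "${BREWUP_SHA256:-}" ]]; then
  echo "正在校验脚本 SHA256..."
  actual_sha256="$(shasum -a 256 "$TEMP")"
  actual_sha256="${actual_sha256%% *}"
  # shasum prints lowercase hex; accept an upper-case pin as well.
  expected_sha256="$(printf '%s' "$BREWUP_SHA256" | tr 'A-F' 'a-f')"
  if [[ "$actual_sha256" != "$expected_sha256" ]]; then
    echo "脚本 SHA256 不匹配,已停止执行。" >&2
    echo "Expected: $BREWUP_SHA256" >&2
    echo "Actual: $actual_sha256" >&2
    exit 1
  fi
else
  # No pin configured: the content is trusted purely on the strength of the
  # HTTPS connection to the host in REMOTE. Make that visible to the operator.
  echo "警告:未设置 BREWUP_SHA256,远程脚本将在未校验的情况下执行。" >&2
fi

if [[ "${BREWUP_DEBUG:-}" == "1" ]]; then
  echo "Downloaded script first line:"
  head -n 1 "$TEMP"
fi

export COLUMNS="130"
bash "$TEMP" "$@"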