#!/bin/sh # shellcheck shell=dash # shellcheck disable=SC2039 # local is non-POSIX # This is just a little script that can be downloaded from the internet to # install rustup. It just does platform detection, downloads the installer # and runs it. # It runs on Unix shells like {a,ba,da,k,z}sh. It uses the common `local` # extension. Note: Most shells limit `local` to 1 var per line, contra bash. # Some versions of ksh have no `local` keyword. Alias it to `typeset`, but # beware this makes variables global with f()-style function syntax in ksh93. # mksh has this alias by default. has_local() { # shellcheck disable=SC2034 # deliberately unused local _has_local } has_local 2>/dev/null || alias local=typeset is_zsh() { [ -n "${ZSH_VERSION-}" ] } set -u # If NMKUP_UPDATE_ROOT is unset or empty, default it. NMKUP_UPDATE_ROOT="${NMKUP_UPDATE_ROOT:-https://storage.googleapis.com/nmk.nuimk.com}" NMKUP_CHANNEL="${NMKUP_CHANNEL:-main}" # Set quiet as a global for ease of use RUSTUP_QUIET=no # NOTICE: If you change anything here, please make the same changes in setup_mode.rs usage() { cat < Specify base channel (branch name) [env: NMKUP_CHANNEL=] [possible values: main, stable] --dotfiles-channel Use alternative dotfiles channel [possible values: main, stable] --no-filter Do not filter items based on /etc/os-release data --install-launcher Install launcher to file then exit --no-cache Do not use cache --nbox Update nbox --target Specify target [possible values: amd64, arm64, armv7, armv7-hf, armv6, armv6-hf] -y Assume yes --vendor Install vendored files -v... Request verbose logging --no-verify Do not verify signature --no-verify-vendor Do not verify vendor signature --write-zsh-completion Write zsh completion then exit -h, --help Print help EOF } main() { downloader --check need_cmd uname need_cmd mktemp need_cmd chmod need_cmd mkdir need_cmd rm need_cmd rmdir get_architecture || return 1 local _arch="$RETVAL" assert_nz "$_arch" "arch" local _default_host_override="" case "$_arch" in *windows*) _default_host_override="--default-host=$_arch" ;; esac local _ext="" case "$_arch" in *windows*) _ext=".exe" ;; esac local _url case "$_arch" in x86_64-unknown-linux-*) _url="${NMKUP_UPDATE_ROOT}/channels/${NMKUP_CHANNEL}/nmkup-x86_64-unknown-linux-musl" ;; armv7-unknown-linux-*hf) _url="${NMKUP_UPDATE_ROOT}/channels/${NMKUP_CHANNEL}/nmkup-armv7-unknown-linux-musleabihf" ;; aarch64-unknown-linux-*) _url="${NMKUP_UPDATE_ROOT}/channels/${NMKUP_CHANNEL}/nmkup-aarch64-unknown-linux-musl" ;; arm-unknown-linux-* | armv7-unknown-linux-*) _url="${NMKUP_UPDATE_ROOT}/channels/${NMKUP_CHANNEL}/nmkup-arm-unknown-linux-musleabi" ;; *) err "Unsupported arch: $_arch" ;; esac local _dir if ! _dir="$(ensure mktemp -d)"; then # Because the previous command ran in a subshell, we must manually # propagate exit status. exit 1 fi local _file="${_dir}/nmkup-init${_ext}" local _ansi_escapes_are_valid=false if [ -t 2 ]; then if [ "${TERM+set}" = 'set' ]; then case "$TERM" in xterm*|rxvt*|urxvt*|linux*|vt*) _ansi_escapes_are_valid=true ;; esac fi fi # check if we have to use /dev/tty to prompt the user local need_tty=yes for arg in "$@"; do case "$arg" in --help) usage exit 0 ;; --quiet) RUSTUP_QUIET=yes ;; *) OPTIND=1 if [ "${arg%%--*}" = "" ]; then # Long option (other than --help); # don't attempt to interpret it. continue fi while getopts :hqy sub_arg "$arg"; do case "$sub_arg" in h) usage exit 0 ;; q) RUSTUP_QUIET=yes ;; y) # user wants to skip the prompt -- # we don't need /dev/tty need_tty=no ;; *) ;; esac done ;; esac done say 'downloading installer' ensure mkdir -p "$_dir" ensure downloader "$_url" "$_file" "$_arch" ensure chmod u+x "$_file" if [ ! -x "$_file" ]; then err "Cannot execute $_file (likely because of mounting /tmp as noexec)." err "Please copy the file to a location where you can execute binaries and run ./nmkup-init${_ext}." exit 1 fi if [ "$need_tty" = "yes" ] && [ ! -t 0 ]; then # The installer is going to want to ask for confirmation by # reading stdin. This script was piped into `sh` though and # doesn't have stdin to pass to its children. Instead we're going # to explicitly connect /dev/tty to the installer's stdin. if [ ! -t 1 ]; then err "Unable to run interactively. Run with -y to accept defaults, --help for additional options" exit 1; fi ignore "$_file" ${_default_host_override:+"$_default_host_override"} "$@" < /dev/tty else ignore "$_file" ${_default_host_override:+"$_default_host_override"} "$@" fi local _retval=$? ignore rm "$_file" ignore rmdir "$_dir" return "$_retval" } get_current_exe() { # Returns the executable used for system architecture detection # This is only run on Linux local _current_exe if test -L /proc/self/exe ; then _current_exe=/proc/self/exe else warn "Unable to find /proc/self/exe. System architecture detection might be inaccurate." if test -n "$SHELL" ; then _current_exe=$SHELL else need_cmd /bin/sh _current_exe=/bin/sh fi warn "Falling back to $_current_exe." fi echo "$_current_exe" } get_bitness() { need_cmd head # Architecture detection without dependencies beyond coreutils. # ELF files start out "\x7fELF", and the following byte is # 0x01 for 32-bit and # 0x02 for 64-bit. # The printf builtin on some shells like dash only supports octal # escape sequences, so we use those. local _current_exe=$1 local _current_exe_head _current_exe_head=$(head -c 5 "$_current_exe") if [ "$_current_exe_head" = "$(printf '\177ELF\001')" ]; then echo 32 elif [ "$_current_exe_head" = "$(printf '\177ELF\002')" ]; then echo 64 else err "unknown platform bitness" exit 1; fi } is_host_amd64_elf() { local _current_exe=$1 need_cmd head need_cmd tail # ELF e_machine detection without dependencies beyond coreutils. # Two-byte field at offset 0x12 indicates the CPU, # but we're interested in it being 0x3E to indicate amd64, or not that. local _current_exe_machine _current_exe_machine=$(head -c 19 "$_current_exe" | tail -c 1) [ "$_current_exe_machine" = "$(printf '\076')" ] } get_endianness() { local _current_exe=$1 local cputype=$2 local suffix_eb=$3 local suffix_el=$4 # detect endianness without od/hexdump, like get_bitness() does. need_cmd head need_cmd tail local _current_exe_endianness _current_exe_endianness="$(head -c 6 "$_current_exe" | tail -c 1)" if [ "$_current_exe_endianness" = "$(printf '\001')" ]; then echo "${cputype}${suffix_el}" elif [ "$_current_exe_endianness" = "$(printf '\002')" ]; then echo "${cputype}${suffix_eb}" else err "unknown platform endianness" exit 1 fi } # Detect the Linux/LoongArch UAPI flavor, with all errors being non-fatal. # Returns 0 or 234 in case of successful detection, 1 otherwise (/tmp being # noexec, or other causes). check_loongarch_uapi() { need_cmd base64 local _tmp if ! _tmp="$(ensure mktemp)"; then return 1 fi # Minimal Linux/LoongArch UAPI detection, exiting with 0 in case of # upstream ("new world") UAPI, and 234 (-EINVAL truncated) in case of # old-world (as deployed on several early commercial Linux distributions # for LoongArch). # # See https://gist.github.com/xen0n/5ee04aaa6cecc5c7794b9a0c3b65fc7f for # source to this helper binary. ignore base64 -d > "$_tmp" <&1 | grep -q 'musl'; then _clibtype="musl" fi fi if [ "$_ostype" = Darwin ]; then # Darwin `uname -m` can lie due to Rosetta shenanigans. If you manage to # invoke a native shell binary and then a native uname binary, you can # get the real answer, but that's hard to ensure, so instead we use # `sysctl` (which doesn't lie) to check for the actual architecture. if [ "$_cputype" = i386 ]; then # Handling i386 compatibility mode in older macOS versions (<10.15) # running on x86_64-based Macs. # Starting from 10.15, macOS explicitly bans all i386 binaries from running. # See: # Avoid `sysctl: unknown oid` stderr output and/or non-zero exit code. if (sysctl hw.optional.x86_64 2> /dev/null || true) | grep -q ': 1'; then _cputype=x86_64 fi elif [ "$_cputype" = x86_64 ]; then # Handling x86-64 compatibility mode (a.k.a. Rosetta 2) # in newer macOS versions (>=11) running on arm64-based Macs. # Rosetta 2 is built exclusively for x86-64 and cannot run i386 binaries. # Avoid `sysctl: unknown oid` stderr output and/or non-zero exit code. if (sysctl hw.optional.arm64 2> /dev/null || true) | grep -q ': 1'; then _cputype=arm64 fi fi fi if [ "$_ostype" = SunOS ]; then # Both Solaris and illumos presently announce as "SunOS" in "uname -s" # so use "uname -o" to disambiguate. We use the full path to the # system uname in case the user has coreutils uname first in PATH, # which has historically sometimes printed the wrong value here. if [ "$(/usr/bin/uname -o)" = illumos ]; then _ostype=illumos fi # illumos systems have multi-arch userlands, and "uname -m" reports the # machine hardware name; e.g., "i86pc" on both 32- and 64-bit x86 # systems. Check for the native (widest) instruction set on the # running kernel: if [ "$_cputype" = i86pc ]; then _cputype="$(isainfo -n)" fi fi local _current_exe case "$_ostype" in Android) _ostype=linux-android ;; Linux) _current_exe=$(get_current_exe) _ostype=unknown-linux-$_clibtype _bitness=$(get_bitness "$_current_exe") ;; FreeBSD) _ostype=unknown-freebsd ;; NetBSD) _ostype=unknown-netbsd ;; DragonFly) _ostype=unknown-dragonfly ;; Darwin) _ostype=apple-darwin ;; illumos) _ostype=unknown-illumos ;; SunOS) if [ "$_cputype" = sun4v ]; then _ostype=sun-solaris else _ostype=pc-solaris fi ;; MINGW* | MSYS* | CYGWIN* | Windows_NT) _ostype=pc-windows-gnu ;; *) err "unrecognized OS type: $_ostype" exit 1 ;; esac case "$_cputype" in i386 | i486 | i686 | i786 | x86) _cputype=i686 ;; xscale | arm) _cputype=arm if [ "$_ostype" = "linux-android" ]; then _ostype=linux-androideabi fi ;; armv6l) _cputype=arm if [ "$_ostype" = "linux-android" ]; then _ostype=linux-androideabi else _ostype="${_ostype}eabihf" fi ;; armv7l | armv8l) _cputype=armv7 if [ "$_ostype" = "linux-android" ]; then _ostype=linux-androideabi else _ostype="${_ostype}eabihf" fi ;; aarch64 | arm64) _cputype=aarch64 ;; x86_64 | x86-64 | x64 | amd64) _cputype=x86_64 ;; mips) _cputype=$(get_endianness "$_current_exe" mips '' el) ;; mips64) if [ "$_bitness" -eq 64 ]; then # only n64 ABI is supported for now _ostype="${_ostype}abi64" _cputype=$(get_endianness "$_current_exe" mips64 '' el) fi ;; ppc) _cputype=powerpc ;; ppc64) _cputype=powerpc64 ;; ppc64le) _cputype=powerpc64le ;; s390x) _cputype=s390x ;; sun4v) _cputype=sparcv9 ;; riscv64) _cputype=riscv64gc ;; loongarch64) _cputype=loongarch64 ensure_loongarch_uapi ;; *) err "unknown CPU type: $_cputype" exit 1 esac # Detect 64-bit linux with 32-bit userland if [ "${_ostype}" = unknown-linux-gnu ] && [ "${_bitness}" -eq 32 ]; then case $_cputype in x86_64) if [ -n "${RUSTUP_CPUTYPE:-}" ]; then _cputype="$RUSTUP_CPUTYPE" else { # 32-bit executable for amd64 = x32 if is_host_amd64_elf "$_current_exe"; then { err "This host is running an x32 userland, for which no native toolchain is provided." err "You will have to install multiarch compatibility with i686 or amd64." err "To do so, set the RUSTUP_CPUTYPE environment variable set to i686 or amd64 and re-run this script." err "You will be able to add an x32 target after installation by running \`rustup target add x86_64-unknown-linux-gnux32\`." exit 1 }; else _cputype=i686 fi }; fi ;; mips64) _cputype=$(get_endianness "$_current_exe" mips '' el) ;; powerpc64) _cputype=powerpc ;; aarch64) _cputype=armv7 if [ "$_ostype" = "linux-android" ]; then _ostype=linux-androideabi else _ostype="${_ostype}eabihf" fi ;; riscv64gc) err "riscv64 with 32-bit userland unsupported" exit 1 ;; esac fi # Detect armv7 but without the CPU features Rust needs in that build, # and fall back to arm. # See https://github.com/rust-lang/rustup.rs/issues/587. if [ "$_ostype" = "unknown-linux-gnueabihf" ] && [ "$_cputype" = armv7 ]; then if ! (ensure grep '^Features' /proc/cpuinfo | grep -E -q 'neon|simd') ; then # Either `/proc/cpuinfo` is malformed or unavailable, or # at least one processor does not have NEON (which is asimd on armv8+). _cputype=arm fi fi _arch="${_cputype}-${_ostype}" RETVAL="$_arch" } __print() { if $_ansi_escapes_are_valid; then printf '\33[1m%s:\33[0m %s\n' "$1" "$2" >&2 else printf '%s: %s\n' "$1" "$2" >&2 fi } warn() { __print 'warn' "$1" >&2 } say() { if [ "$RUSTUP_QUIET" = "no" ]; then __print 'info' "$1" >&2 fi } # NOTE: you are required to exit yourself # we don't do it here because of multiline errors err() { __print 'error' "$1" >&2 } need_cmd() { if ! check_cmd "$1"; then err "need '$1' (command not found)" exit 1 fi } check_cmd() { command -v "$1" > /dev/null 2>&1 } assert_nz() { if [ -z "$1" ]; then err "assert_nz $2" exit 1 fi } # Run a command that should never fail. If the command fails execution # will immediately terminate with an error showing the failing # command. ensure() { if ! "$@"; then err "command failed: $*" exit 1 fi } # This is just for indicating that commands' results are being # intentionally ignored. Usually, because it's being executed # as part of error handling. ignore() { "$@" } # This wraps curl or wget. Try curl first, if not installed, # use wget instead. downloader() { # zsh does not split words by default, Required for curl retry arguments below. is_zsh && setopt local_options shwordsplit local _dld local _ciphersuites local _err local _status local _retry if check_cmd curl; then # Check if we have a broken snap curl # https://github.com/boukendesho/curl-snap/issues/1 _curl_path=$(command -v curl) if echo "$_curl_path" | grep "/snap/" > /dev/null 2>&1; then if check_cmd wget; then _dld=wget else err "curl installed with snap cannot be used to install Rust" err "due to missing permissions. Please uninstall it and" err "reinstall curl with a different package manager (e.g., apt)." err "See https://github.com/boukendesho/curl-snap/issues/1" exit 1 fi else _dld=curl fi elif check_cmd wget; then _dld=wget else _dld='curl or wget' # to be used in error message of need_cmd fi if [ "$1" = --check ]; then need_cmd "$_dld" elif [ "$_dld" = curl ]; then check_curl_for_retry_support _retry="$RETVAL" get_ciphersuites_for_curl _ciphersuites="$RETVAL" if [ -n "$_ciphersuites" ]; then # shellcheck disable=SC2086 _err=$(curl $_retry --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1) _status=$? else warn "Not enforcing strong cipher suites for TLS, this is potentially less secure" if ! check_help_for "$3" curl --proto --tlsv1.2; then warn "Not enforcing TLS v1.2, this is potentially less secure" # shellcheck disable=SC2086 _err=$(curl $_retry --silent --show-error --fail --location "$1" --output "$2" 2>&1) _status=$? else # shellcheck disable=SC2086 _err=$(curl $_retry --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1) _status=$? fi fi if [ -n "$_err" ]; then warn "$_err" if echo "$_err" | grep -q 404$; then err "installer for platform '$3' not found, this may be unsupported" exit 1 fi fi return $_status elif [ "$_dld" = wget ]; then if [ "$(wget -V 2>&1|head -2|tail -1|cut -f1 -d" ")" = "BusyBox" ]; then warn "using the BusyBox version of wget. Not enforcing strong cipher suites for TLS or TLS v1.2, this is potentially less secure" _err=$(wget "$1" -O "$2" 2>&1) _status=$? else get_ciphersuites_for_wget _ciphersuites="$RETVAL" if [ -n "$_ciphersuites" ]; then _err=$(wget --https-only --secure-protocol=TLSv1_2 --ciphers "$_ciphersuites" "$1" -O "$2" 2>&1) _status=$? else warn "Not enforcing strong cipher suites for TLS, this is potentially less secure" if ! check_help_for "$3" wget --https-only --secure-protocol; then warn "Not enforcing TLS v1.2, this is potentially less secure" _err=$(wget "$1" -O "$2" 2>&1) _status=$? else _err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1) _status=$? fi fi fi if [ -n "$_err" ]; then warn "$_err" if echo "$_err" | grep -q ' 404 Not Found$'; then err "installer for platform '$3' not found, this may be unsupported" exit 1 fi fi return $_status else err "Unknown downloader" # should not reach here exit 1 fi } check_help_for() { local _arch local _cmd local _arg _arch="$1" shift _cmd="$1" shift local _category if "$_cmd" --help | grep -q '"--help all"'; then _category="all" else _category="" fi case "$_arch" in *darwin*) if check_cmd sw_vers; then local _os_version local _os_major _os_version=$(sw_vers -productVersion) _os_major=$(echo "$_os_version" | cut -d. -f1) case $_os_major in 10) # If we're running on macOS, older than 10.13, then we always # fail to find these options to force fallback if [ "$(echo "$_os_version" | cut -d. -f2)" -lt 13 ]; then # Older than 10.13 warn "Detected macOS platform older than 10.13" return 1 fi ;; *) if ! { [ "$_os_major" -eq "$_os_major" ] 2>/dev/null && [ "$_os_major" -ge 11 ]; }; then # Unknown product version, warn and continue warn "Detected unknown macOS major version: $_os_version" warn "TLS capabilities detection may fail" fi ;; # We assume that macOS v11+ will always be okay. esac fi ;; esac for _arg in "$@"; do if ! "$_cmd" --help "$_category" | grep -q -- "$_arg"; then return 1 fi done true # not strictly needed } # Check if curl supports the --retry flag, then pass it to the curl invocation. check_curl_for_retry_support() { local _retry_supported="" # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. if check_help_for "notspecified" "curl" "--retry"; then _retry_supported="--retry 3" if check_help_for "notspecified" "curl" "--continue-at"; then # "-C -" tells curl to automatically find where to resume the download when retrying. _retry_supported="--retry 3 -C -" fi fi RETVAL="$_retry_supported" } # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites # if support by local tools is detected. Detection currently supports these curl backends: # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. get_ciphersuites_for_curl() { if [ -n "${RUSTUP_TLS_CIPHERSUITES-}" ]; then # user specified custom cipher suites, assume they know what they're doing RETVAL="$RUSTUP_TLS_CIPHERSUITES" return fi local _openssl_syntax="no" local _gnutls_syntax="no" local _backend_supported="yes" if curl -V | grep -q ' OpenSSL/'; then _openssl_syntax="yes" elif curl -V | grep -iq ' LibreSSL/'; then _openssl_syntax="yes" elif curl -V | grep -iq ' BoringSSL/'; then _openssl_syntax="yes" elif curl -V | grep -iq ' GnuTLS/'; then _gnutls_syntax="yes" else _backend_supported="no" fi local _args_supported="no" if [ "$_backend_supported" = "yes" ]; then # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. if check_help_for "notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then _args_supported="yes" fi fi local _cs="" if [ "$_args_supported" = "yes" ]; then if [ "$_openssl_syntax" = "yes" ]; then _cs=$(get_strong_ciphersuites_for "openssl") elif [ "$_gnutls_syntax" = "yes" ]; then _cs=$(get_strong_ciphersuites_for "gnutls") fi fi RETVAL="$_cs" } # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites # if support by local tools is detected. Detection currently supports these wget backends: # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. get_ciphersuites_for_wget() { if [ -n "${RUSTUP_TLS_CIPHERSUITES-}" ]; then # user specified custom cipher suites, assume they know what they're doing RETVAL="$RUSTUP_TLS_CIPHERSUITES" return fi local _cs="" if wget -V | grep -q '\-DHAVE_LIBSSL'; then # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then _cs=$(get_strong_ciphersuites_for "openssl") fi elif wget -V | grep -q '\-DHAVE_LIBGNUTLS'; then # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then _cs=$(get_strong_ciphersuites_for "gnutls") fi fi RETVAL="$_cs" } # Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2 # excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad # DH params often found on servers (see RFC 7919). Sequence matches or is # similar to Firefox 68 ESR with weak cipher suites disabled via about:config. # $1 must be openssl or gnutls. get_strong_ciphersuites_for() { if [ "$1" = "openssl" ]; then # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet. echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384" elif [ "$1" = "gnutls" ]; then # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't. # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order. echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM" fi } main "$@" || exit 1