Script for installing DMG/PKG/ZIP Via Curl

davidjess
New Contributor III

Hi folks,

I'm looking for a script to install DMG/PKG/ZIP via curl with the URL, App name etc as variables.

Does anyone have anything like this? Or a working script for one of the file formats above I can get started with?

Thanks
David.

5 REPLIES

dsavageED
Contributor III

We use a script to install Firefox, Flash and Chrome; here is an example:

#!/bin/sh

# We may want to version lock Firefox ESR or can let it upgrade from vendor derived info.
if [ -z "$4" ]; then
  #available_version="$(curl https://www.mozilla.org/en-US/firefox/organizations/all/ | grep "data-esr-versions=" | awk -F '"' '{print $10}')"
  available_version="$(curl https://www.mozilla.org/en-US/firefox/organizations/all/ | grep "data-esr-versions=" | awk -F 'data-esr-versions="' '{print $2}' | cut -d'"' -f1)"
else
  available_version="$4"
fi

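# Download over HTTPS, as the attach step in install_Firefox expects
DOWNLOAD_URL="https://download-origin.cdn.mozilla.net/pub/firefox/releases/${available_version}esr/mac/en-GB/Firefox ${available_version}esr.dmg"

# Empty when Firefox is not installed, which falls through to the install branch below
installed_version="$(defaults read /Applications/Firefox.app/Contents/Info CFBundleShortVersionString 2>/dev/null)"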

install_Firefox() {
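  # Create a temporary directory in which to mount the .dmg
  tmp_mount="$(/usr/bin/mktemp -d /tmp/firefox.XXXX)"

  # Attach the install DMG directly from Mozilla's servers (ensuring HTTPS).
  # No eval: the URL is passed as data, so a crafted version string cannot run commands.
  if ! hdiutil attach "${DOWNLOAD_URL}" -nobrowse -quiet -mountpoint "${tmp_mount}"; then
    echo "******Could not attach ${DOWNLOAD_URL}. Installed copy left untouched.******"
    /bin/rmdir "${tmp_mount}"
    return 1
  fi

  # Remove the old copy only once the new image is mounted
  rm -rf "/Applications/Firefox.app"

  ditto "${tmp_mount}/Firefox.app" "/Applications/Firefox.app"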

  # Let things settle down
  sleep 1

  # Detach the dmg and remove the temporary mountpoint
  hdiutil detach "${tmp_mount}" && /bin/rm -rf "${tmp_mount}"

  if [ -e "/Applications/Firefox.app" ]; then
    echo "******Latest version of Firefox ESR is installed on target Mac.******"
  fi
}

check_Running ()
{
# To find if the app is running, search the process list directly.
# The [F] stops grep from matching itself, so no scratch file in /tmp is needed.
if ps -A | grep -q "[F]irefox.app";
then
    echo "******Application is currently running on target Mac. Installation of Firefox ESR cannot proceed.******"
    exit 1;
else
    echo "******Application is not running on target Mac. Proceeding...******"
    install_Firefox || exit 1
    exit 0
fi
}

# If the version installed differs at all from the available version
# then we want to update

case "${installed_version}" in
  "${available_version}")
    echo "****** Firefox version checked OK (${available_version}) ******"
    ;;
  *) 
    echo "****** Firefox version differs - installed: ${installed_version}, available: ${available_version} ******"
    check_Running
    ;;
esac

exit 0;

davidjess
New Contributor III

Thanks mate, I'll have a look at this and post back what I come up with.

rwinfie
Contributor

This is used for DMG self-contained .apps; just plug in the URL from the vendor and the app name. The convert to CDR was added for the apps that have an acknowledgement you have to click to bypass.

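#!/bin/bash

URL="$4"
DMG="$5"

# Private working directory instead of predictable file names in /tmp
workdir="$(mktemp -d /tmp/dmginstall.XXXXXX)" || exit 1

echo "Downloading $DMG to $workdir"
curl -fLo "$workdir/$DMG.dmg" "$URL" || exit 1

# Converting to CDR gets past the click-through acknowledgement
hdiutil convert "$workdir/$DMG.dmg" -format UDTO -o "$workdir/$DMG.cdr" -quiet || exit 1

# Mount on a known mount point so the search below only sees this image
mkdir "$workdir/mnt"
hdiutil mount "$workdir/$DMG.cdr" -noverify -nobrowse -noautoopen -mountpoint "$workdir/mnt" || exit 1

# Locate the app only after the image is mounted
myApp="$(find "$workdir/mnt" -maxdepth 1 -name "*.app" | head -n 1)"
AppName="$(basename "$myApp")"

# Stop if nothing was found: an empty AppName would point chown/chmod at /Applications itself
if [ -z "$myApp" ]; then
  echo "No .app found in $DMG"
  hdiutil unmount "$workdir/mnt"
  exit 1
fi

echo "Copying $myApp to Applications"
rsync -av "$myApp" /Applications/

echo "Changing permissions on $AppName"
chown -R root:wheel "/Applications/$AppName"
chmod -R 755 "/Applications/$AppName"

hdiutil unmount "$workdir/mnt" && rm -rf "$workdir"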

tlarkin
Honored Contributor

I would highly advise against these types of workflows. If an attacker were to specifically attack your Org, they could advertise Man In The Middle attacks at any endpoint your curl scripts run. You will have no control over where your endpoints hit that URL either because you are distributing the command to every endpoint via script.

If you want to automatically package things I would highly recommend you look at AutoPkg and have a single device call the Internet and build a pkg. The problem with a curl script on your client endpoints is that you are basically running a script as root and downloading software as root and then installing it as root. It wouldn't be too hard for an attacker to offer a malicious package or malicious URL. Having one endpoint download it, in an automated fashion, gives you that level of control.

I really advise that people do not use curl scripts on client systems. Plus AutoPkg does a lot more checking than every curl script I have ever seen and can integrate with tools like VirusTotal.

rajrajan
New Contributor III

Hello,

Can someone help me to verify this bash script? My goal is to install TeamViewerQS directly from the URL.

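#!/bin/bash

# Script parameters 4 and 5 override these defaults
URL="${4:-https://download.teamviewer.com/download/TeamViewerQS.dmg}"
DMG="${5:-TeamViewerQS}"

# Private working directory instead of predictable file names in /tmp
workdir="$(mktemp -d /tmp/dmginstall.XXXXXX)" || exit 1

echo "Downloading $DMG to $workdir"
curl -fLo "$workdir/$DMG.dmg" "$URL" || exit 1

hdiutil convert "$workdir/$DMG.dmg" -format UDTO -o "$workdir/$DMG.cdr" -quiet || exit 1

mkdir "$workdir/mnt"
hdiutil mount "$workdir/$DMG.cdr" -noverify -nobrowse -noautoopen -mountpoint "$workdir/mnt" || exit 1

# Look for the app only after the image is mounted
TeamViewerQS="$(find "$workdir/mnt" -maxdepth 1 -name "*.app" | head -n 1)"
TeamViewerQSe="$(basename "$TeamViewerQS")"

# An empty name would point chown/chmod at /Applications itself
if [ -z "$TeamViewerQS" ]; then
  echo "No .app found in $DMG"
  hdiutil unmount "$workdir/mnt"
  exit 1
fi

echo "Copying $TeamViewerQS to Applications"
rsync -av "$TeamViewerQS" /Applications/

echo "Changing permissions on $TeamViewerQSe"
chown -R root:wheel "/Applications/$TeamViewerQSe"
chmod -R 755 "/Applications/$TeamViewerQSe"

hdiutil unmount "$workdir/mnt" && rm -rf "$workdir"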