update.sh: check if all files are signed

also source a custom update.sh if present

update.sh

@@ -130,6 +130,8 @@ fi
 
 [[ ${NAME} ]]
 
+mkdir -p /var/cache/${NAME}
+
 readonly MY_TMPDIR="$(mktemp -p "/var/cache/${NAME}/" -d)"
 [ -d "$MY_TMPDIR" ] || {
     printf "%s\n" "${PROGNAME}: mktemp -p '/var/cache/${NAME}/' -d failed." >&2
@@ -177,7 +179,24 @@ cd ${IMAGE}
 if ! [[ $NO_CHECK ]]; then
     # check integrity
     gpg2 --no-default-keyring --keyring /etc/pki/${NAME}/GPG-KEY --verify sha512sum.txt.sig sha512sum.txt
-    sha512sum -c sha512sum.txt
+    sha512sum --strict -c sha512sum.txt
+    unset FILES; declare -A FILES
+    while read _ file || [[ $file ]]; do
+        FILES["$file"]="1"
+    done < sha512sum.txt
+    for i in $(ls -1); do
+        [[ $i == sha512sum.txt ]] && continue
+        [[ $i == sha512sum.txt.sig ]] && continue
+        if ! [[ ${FILES["$i"]} ]]; then
+            echo "File $i not signed"
+            exit 1
+        fi
+    done
+fi
+
+if [[ ${FILES["update.sh"]} ]] && [[ -e ./update.sh ]]; then
+ . ./update.sh
+ exit $?
 fi
 
 dd status=progress if=root.img of=${ROOT_DEV}-part${NEW_ROOT_PARTNO}