Solved How to detect END-OF-LIFE on an OS release via script?

[D-FENS]

I would like to implement a detection within a script that gives me an answer if the release is at END OF LIFE or still current.
In a nutshell, I call freebsd-update from my script and I need to differentiate between a legitimate error and the error code 1 returned by freebsd-update when the update was successful but the release is not supported anymore:

WARNING: FreeBSD 12.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.
Any security issues discovered after Sun Jan 31 00:00:00 UTC 2021
will not have been corrected.
# echo $?
1

Ideally I would like to check if the release has passed the end of life date and simply skip it without executing the update.
I don't want to maintain a database with the different versions and their end of life dates.

Any idea on how to do that? Is this logic hardcoded in freebsd-update?
Maybe I could parse the table from this URL: https://www.freebsd.org/security/unsupported/ ?

Edit:
I discovered that a simple curl/grep on the above URL gives me an answer if the release in question is within the unsupported list:

curl https://www.freebsd.org/security/unsupported/ | grep 12.1-RELEASE
[ $? -eq 0 ] && echo "Release is unsupported"

Is there a better way, or is that the way to go?

 

[SirDice]

I call freebsd-update from my script and I need to differentiate between a legitimate error and the error code 1 returned by freebsd-update when the update was successful

Both cases are legitimate errors that need further investigation. So why would you need to differentiate between them?

 

[D-FENS]

My problem is technical. I have a number of base jails with fixed versions. Whenever I need a newer version, I create a new base jail for it.
I am implementing a function to update all base jails with a single command. Currently the base jails for 12.0 and 12.1 give me an update error and break the script.
I would like to identify they are out of support and then handle appropriately (issue a warning to the user, then ignore the base jail for the current update) instead of interrupting the whole script (which should be the case if an update was performed but failed).

 

[rootbert]

why not trigger on "HAS PASSED ITS END-OF-LIFE DATE" from the output of freebsd-update?

 

[covacat]

this the official way (with some more tests / pulled from /usr/sbin/freebsd-update)

 [ $(fetch -q -o - http://update.freebsd.org/12.1-RELEASE/amd64/latest.ssl| openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify |cut -f6 -d\|) -lt $(TZ=UTC date +%s) ] && echo EXPIRED

 

[astyle]

this the official way (with some more tests / pulled from /usr/sbin/freebsd-update)

 [ $(fetch -q -o - http://update.freebsd.org/12.1-RELEASE/amd64/latest.ssl| openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify |cut -f6 -d\|) -lt $(TZ=UTC date +%s) ] && echo EXPIRED

yeah, and stuff that into cron, so that you can get an email that's screaming "FREEBSD 12 HAS REACHED EOL, UPGRADE ASAP, OR ELSE!" ?

 

[D-FENS]

this the official way (with some more tests / pulled from /usr/sbin/freebsd-update)

 [ $(fetch -q -o - http://update.freebsd.org/12.1-RELEASE/amd64/latest.ssl| openssl rsautl -pubin -inkey /var/db/freebsd-update/pub.ssl -verify |cut -f6 -d\|) -lt $(TZ=UTC date +%s) ] && echo EXPIRED

WOW! Thanks, that's quite a command line!

 

[covacat]

WOW! Thanks, that's quite a command line!

i just condensed some stuff from freebsd-update itself
the original code has some more test (fetch succeded, signature valid, etc)
i was just curious from were the expiration date is pulled

 

[Matlib]

TZ=UTC date +%s

Also date -u instead of changing the time zone ?
It's not needed for a timestamp though.