Build: Make install-chrome.sh safe to run via curl | sudo bash

Two issues prevented the script from running cleanly when piped into
sudo (the most reliable invocation over SSH):

1. The header recommended `bash <(curl …)`, but with sudo the process
   substitution opens /dev/fd/63 in the unprivileged parent shell and
   the elevated bash cannot read it — the script aborted with
   `bash: /dev/fd/63: No such file or directory`. Replace with the
   `curl -fsSL … | sudo bash` pattern (and keep an explicit
   download-then-run fallback). Also call out the broken sudo + process
   substitution form so users do not retry it.

2. With stdin piped to bash, `gpg --dearmor` tried to write status to
   /dev/tty and failed with `gpg: cannot open '/dev/tty'`, breaking the
   keyring import (and silently leaving an empty keyring on a fresh
   host). Pass `--no-tty --batch --yes` to both gpg calls.

Tested end-to-end on Ubuntu 26.04 ("resolute") via
`curl -fsSL …/install-chrome.sh | sudo bash` from a clean state
(no preexisting keyring or apt list): keyring valid OpenPGP file, deb
fetched and installed, `google-chrome --version` returns 147.0.7727.116.
This commit is contained in:
Cathie Integra 2026-04-25 13:06:14 +02:00
parent c1e9d80692
commit d4666a5765

View file

@ -10,13 +10,27 @@
# libminizip1, ...) are close enough to Ubuntu LTS that apt can resolve
# them by pulling those few libs from the Debian repo; the chromium
# binary itself runs fine on Ubuntu glibc from jammy (22.04, 2.35) up.
# bash <(curl -s https://raw.githubusercontent.com/photoprism/photoprism/develop/scripts/dist/install-chrome.sh)
#
# This script must run as root. Use one of these invocations:
#
# # Pipe via stdin (recommended one-liner — works everywhere, incl. SSH):
# curl -fsSL https://raw.githubusercontent.com/photoprism/photoprism/develop/scripts/dist/install-chrome.sh | sudo bash
#
# # Or download first and run:
# curl -fsSL https://raw.githubusercontent.com/photoprism/photoprism/develop/scripts/dist/install-chrome.sh -o /tmp/install-chrome.sh
# sudo bash /tmp/install-chrome.sh
#
# Do NOT use process substitution under sudo (`sudo bash <(curl …)`): the
# substitution opens /dev/fd/63 in the *parent* (unprivileged) shell, which
# the elevated bash cannot read once sudo re-execs — the script aborts
# immediately with `bash: /dev/fd/63: No such file or directory`.
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/scripts:$PATH"
# Abort if not executed as root.
if [[ $(id -u) != "0" ]]; then
echo "Usage: run ${0##*/} as root" 1>&2
echo "Usage: ${0##*/} must run as root. Try:" 1>&2
echo " curl -fsSL <url-to-this-script> | sudo bash" 1>&2
exit 1
fi
@ -39,7 +53,7 @@ install_chromium_from_debian_bookworm() {
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://ftp-master.debian.org/keys/archive-key-12.asc \
| gpg --dearmor -o "$keyring"
| gpg --no-tty --batch --yes --dearmor -o "$keyring"
cat > "$src" <<EOF
Types: deb
@ -58,7 +72,7 @@ case $DESTARCH in
amd64 | AMD64 | x86_64 | x86-64)
echo "Installing Google Chrome (stable) on ${ID} for ${DESTARCH^^}..."
set -e
curl -fsSL https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /etc/apt/trusted.gpg.d/dl-ssl.google.com.gpg
curl -fsSL https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --no-tty --batch --yes --dearmor -o /etc/apt/trusted.gpg.d/dl-ssl.google.com.gpg
sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list'
apt-get update
apt-get -qq install google-chrome-stable