From 6bcfbadcd2c553ed8c65319c3fe523ff9795286f Mon Sep 17 00:00:00 2001 From: James Hoctor Date: Fri, 22 Aug 2025 14:19:20 -0400 Subject: [PATCH 1/5] Fix error handling around sudo in install.sh.in 1. Use `set -Eeuo pipefail` to enable Bash "sane mode". 2. Fix usage of sudo when writing to protected directories by introducing the tee command. 3. Change exit code from 0 to 1 when script fails due to lack of root and lack of an available sudo command. 4. Remove trailing whitespace (which is stripped by GPG anyway). --- install.sh.in | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/install.sh.in b/install.sh.in index 99f2808..ffa0593 100644 --- a/install.sh.in +++ b/install.sh.in @@ -1,6 +1,8 @@ # shellcheck disable=SC2148 ENDOFSIGSTART= +set -Eeuo pipefail + export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin # @@ -17,9 +19,9 @@ ZT_BASE_URL_HTTPS='https://download.zerotier.com/' ZT_BASE_URL_HTTP='http://download.zerotier.com/' ########################################################## -# +# # Maximum Supported Distribution Versions and Codenames -# +# ########################################################## # Debian @@ -77,7 +79,7 @@ MINT_CODENAME_MAP["faye"]="bookworm" ########################################################## # -# End +# End # ########################################################## @@ -108,7 +110,7 @@ if [ "$UID" != "0" ]; then SUDO=sudo else echo '*** This quick installer script requires root privileges.' - exit 0 + exit 1 fi fi @@ -204,7 +206,7 @@ _old_apt_signing() { URL=$1 CODENAME=$2 if [ -d /etc/apt/trusted.gpg.d ]; then - $SUDO gpg --dearmor < /tmp/zt-gpg-key > /etc/apt/trusted.gpg.d/zerotier-debian-package-key.gpg + gpg --dearmor < /tmp/zt-gpg-key | $SUDO tee /etc/apt/trusted.gpg.d/zerotier-debian-package-key.gpg > /dev/null else $SUDO apt-key add /tmp/zt-gpg-key fi 
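Review bot: The `-u` in the added `set -Eeuo pipefail` makes every expansion of an unset variable fatal, and lines visible later in this patch still expand variables that may be unset. The Debian branch tests `[ -z "$VERSION_ID" ]` under a comment saying testing/sid declares no VERSION_ID, and `SUDO=sudo` is assigned only in the non-root branch of the `@@ -108,7 +110,7 @@` hunk. Unless both are initialised outside the hunks shown, the installer now aborts on those paths instead of falling through. Use defaulted expansions, e.g. `[ -z "${VERSION_ID:-}" ]`, and set `SUDO=` before the UID check. `-E` only matters when an ERR trap is installed, and none is visible in these hunks.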
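Review bot: In the new pipeline in `_old_apt_signing`, `tee` opens and truncates the keyring before `gpg --dearmor` has produced any output, so a failed dearmor leaves an empty or partial trust-anchor file in /etc/apt/trusted.gpg.d and overwrites a previously good key on a re-run. The same line is added in `_new_apt_signing` in the next hunk for /usr/share/keyrings. Dearmor into a private temporary file and install it only on success with an explicit mode: `tmp=$(mktemp); gpg --dearmor < /tmp/zt-gpg-key > "$tmp"` followed by `$SUDO install -m 0644 "$tmp" /etc/apt/trusted.gpg.d/zerotier-debian-package-key.gpg`. The input is still read from the fixed path /tmp/zt-gpg-key, which is created outside this hunk; a fixed name in a world-writable directory is a weak staging place for a signing key, so check how that file is created. The function body continues past the end of the hunk.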
@@ -214,7 +216,7 @@ _old_apt_signing() { _new_apt_signing() { URL=$1 CODENAME=$2 - $SUDO gpg --dearmor < /tmp/zt-gpg-key > /usr/share/keyrings/zerotier-debian-package-key.gpg + gpg --dearmor < /tmp/zt-gpg-key | $SUDO tee /usr/share/keyrings/zerotier-debian-package-key.gpg > /dev/null echo "deb [signed-by=/usr/share/keyrings/zerotier-debian-package-key.gpg] ${URL}debian/$CODENAME $CODENAME main" >/tmp/zt-sources-list } @@ -285,7 +287,7 @@ if [ $ID == "debian" ] || [ $ID == "raspbian" ]; then # Debian testing/sid does not declare a VERSION_ID in /etc/os-release if [ -z "$VERSION_ID" ] || [ $VERSION_ID -gt $MAX_SUPPORTED_DEBIAN_VERSION ]; then write_apt_repo $ID $MAX_SUPPORTED_DEBIAN_VERSION $ZT_BASE_URL_HTTP $MAX_SUPPORTED_DEBIAN_VERSION_NAME - else + else write_apt_repo $ID $VERSION_ID $ZT_BASE_URL_HTTP $VERSION_CODENAME fi elif [ $ID == "ubuntu" ] || [ $ID == "pop" ]; then @@ -293,18 +295,18 @@ elif [ $ID == "ubuntu" ] || [ $ID == "pop" ]; then if [[ "$VERSION_ID" > "$MAX_SUPPORTED_UBUNTU_VERSION" ]]; then write_apt_repo ubuntu $MAX_SUPPORTED_UBUNTU_VERSION $ZT_BASE_URL_HTTP $MAX_SUPPORTED_UBUNTU_VERSION_NAME - else + else write_apt_repo ubuntu $VERSION_ID $ZT_BASE_URL_HTTP ${UBUNTU_CODENAME_MAP[${VERSION_CODENAME}]} fi elif [ $ID == "linuxmint" ]; then echo '*** Detected Linux Mint, creating /etc/apt/sources.list.d/zerotier.list' - + # fix for non integer version number VERSION_ID=$(echo $VERSION_ID | cut -d . -f 1) if [[ "$VERSION_ID" -gt "$MAX_SUPPORTED_MINT_VERSION" ]]; then write_apt_repo $ID $MAX_SUPPORTED_MINT_VERSION $ZT_BASE_URL_HTTP $MAX_SUPPORTED_MINT_VERSION_NAME - else + else write_apt_repo $ID $VERSION_ID $ZT_BASE_URL_HTTP ${MINT_CODENAME_MAP[${VERSION_CODENAME}]} fi elif [ $ID == "kali" ]; then 
@@ -365,8 +367,8 @@ elif [ $ID == "opensuse" ] || [ $ID == "suse" ]; then echo '*** Installing zeortier-one package...' cat /dev/null | $SUDO zypper install -y zerotier-one -elif [ $ID == "opensuse-tumbleweed" ]; then - echo '*** Found SuSE Tumbleweed/Leap, adding zypper YUM repo...' +elif [ $ID == "opensuse-tumbleweed" ]; then + echo '*** Found SuSE Tumbleweed/Leap, adding zypper YUM repo...' cat /dev/null | $SUDO zypper addrepo -t YUM -G ${ZT_BASE_URL_HTTP}redhat/el/9 zerotier echo From 0a42d36c5ad0415e1f3376910c8cf21bbc06c4b1 Mon Sep 17 00:00:00 2001 From: James Hoctor Date: Fri, 22 Aug 2025 15:11:38 -0400 Subject: [PATCH 2/5] Enable Bash xtrace mode in CI --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 775c0dd..9243a2d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,4 +51,4 @@ jobs: - name: apt run: apt-get -y update && apt-get -y install curl gnupg2 gnupg gpg || true - name: install ${{ matrix.container }} - run: bash install.sh.in + run: bash -x install.sh.in From e626ea945335fec469ac7aca4ded73372a15065f Mon Sep 17 00:00:00 2001 From: James Hoctor Date: Fri, 22 Aug 2025 15:27:16 -0400 Subject: [PATCH 3/5] Remove Debian Buster from CI install test as its repos have been archived --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9243a2d..26c9505 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,6 @@ jobs: - "debian:latest" - "debian:12" - "debian:11" - - "debian:10" - "linuxmintd/mint22-amd64:latest" - "kalilinux/kali-rolling:latest" - "redhat/ubi9:latest" From 950d8cc2c23f3091aa0b3a83591b35ba0cc5eadd Mon Sep 17 00:00:00 2001 
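Review bot: `bash -x install.sh.in` in the install step of .github/workflows/ci.yml writes every expanded command, including variable values, to the job log. Nothing in the visible hunks of install.sh.in handles a credential, so this looks harmless today, but the step has no comment saying so. Add one above the `run:` line, for example `# xtrace is on: do not pass secrets or tokens to install.sh.in in this job`, so a later change does not leak one into the log.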
From: James Hoctor Date: Fri, 22 Aug 2025 15:37:14 -0400 Subject: [PATCH 4/5] Disable Bash errexit where it would interfere with explicit error handling --- install.sh.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install.sh.in b/install.sh.in index ffa0593..d5c46f1 100644 --- a/install.sh.in +++ b/install.sh.in @@ -397,6 +397,8 @@ echo '*** Enabling and starting ZeroTier service...' if [ -e /usr/bin/systemctl -o -e /usr/sbin/systemctl -o -e /sbin/systemctl -o -e /bin/systemctl ]; then if [[ -d /run/systemd/system ]]; then $SUDO systemctl enable zerotier-one + # Disable errexit temporarily and handle error status explicitly. + set +e $SUDO systemctl start zerotier-one if [ "$?" != "0" ]; then echo @@ -405,6 +407,8 @@ if [ -e /usr/bin/systemctl -o -e /usr/sbin/systemctl -o -e /sbin/systemctl -o -e echo exit 1 fi + # Re-enable errexit. + set -e else echo echo '*** Package installed but cannot start service! You may be in a Docker container' From c092d7e088af8183456fec5044f3e43e1b126cb8 Mon Sep 17 00:00:00 2001 From: James Hoctor Date: Fri, 22 Aug 2025 15:44:29 -0400 Subject: [PATCH 5/5] Remove unnecessary apt install in CI --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 26c9505..10852a2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,7 +47,5 @@ jobs: steps: - name: Check out repository code uses: actions/checkout@v4 - - name: apt - run: apt-get -y update && apt-get -y install curl gnupg2 gnupg gpg || true - name: install ${{ matrix.container }} run: bash -x install.sh.in
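Review bot: Toggling errexit around `$SUDO systemctl start zerotier-one` is unnecessary, because a command tested directly in an `if` is exempt from errexit. Writing `if ! $SUDO systemctl start zerotier-one; then` removes the `"$?"` comparison together with the added `set +e` / `set -e` lines and their comments, and leaves no window where errexit is off. Separately, `$SUDO systemctl enable zerotier-one` on the line above will now abort the script under `set -e` without the explanatory message that the start path prints; it deserves the same explicit handling. The enclosing `if` blocks begin before and end after this hunk.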