feat: Improved installation (#63)

This commit is contained in:
Kroese 2024-01-22 02:56:28 +01:00 committed by GitHub
parent accd1799d2
commit f381f9ebbf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 869 additions and 70 deletions

View File

@ -15,10 +15,7 @@ RUN apt-get update \
COPY ./src /run/
COPY ./assets /run/assets
ADD https://github.com/qemus/virtiso/raw/master/virtio-win.iso /run/drivers.iso
ADD https://raw.githubusercontent.com/ElliotKillick/Mido/main/Mido.sh /run/mido.sh
RUN chmod +x /run/*.sh
EXPOSE 8006 3389

View File

@ -56,7 +56,7 @@ docker run -it --rm -p 8006:8006 --device=/dev/kvm --cap-add NET_ADMIN dockurr/w
- Start the container and get some coffee.
- Connect to port 8006 of the container in your web browser.
- Connect to [port 8006](http://localhost:8006) of the container in your web browser.
- Sit back and relax while the magic happens, the whole installation will be performed fully automatic.
@ -127,7 +127,7 @@ docker run -it --rm -p 8006:8006 --device=/dev/kvm --cap-add NET_ADMIN dockurr/w
Then follow these steps:
- Start the container and connect to port 8006 of the container in your web browser. After the download is finished, you will see the Windows installation screen.
- Start the container and connect to [port 8006](http://localhost:8006) of the container in your web browser. After the download is finished, you will see the Windows installation screen.
- Start the installation by clicking ```Install now```. On the next screen, press 'OK' when prompted to ```Load driver``` and select the ```VirtIO SCSI``` driver from the list that matches your Windows version. So for Windows 11, select ```D:\amd64\w11\vioscsi.inf``` and click 'Next'.
@ -143,16 +143,16 @@ docker run -it --rm -p 8006:8006 --device=/dev/kvm --cap-add NET_ADMIN dockurr/w
- Now your Windows installation is ready for use. Enjoy it, and don't forget to star this repo!
* ### How do I install an unsupported version?
* ### How do I install a custom image?
You can specify an URL in the `VERSION` environment variable, in order to download a custom ISO image:
In order to download a custom ISO image, specify an URL in the `VERSION` environment variable:
```yaml
environment:
VERSION: "https://example.com/win.iso"
```
During the installation you may need to add some drivers as described in [manual installation](https://github.com/dockur/windows/tree/master?tab=readme-ov-file#how-do-i-perform-a-manual-installation) above.
Make sure your `/storage` folder is empty before starting the container. Alternatively, you can also place a file called `custom.iso` in that folder to skip the download.
* ### How do I pass-through a disk?

View File

@ -2,7 +2,6 @@
set -Eeuo pipefail
: "${MANUAL:=""}"
: "${EXTERNAL:=""}"
: "${VERSION:="win11x64"}"
[[ "${VERSION,,}" == "11" ]] && VERSION="win11x64"
@ -48,17 +47,15 @@ fi
MSG="Windows is being started, please wait..."
BASE="custom.iso"
if [ ! -f "$STORAGE/$BASE" ]; then
if [[ "$EXTERNAL" != [Yy1]* ]]; then
if [[ "$EXTERNAL" != [Yy1]* ]]; then
BASE="$VERSION.iso"
if [ ! -f "$STORAGE/$BASE" ]; then
MSG="Windows is being downloaded, please wait..."
fi
else
else
BASE=$(basename "${VERSION%%\?*}")
: "${BASE//+/ }"; printf -v BASE '%b' "${_//%/\\x}"
@ -68,33 +65,47 @@ if [ ! -f "$STORAGE/$BASE" ]; then
MSG="Image '$BASE' is being downloaded, please wait..."
fi
fi
fi
[[ "${BASE,,}" == "custom."* ]] && BASE="target.iso"
html "$MSG"
[ -f "$STORAGE/$BASE" ] && return 0
TMP="$STORAGE/tmp"
rm -rf "$TMP"
if [ -f "$STORAGE/$BASE" ]; then
rm -rf "$TMP"
return 0
fi
mkdir -p "$TMP"
ISO="$TMP/$BASE"
rm -f "$ISO"
if [[ "$EXTERNAL" != [Yy1]* ]]; then
CUSTOM="custom.iso"
SCRIPT="$TMP/mido.sh"
[ ! -f "$STORAGE/$CUSTOM" ] && CUSTOM="custom.img"
[ ! -f "$STORAGE/$CUSTOM" ] && CUSTOM="Custom.iso"
[ ! -f "$STORAGE/$CUSTOM" ] && CUSTOM="Custom.img"
[ ! -f "$STORAGE/$CUSTOM" ] && CUSTOM="custom.ISO"
[ ! -f "$STORAGE/$CUSTOM" ] && CUSTOM="custom.IMG"
[ ! -f "$STORAGE/$CUSTOM" ] && CUSTOM="CUSTOM.ISO"
[ ! -f "$STORAGE/$CUSTOM" ] && CUSTOM="CUSTOM.IMG"
if [ ! -f "$STORAGE/$CUSTOM" ]; then
CUSTOM=""
else
ISO="$STORAGE/$CUSTOM"
fi
if [ ! -f "$ISO" ]; then
if [[ "$EXTERNAL" != [Yy1]* ]]; then
rm -f "$SCRIPT"
cp /run/mido.sh "$SCRIPT"
chmod +x "$SCRIPT"
cd "$TMP"
bash "$SCRIPT" "$VERSION"
rm -f "$SCRIPT"
/run/mido.sh "$VERSION"
cd /run
else
else
info "Downloading $BASE as boot image..."
@ -109,17 +120,31 @@ else
(( rc != 0 )) && echo && error "Failed to download $VERSION, reason: $rc" && exit 60
fi
[ ! -f "$ISO" ] && echo && error "Failed to download $VERSION" && exit 61
fi
[ ! -f "$ISO" ] && echo && error "Failed to download $VERSION" && exit 61
SIZE=$(stat -c%s "$ISO")
SIZE_GB=$(( (SIZE + 1073741823)/1073741824 ))
if ((SIZE<10000000)); then
echo && error "Invalid ISO file: Size is smaller than 10 MB" && exit 62
fi
MSG="Extracting downloaded ISO image..."
SPACE=$(df --output=avail -B 1 "$TMP" | tail -n 1)
SPACE_GB=$(( (SPACE + 1073741823)/1073741824 ))
if (( SIZE > SPACE )); then
error "Not enough free space in $STORAGE, have $SPACE_GB GB available but need at least $SIZE_GB GB." && exit 63
fi
if [ -n "$CUSTOM" ]; then
MSG="Extracting custom ISO image..."
else
MSG="Extracting downloaded ISO image..."
fi
echo && info "$MSG" && html "$MSG"
DIR="$TMP/unpack"
@ -138,11 +163,13 @@ if [ ! -f "$DIR/$ETFS" ] || [ ! -f "$DIR/$EFISYS" ]; then
else
warn "failed to locate file 'efisys_noprompt.bin' in ISO image, $FB"
fi
mv "$ISO" "$STORAGE/$BASE"
mv -f "$ISO" "$STORAGE/$BASE"
rm -rf "$TMP"
echo && return 0
fi
[ -z "$CUSTOM" ] && rm -f "$ISO"
if [ -z "$MANUAL" ]; then
MANUAL="N"
@ -156,11 +183,10 @@ fi
XML=""
if [[ "$MANUAL" != [Yy1]* ]]; then
if [[ "$EXTERNAL" != [Yy1]* ]]; then
XML="$VERSION.xml"
[[ "$EXTERNAL" != [Yy1]* ]] && XML="$VERSION.xml"
else
if [ ! -f "/run/assets/$XML" ]; then
MSG="Detecting Windows version from ISO image..."
info "$MSG" && html "$MSG"
@ -190,7 +216,12 @@ if [[ "$MANUAL" != [Yy1]* ]]; then
if [ -n "$DETECTED" ]; then
XML="$DETECTED.xml"
echo "Detected image of type '$DETECTED', will apply autounattend.xml file."
if [ -f "/run/assets/$XML" ]; then
echo "Detected image of type '$DETECTED', will apply an autounattend.xml file."
else
warn "detected image of type '$DETECTED', but no matching .xml file exists, $FB."
fi
else
if [ -z "$NAME" ]; then
@ -255,25 +286,30 @@ if [ -f "$ASSET" ]; then
echo
else
if [ -n "$XML" ]; then
warn "XML file '$XML' does not exist, $FB" && echo
fi
fi
CAT="BOOT.CAT"
LABEL="${BASE%.*}"
LABEL="${LABEL::30}"
ISO="$TMP/$LABEL.tmp"
rm -f "$ISO"
OUT="$TMP/$LABEL.tmp"
rm -f "$OUT"
SPACE=$(df --output=avail -B 1 "$TMP" | tail -n 1)
SPACE_GB=$(( (SPACE + 1073741823)/1073741824 ))
if (( SIZE > SPACE )); then
error "Not enough free space in $STORAGE, have $SPACE_GB GB available but need at least $SIZE_GB GB." && exit 63
fi
MSG="Generating new ISO image for installation..."
info "$MSG" && html "$MSG"
genisoimage -b "$ETFS" -no-emul-boot -c "$CAT" -iso-level 4 -J -l -D -N -joliet-long -relaxed-filenames -quiet -V "$LABEL" -udf \
-boot-info-table -eltorito-alt-boot -eltorito-boot "$EFISYS" -no-emul-boot -o "$ISO" -allow-limited-size "$DIR"
-boot-info-table -eltorito-alt-boot -eltorito-boot "$EFISYS" -no-emul-boot -o "$OUT" -allow-limited-size "$DIR"
mv "$ISO" "$STORAGE/$BASE"
[ -n "$CUSTOM" ] && rm -f "$STORAGE/$CUSTOM"
mv "$OUT" "$STORAGE/$BASE"
rm -rf "$TMP"
html "Successfully prepared image for installation..."

766
src/mido.sh Normal file
View File

@ -0,0 +1,766 @@
#!/bin/sh
# Copyright (C) 2024 Elliot Killick <contact@elliotkillick.com>
# Licensed under the MIT License. See LICENSE file for details.
[ "$DEBUG" ] && set -x
# Prefer Dash shell for greater security if available
if [ "$BASH" ] && command -v dash > /dev/null; then
exec dash "$0" "$@"
fi
# Test for 4-bit color (16 colors)
# Operand "colors" is undefined by POSIX
# If the operand doesn't exist, the terminal probably doesn't support color and the program will continue normally without it
if [ "0$(tput colors 2> /dev/null)" -ge 16 ]; then
RED='\033[0;31m'
BLUE='\033[0;34m'
GREEN='\033[0;32m'
NC='\033[0m'
fi
# Avoid printing messages as potential terminal escape sequences
echo_ok() { printf "%b%s%b" "${GREEN}[+]${NC} " "$1" "\n" >&2; }
echo_info() { printf "%b%s%b" "${BLUE}[i]${NC} " "$1" "\n" >&2; }
echo_err() { printf "%b%s%b" "${RED}[!]${NC} " "$1" "\n" >&2; }
# https://pubs.opengroup.org/onlinepubs/9699919799/utilities/fold.html
format() { fold -s; }
word_count() { echo $#; }
usage() {
echo "Mido - The Secure Microsoft Windows Downloader"
echo ""
echo "Usage: $0 <windows_media>..."
echo ""
echo "Download specified list of Windows media."
echo ""
echo "Specify \"all\", or one or more of the following Windows media:"
echo " win7x64-ultimate"
echo " win81x64"
echo " win10x64"
echo " win11x64"
echo " win81x64-enterprise-eval"
echo " win10x64-enterprise-eval"
echo " win11x64-enterprise-eval"
echo " win10x64-enterprise-ltsc-eval (most secure)"
echo " win2008r2"
echo " win2012r2-eval"
echo " win2016-eval"
echo " win2019-eval"
echo " win2022-eval"
echo ""
echo "Each ISO download takes between 3 - 7 GiBs (average: 5 GiBs)."
echo ""
echo "Updates"
echo "-------"
echo "All the downloads provided here are the most up-to-date releases that Microsoft provides. This is ensured by programmatically checking Microsoft's official download pages to get the latest download link. In other cases, the Windows version in question is no longer supported by Microsoft meaning a direct download link (stored in Mido) will always point to the most up-to-date release." | format
echo ""
echo "Remember to update Windows to the latest patch level after installation."
echo ""
echo "Overuse"
echo "-------"
echo "Newer consumer versions of Windows including win81x64, win10x64, and win11x64 are downloaded through Microsoft's gated download web interface. Do not overuse this interface. Microsoft may be quick to do ~24 hour IP address bans after only a few download requests (especially if they are done in quick succession). Being temporarily banned from one of these downloads (e.g. win11x64) doesn't cause you to be banned from any of the other downloads provided through this interface." | format
echo ""
echo "Privacy Preserving Technologies"
echo "-------------------------------"
echo "The aforementioned Microsoft gated download web interface is currently blocking Tor (and similar technologies). They say this is to prevent people in restricted regions from downloading certain Windows media they shouldn't have access to. This is fine by most standards because Tor is too slow for large downloads anyway and we have checksum verification for security." | format
echo ""
echo "Language"
echo "--------"
echo "All the downloads provided here are for English (United States). This helps to great simplify maintenance and minimize the user's fingerprint. If another language is desired then that can easily be configured in Windows once it's installed." | format
echo ""
echo "Architecture"
echo "------------"
echo "All the downloads provided here are for x86-64 (x64). This is the only architecture Microsoft ships Windows Server in.$([ -d /run/qubes ] && echo ' Also, the only architecture Qubes OS supports.')" | format
}
# Media naming scheme info:
# Windows Server has no architecture because Microsoft only supports amd64 for this version of Windows (the last version to support x86 was Windows Server 2008 without the R2)
# "eval" is short for "evaluation", it's simply the license type included with the Windows installation (only exists on enterprise/server) and must be specified in the associated answer file
# "win7x64" has the "ultimate" edition appended to it because it isn't "multi-edition" like the other Windows ISOs (for multi-edition ISOs the edition is specified in the associated answer file)
readonly win7x64_ultimate="win7x64-ultimate.iso"
readonly win81x64="win81x64.iso"
readonly win10x64="win10x64.iso"
readonly win11x64="win11x64.iso"
readonly win81x64_enterprise_eval="win81x64-enterprise-eval.iso"
readonly win10x64_enterprise_eval="win10x64-enterprise-eval.iso"
readonly win11x64_enterprise_eval="win11x64-enterprise-eval.iso"
readonly win10x64_enterprise_ltsc_eval="win10x64-enterprise-ltsc-eval.iso"
readonly win2008r2="win2008r2.iso"
readonly win2012r2_eval="win2012r2-eval.iso"
readonly win2016_eval="win2016-eval.iso"
readonly win2019_eval="win2019-eval.iso"
readonly win2022_eval="win2022-eval.iso"
parse_args() {
for arg in "$@"; do
if [ "$arg" = "-h" ] || [ "$arg" = "--help" ]; then
usage
exit
fi
done
if [ $# -lt 1 ]; then
usage >&2
exit 1
fi
# Append to media_list so media is downloaded in the order they're passed in
for arg in "$@"; do
case "$arg" in
win7x64-ultimate)
media_list="$media_list $win7x64_ultimate"
;;
win81x64)
media_list="$media_list $win81x64"
;;
win10x64)
media_list="$media_list $win10x64"
;;
win11x64)
media_list="$media_list $win11x64"
;;
win81x64-enterprise-eval)
media_list="$media_list $win81x64_enterprise_eval"
;;
win10x64-enterprise-eval)
media_list="$media_list $win10x64_enterprise_eval"
;;
win11x64-enterprise-eval)
media_list="$media_list $win11x64_enterprise_eval"
;;
win10x64-enterprise-ltsc-eval)
media_list="$media_list $win10x64_enterprise_ltsc_eval"
;;
win2008r2)
media_list="$media_list $win2008r2"
;;
win2012r2-eval)
media_list="$media_list $win2012r2_eval"
;;
win2016-eval)
media_list="$media_list $win2016_eval"
;;
win2019-eval)
media_list="$media_list $win2019_eval"
;;
win2022-eval)
media_list="$media_list $win2022_eval"
;;
all)
media_list="$win7x64_ultimate $win81x64 $win10x64 $win11x64 $win81x64_enterprise_eval $win10x64_enterprise_eval $win11x64_enterprise_eval $win10x64_enterprise_ltsc_eval $win2008r2 $win2012r2_eval $win2016_eval $win2019_eval $win2022_eval"
break
;;
*)
echo_err "Invalid Windows media specified: $arg"
exit 1
;;
esac
done
}
handle_curl_error() {
error_code="$1"
fatal_error_action=2
case "$error_code" in
6)
echo_err "Failed to resolve Microsoft servers! Is there an Internet connection? Exiting..."
return "$fatal_error_action"
;;
7)
echo_err "Failed to contact Microsoft servers! Is there an Internet connection or is the server down?"
;;
8)
echo_err "Microsoft servers returned a malformed HTTP response!"
;;
22)
echo_err "Microsoft servers returned a failing HTTP status code!"
;;
23)
echo_err "Failed at writing Windows media to disk! Out of disk space or permission error? Exiting..."
return "$fatal_error_action"
;;
26)
echo_err "Ran out of memory during download! Exiting..."
return "$fatal_error_action"
;;
36)
echo_err "Failed to continue earlier download!"
;;
63)
echo_err "Microsoft servers returned an unexpectedly large response!"
;;
# POSIX defines exit statuses 1-125 as usable by us
# https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_08_02
$((error_code <= 125)))
# Must be some other server or network error (possibly with this specific request/file)
# This is when accounting for all possible errors in the curl manual assuming a correctly formed curl command and HTTP(S) request, using only the curl features we're using, and a sane build
echo_err "Miscellaneous server or network error!"
;;
126 | 127)
echo_err "Curl command not found! Please install curl and try again. Exiting..."
return "$fatal_error_action"
;;
# Exit statuses are undefined by POSIX beyond this point
*)
case "$(kill -l "$error_code")" in
# Signals defined to exist by POSIX:
# https://pubs.opengroup.org/onlinepubs/009695399/basedefs/signal.h.html
INT)
echo_err "Curl was interrupted!"
;;
# There could be other signals but these are most common
SEGV | ABRT)
echo_err "Curl crashed! Failed exploitation attempt? Please report any core dumps to curl developers. Exiting..."
return "$fatal_error_action"
;;
*)
echo_err "Curl terminated due to a fatal signal!"
;;
esac
esac
return 1
}
part_ext=".PART"
unverified_ext=".UNVERIFIED"
scurl_file() {
out_file="$1"
tls_version="$2"
url="$3"
part_file="${out_file}${part_ext}"
# --location: Microsoft likes to change which endpoint these downloads are stored on but is usually kind enough to add redirects
# --fail: Return an error on server errors where the HTTP response code is 400 or greater
curl --progress-bar --location --output "$part_file" --continue-at - --max-filesize 10G --fail --proto =https "--tlsv$tls_version" --http1.1 -- "$url" || {
error_code=$?
handle_curl_error "$error_code"
error_action=$?
# Clean up and make sure future resumes don't happen from bad download resume files
if [ -f "$out_file" ]; then
# If file is empty, bad HTTP code, or bad download resume file
if [ ! -s "$out_file" ] || [ "$error_code" = 22 ] || [ "$error_code" = 36 ]; then
echo_info "Deleting failed download..."
rm -f "$out_file"
fi
fi
return "$error_action"
}
# Full downloaded succeeded, ready for verification check
mv "$part_file" "${out_file}"
}
manual_verification() {
media_verification_failed_list="$1"
checksum_verification_failed_list="$2"
echo_info "Manual verification instructions"
echo " 1. Get checksum (may already be done for you):" >&2
echo " sha256sum <ISO_FILENAME>" >&2
echo "" >&2
echo " 2. Verify media:" >&2
echo " Web search: https://duckduckgo.com/?q=%22CHECKSUM_HERE%22" >&2
echo " Onion search: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/?q=%22CHECKSUM_HERE%22" >&2
echo " \"No results found\" or unexpected results indicates the media has been modified and should not be used." >&2
echo "" >&2
echo " 3. Remove the $unverified_ext extension from the file after performing or deciding to skip verification (not recommended):" >&2
echo " mv <ISO_FILENAME>$unverified_ext <ISO_FILENAME>" >&2
echo "" >&2
for media in $media_verification_failed_list; do
# Read current checksum in list and then read remaining checksums back into the list (effectively running "shift" on the variable)
# POSIX sh doesn't support indexing so do this instead to iterate both lists at once
# POSIX sh doesn't support here-strings (<<<). We could also use the "cut" program but that's not a builtin
IFS=' ' read -r checksum checksum_verification_failed_list << EOF
$checksum_verification_failed_list
EOF
echo " ${media}${unverified_ext} = $checksum" >&2
echo " Web search: https://duckduckgo.com/?q=%22$checksum%22" >&2
echo " Onion search: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/?q=%22$checksum%22" >&2
echo " mv ${media}${unverified_ext} $media" >&2
echo "" >&2
done
echo " Theses searches can be performed in a web/Tor browser or more securely using" >&2
echo " ddgr (Debian/Fedora packages available) terminal search tool if preferred." >&2
echo " Once validated, consider updating the checksums in Mido by submitting a pull request on GitHub." >&2
# If you're looking for a single secondary source to cross-reference checksums then try here: https://files.rg-adguard.net/search
# This site is recommended by the creator of Rufus in the Fido README and has worked well for me
}
consumer_download() {
# Copyright (C) 2024 Elliot Killick <contact@elliotkillick.com>
# Licensed under the MIT License. See LICENSE file for details.
#
# This function is from the Mido project:
# https://github.com/ElliotKillick/Mido
# Download newer consumer Windows versions from behind gated Microsoft API
out_file="$1"
# Either 8, 10, or 11
windows_version="$2"
url="https://www.microsoft.com/en-us/software-download/windows$windows_version"
case "$windows_version" in
8 | 10) url="${url}ISO" ;;
esac
user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
# uuidgen: For MacOS (installed by default) and other systems (e.g. with no /proc) that don't have a kernel interface for generating random UUIDs
session_id="$(cat /proc/sys/kernel/random/uuid 2> /dev/null || uuidgen --random)"
# Get product edition ID for latest release of given Windows version
# Product edition ID: This specifies both the Windows release (e.g. 22H2) and edition ("multi-edition" is default, either Home/Pro/Edu/etc., we select "Pro" in the answer files) in one number
# This is a request we make that Fido doesn't. Fido manually maintains a list of all the Windows release/edition product edition IDs in its script (see: $WindowsVersions array). This is helpful for downloading older releases (e.g. Windows 10 1909, 21H1, etc.) but we always want to get the newest release which is why we get this value dynamically
# Also, keeping a "$WindowsVersions" array like Fido does would be way too much of a maintenance burden
# Remove "Accept" header that curl sends by default (match Fido requests)
iso_download_page_html="$(curl -sS --user-agent "$user_agent" --header "Accept:" --max-filesize 1M --fail --proto =https --tlsv1.2 --http1.1 -- "$url")" || {
handle_curl_error $?
return $?
}
# tr: Filter for only numerics to prevent HTTP parameter injection
# head -c was recently added to POSIX: https://austingroupbugs.net/view.php?id=407
product_edition_id="$(echo "$iso_download_page_html" | grep -Eo '<option value="[0-9]+">Windows' | cut -d '"' -f 2 | head -n 1 | tr -cd '0-9' | head -c 16)"
[ "$VERBOSE" ] && echo "Product edition ID: $product_edition_id" >&2
# Permit Session ID
# "org_id" is always the same value
curl -sS --output /dev/null --user-agent "$user_agent" --header "Accept:" --max-filesize 100K --fail --proto =https --tlsv1.2 --http1.1 -- "https://vlscppe.microsoft.com/tags?org_id=y6jn8c31&session_id=$session_id" || {
# This should only happen if there's been some change to how this API works
handle_curl_error $?
return $?
}
# Extract everything after the last slash
url_segment_parameter="${url##*/}"
# Get language -> skuID association table
# SKU ID: This specifies the language of the ISO. We always use "English (United States)", however, the SKU for this changes with each Windows release
# We must make this request so our next one will be allowed
# --data "" is required otherwise no "Content-Length" header will be sent causing HTTP response "411 Length Required"
language_skuid_table_html="$(curl -sS --request POST --user-agent "$user_agent" --data "" --header "Accept:" --max-filesize 10K --fail --proto =https --tlsv1.2 --http1.1 -- "https://www.microsoft.com/en-US/api/controls/contentinclude/html?pageId=a8f8f489-4c7f-463a-9ca6-5cff94d8d041&host=www.microsoft.com&segments=software-download,$url_segment_parameter&query=&action=getskuinformationbyproductedition&sessionId=$session_id&productEditionId=$product_edition_id&sdVersion=2")" || {
handle_curl_error $?
return $?
}
# tr: Filter for only alphanumerics or "-" to prevent HTTP parameter injection
sku_id="$(echo "$language_skuid_table_html" | grep "English (United States)" | sed 's/&quot;//g' | cut -d ',' -f 1 | cut -d ':' -f 2 | tr -cd '[:alnum:]-' | head -c 16)"
[ "$VERBOSE" ] && echo "SKU ID: $sku_id" >&2
# Get ISO download link
# If any request is going to be blocked by Microsoft it's always this last one (the previous requests always seem to succeed)
# --referer: Required by Microsoft servers to allow request
iso_download_link_html="$(curl -sS --request POST --user-agent "$user_agent" --data "" --referer "$url" --header "Accept:" --max-filesize 100K --fail --proto =https --tlsv1.2 --http1.1 -- "https://www.microsoft.com/en-US/api/controls/contentinclude/html?pageId=6e2a1789-ef16-4f27-a296-74ef7ef5d96b&host=www.microsoft.com&segments=software-download,$url_segment_parameter&query=&action=GetProductDownloadLinksBySku&sessionId=$session_id&skuId=$sku_id&language=English&sdVersion=2")" || {
# This should only happen if there's been some change to how this API works
handle_curl_error $?
return $?
}
if ! [ "$iso_download_link_html" ]; then
# This should only happen if there's been some change to how this API works
echo_err "Microsoft servers gave us an empty response to our request for an automated download. Please manually download this ISO in a web browser: $url"
manual_verification="true"
return 1
fi
if echo "$iso_download_link_html" | grep -q "We are unable to complete your request at this time."; then
echo_err "Microsoft blocked the automated download request based on your IP address. Please manually download this ISO in a web browser here: $url"
manual_verification="true"
return 1
fi
# Filter for 64-bit ISO download URL
# sed: HTML decode "&" character
# tr: Filter for only alphanumerics or punctuation
iso_download_link="$(echo "$iso_download_link_html" | grep -o "https://software.download.prss.microsoft.com.*IsoX64" | cut -d '"' -f 1 | sed 's/&amp;/\&/g' | tr -cd '[:alnum:][:punct:]' | head -c 512)"
if ! [ "$iso_download_link" ]; then
# This should only happen if there's been some change to the download endpoint web address
echo_err "Microsoft servers gave us no download link to our request for an automated download. Please manually download this ISO in a web browser: $url"
manual_verification="true"
return 1
fi
echo_ok "Got latest ISO download link (valid for 24 hours): $iso_download_link"
# Download ISO
scurl_file "$out_file" "1.3" "$iso_download_link"
}
enterprise_eval_download() {
# Copyright (C) 2024 Elliot Killick <contact@elliotkillick.com>
# Licensed under the MIT License. See LICENSE file for details.
#
# This function is from the Mido project:
# https://github.com/ElliotKillick/Mido
# Download enterprise evaluation Windows versions
out_file="$1"
windows_version="$2"
enterprise_type="$3"
url="https://www.microsoft.com/en-us/evalcenter/download-$windows_version"
iso_download_page_html="$(curl -sS --location --max-filesize 1M --fail --proto =https --tlsv1.2 --http1.1 -- "$url")" || {
handle_curl_error $?
return $?
}
if ! [ "$iso_download_page_html" ]; then
# This should only happen if there's been some change to where this download page is located
echo_err "Windows enterprise evaluation download page gave us an empty response"
return 1
fi
iso_download_links="$(echo "$iso_download_page_html" | grep -o "https://go.microsoft.com/fwlink/p/?LinkID=[0-9]\+&clcid=0x[0-9a-z]\+&culture=en-us&country=US")" || {
# This should only happen if there's been some change to the download endpoint web address
echo_err "Windows enterprise evaluation download page gave us no download link"
return 1
}
# Limit untrusted size for input validation
iso_download_links="$(echo "$iso_download_links" | head -c 1024)"
case "$enterprise_type" in
# Select x64 download link
"enterprise") iso_download_link=$(echo "$iso_download_links" | head -n 2 | tail -n 1) ;;
# Select x64 LTSC download link
"ltsc") iso_download_link=$(echo "$iso_download_links" | head -n 4 | tail -n 1) ;;
*) iso_download_link="$iso_download_links" ;;
esac
# Follow redirect so proceeding log message is useful
# This is a request we make this Fido doesn't
# We don't need to set "--max-filesize" here because this is a HEAD request and the output is to /dev/null anyway
iso_download_link="$(curl -sS --location --output /dev/null --silent --write-out "%{url_effective}" --head --fail --proto =https --tlsv1.2 --http1.1 -- "$iso_download_link")" || {
# This should only happen if the Microsoft servers are down
handle_curl_error $?
return $?
}
# Limit untrusted size for input validation
iso_download_link="$(echo "$iso_download_link" | head -c 1024)"
echo_ok "Got latest ISO download link: $iso_download_link"
# Use highest TLS version for endpoints that support it
case "$iso_download_link" in
"https://download.microsoft.com"*) tls_version="1.2" ;;
*) tls_version="1.3" ;;
esac
# Download ISO
scurl_file "$out_file" "$tls_version" "$iso_download_link"
}
download_media() {
echo_info "Downloading Windows media from official Microsoft servers..."
media_download_failed_list=""
for media in $media_list; do
case "$media" in
"$win7x64_ultimate")
echo_info "Downloading Windows 7..."
# Source, Google search this (it can be found many places): "dec04cbd352b453e437b2fe9614b67f28f7c0b550d8351827bc1e9ef3f601389" "download.microsoft.com"
# This Windows 7 ISO bundles MSU update packages
# It's the most up-to-date Windows 7 ISO that Microsoft offers (August 2018 update): https://files.rg-adguard.net/files/cea4210a-3474-a17a-88d4-4b3e10bd9f66
# Of particular interest to us is the update that adds support for SHA-256 driver signatures so Qubes Windows Tools installs correctly
#
# Microsoft purged Windows 7 from all their servers...
# More info about this event: https://github.com/pbatard/Fido/issues/64
# Luckily, the ISO is still available on the Wayback Machine so get the last copy of it from there
# This is still secure because we validate with the checksum from before the purge
# The only con then is that web.archive.org is a much slower download source than the Microsoft servers
echo_info "Microsoft has unfortunately purged all downloads of Windows 7 from their servers so this identical download is sourced from: web.archive.org"
scurl_file "$media" "1.3" "https://web.archive.org/web/20221228154140/https://download.microsoft.com/download/5/1/9/5195A765-3A41-4A72-87D8-200D897CBE21/7601.24214.180801-1700.win7sp1_ldr_escrow_CLIENT_ULTIMATE_x64FRE_en-us.iso"
;;
"$win81x64")
echo_info "Downloading Windows 8.1..."
consumer_download "$media" 8
;;
"$win10x64")
echo_info "Downloading Windows 10..."
consumer_download "$media" 10
;;
"$win11x64")
echo_info "Downloading Windows 11..."
consumer_download "$media" 11
;;
"$win81x64_enterprise_eval")
echo_info "Downloading Windows 8.1 Enterprise Evaluation..."
# This download link is "Update 1": https://files.rg-adguard.net/file/166cbcab-1647-53d5-1785-6ef9e22a6500
# A more up-to-date "Update 3" enterprise ISO exists but it was only ever distributed by Microsoft through MSDN which means it's impossible to get a Microsoft download link now: https://files.rg-adguard.net/file/549a58f2-7813-3e77-df6c-50609bc6dd7c
# win81x64 is "Update 3" but that's isn't an enterprise version (although technically it's possible to modify a few files in the ISO to get any edition)
# If you want "Update 3" enterprise though (not from Microsoft servers), then you should still be able to get it from here: https://archive.org/details/en_windows_8.1_enterprise_with_update_x64_dvd_6054382_202110
# "Update 1" enterprise also seems to be the ISO used by other projects
# Old source, used to be here but Microsoft deleted it: http://technet.microsoft.com/en-us/evalcenter/hh699156.aspx
# Source: https://gist.github.com/eyecatchup/11527136b23039a0066f
scurl_file "$media" "1.2" "https://download.microsoft.com/download/B/9/9/B999286E-0A47-406D-8B3D-5B5AD7373A4A/9600.17050.WINBLUE_REFRESH.140317-1640_X64FRE_ENTERPRISE_EVAL_EN-US-IR3_CENA_X64FREE_EN-US_DV9.ISO"
;;
"$win10x64_enterprise_eval")
echo_info "Downloading Windows 10 Enterprise Evaluation..."
enterprise_eval_download "$media" windows-10-enterprise enterprise
;;
"$win11x64_enterprise_eval")
echo_info "Downloading Windows 11 Enterprise Evaluation..."
enterprise_eval_download "$media" windows-11-enterprise enterprise
;;
"$win10x64_enterprise_ltsc_eval")
echo_info "Downloading Windows 10 Enterprise LTSC Evaluation..."
enterprise_eval_download "$media" windows-10-enterprise ltsc
;;
"$win2008r2")
echo_info "Downloading Windows Server 2008 R2..."
# Old source, used to be here but Microsoft deleted it: https://www.microsoft.com/en-us/download/details.aspx?id=11093
# Microsoft took down the original download link provided by that source too but this new one has the same checksum
# Source: https://github.com/rapid7/metasploitable3/pull/563
scurl_file "$media" "1.2" "https://download.microsoft.com/download/4/1/D/41DEA7E0-B30D-4012-A1E3-F24DC03BA1BB/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso"
;;
"$win2012r2_eval")
echo_info "Downloading Windows Server 2012 R2 Evaluation..."
enterprise_eval_download "$media" windows-server-2012-r2 server
;;
"$win2016_eval")
echo_info "Downloading Windows Server 2016 Evaluation..."
enterprise_eval_download "$media" windows-server-2016 server
;;
"$win2019_eval")
echo_info "Downloading Windows Server 2019 Evaluation..."
enterprise_eval_download "$media" windows-server-2019 server
;;
"$win2022_eval")
echo_info "Downloading Windows Server 2022 Evaluation..."
enterprise_eval_download "$media" windows-server-2022 server
;;
esac || {
error_action=$?
media_download_failed_list="$media_download_failed_list $media"
# Return immediately on a fatal error action
if [ "$error_action" = 2 ]; then
return
fi
}
done
}
verify_media() {
# SHA256SUMS file
# Some of these Windows ISOs are EOL (e.g. win81x64) so their checksums will always match
# For all other Windows ISOs, a new release will make their checksums no longer match
#
# IMPORTANT: These checksums are not necessarily subject to being updated
# Unfortunately, the maintenance burden would be too large and even if I did there would still be some time gap between Microsoft releasing a new ISO and me updating the checksum (also, users would have to update this script)
# For these reasons, I've opted for a slightly more manual verification where you have to look up the checksum to see if it's a well-known Windows ISO checksum
# Ultimately, you have to trust Microsft because they could still include a backdoor in the verified ISO (keeping Windows air gapped could help with this)
# Community contributions for these checksums are welcome
#
# Leading backslash is to avoid prepending a newline while maintaining alignment
readonly sha256sums="\
dec04cbd352b453e437b2fe9614b67f28f7c0b550d8351827bc1e9ef3f601389 win7x64-ultimate.iso
d8333cf427eb3318ff6ab755eb1dd9d433f0e2ae43745312c1cd23e83ca1ce51 win81x64.iso
# Windows 10 22H2
a6f470ca6d331eb353b815c043e327a347f594f37ff525f17764738fe812852e win10x64.iso
# Windows 11 23H2 v2
36de5ecb7a0daa58dce68c03b9465a543ed0f5498aa8ae60ab45fb7c8c4ae402 win11x64.iso
2dedd44c45646c74efc5a028f65336027e14a56f76686a4631cf94ffe37c72f2 win81x64-enterprise-eval.iso
ef7312733a9f5d7d51cfa04ac497671995674ca5e1058d5164d6028f0938d668 win10x64-enterprise-eval.iso
ebbc79106715f44f5020f77bd90721b17c5a877cbc15a3535b99155493a1bb3f win11x64-enterprise-eval.iso
e4ab2e3535be5748252a8d5d57539a6e59be8d6726345ee10e7afd2cb89fefb5 win10x64-enterprise-ltsc-eval.iso
30832ad76ccfa4ce48ccb936edefe02079d42fb1da32201bf9e3a880c8ed6312 win2008r2.iso
6612b5b1f53e845aacdf96e974bb119a3d9b4dcb5b82e65804ab7e534dc7b4d5 win2012r2-eval.iso
1ce702a578a3cb1ac3d14873980838590f06d5b7101c5daaccbac9d73f1fb50f win2016-eval.iso
6dae072e7f78f4ccab74a45341de0d6e2d45c39be25f1f5920a2ab4f51d7bcbb win2019-eval.iso
3e4fa6d8507b554856fc9ca6079cc402df11a8b79344871669f0251535255325 win2022-eval.iso"
# Read sha256sums line-by-line to build known checksum and media lists
# Only use shell builtins for better security and stability
# Don't use a for loop because IFS cannot temporarily be set using that
while IFS="$(printf '\n')" read -r line; do
# Ignore comments and empty lines
case "$line" in
"#"* | "") continue ;;
esac
# Read first and second words of line
IFS=' ' read -r known_checksum known_media _ << EOF
$line
EOF
known_checksum_list="$known_checksum_list $known_checksum"
known_media_list="$known_media_list $known_media"
done << EOF
$sha256sums
EOF
media_verification_failed_list=""
checksum_verification_failed_list=""
for media in $media_list; do
# Scan for unverified media files
if ! [ -f "${media}${unverified_ext}" ]; then
continue
fi
if [ "$verify_media_message_shown" != "true" ]; then
echo_info "Verifying integrity..."
verify_media_message_shown="true"
fi
checksum_line="$(sha256sum "${media}${unverified_ext}")"
# Get first word of checksum line
IFS=' ' read -r checksum _ << EOF
$checksum_line
EOF
# Sanity check: Assert correct size of SHA-256 checksum
if [ ${#checksum} != 64 ]; then
echo_err "Failed SHA-256 sanity check! Exiting..."
exit 2
fi
known_checksum_list_iterator="$known_checksum_list"
# Search known media and checksum lists for the current media
for known_media in $known_media_list; do
IFS=' ' read -r known_checksum known_checksum_list_iterator << EOF
$known_checksum_list_iterator
EOF
if [ "$media" = "$known_media" ]; then
break
fi
done
# Verify current media integrity
if [ "$checksum" = "$known_checksum" ]; then
echo "$media: OK"
mv "${media}${unverified_ext}" "$media"
else
echo "$media: UNVERIFIED"
media_verification_failed_list="$media_verification_failed_list $media"
checksum_verification_failed_list="$checksum_verification_failed_list $checksum"
fi
# Reset known checksum list iterator so we can iterate on it again for the next media
known_checksum_list_iterator="$known_checksum_list"
done
}
ending_summary() {
echo "" >&2
if [ "$media_download_failed_list" ]; then
for media in $media_download_failed_list; do
media_download_failed_argument_list="$media_download_failed_argument_list ${media%%.iso}"
done
# shellcheck disable=SC2086
echo_err "$(word_count $media_download_failed_list) attempted download(s) failed! Please re-run Mido with these arguments to try downloading again (any partial downloads will be resumed):$media_download_failed_argument_list"
fi
# Exit codes
# 0: Success
# 1: Argument parsing error
# 2: Runtime error (see error message for more info)
# 3: One or more downloads failed
# 4: One or more verifications failed
# 5: At least one download and one verification failed (when more than one media is specified)
exit_code=0
# Determine exit code
if [ "$media_download_failed_list" ] && [ "$media_verification_failed_list" ]; then
exit_code=5
else
if [ "$media_download_failed_list" ]; then
exit_code=3
elif [ "$media_verification_failed_list" ]; then
exit_code=4
fi
fi
trap -- - EXIT
if [ "$exit_code" = 0 ]; then
echo_ok "Successfully downloaded Windows image!"
else
echo_ok "Finished! Please see the above errors with information"
exit "$exit_code"
fi
}
# https://unix.stackexchange.com/questions/752570/why-does-trap-passthough-zero-instead-of-the-signal-the-process-was-killed-wit
handle_exit() {
exit_code=$?
signal="$1"
if [ "$exit_code" != 0 ] || [ "$signal" ]; then
echo "" >&2
echo_err "Mido was exited abruptly! PARTially downloaded or UNVERIFIED Windows media may exist. Please re-run this Mido command and do not use the bad media."
fi
if [ "$exit_code" != 0 ]; then
trap -- - EXIT
exit "$exit_code"
elif [ "$signal" ]; then
trap -- - "$signal"
kill -s "$signal" -- $$
fi
}
# Enable exiting on error
#
# Disable shell globbing
# This isn't necessary given that all unquoted variables (e.g. for determining word count) are set directly by us but it's just a precaution
set -ef
# IFS defaults to many different kinds of whitespace but we only care about space
# Note: This means that ISO filenames cannot contain spaces but that's a bad idea anyway
IFS=' '
parse_args "$@"
# POSIX sh doesn't include signals in its EXIT trap so do it ourselves
signo=1
while true; do
# "kill" is a shell builtin
# shellcheck disable=SC2064
case "$(kill -l "$signo" 2> /dev/null)" in
# Trap on all catchable terminating signals as defined by POSIX
# Stop (i.e. suspend) signals (like Ctrl + Z or TSTP) are fine because they can be resumed
# Most signals result in termination so this way is easiest (Linux signal(7) only adds more terminating signals)
#
# https://pubs.opengroup.org/onlinepubs/009695399/basedefs/signal.h.html
# https://unix.stackexchange.com/a/490816
# Signal WINCH was recently added to POSIX: https://austingroupbugs.net/view.php?id=249
CHLD | CONT | URG | WINCH | KILL | STOP | TSTP | TTIN | TTOU) ;;
*) trap "handle_exit $signo" "$signo" 2> /dev/null || break ;;
esac
signo=$((signo + 1))
done
trap handle_exit EXIT
download_media
verify_media
ending_summary