From b86e5d8409273144dc0f014d1604d5a7b6d116e8 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 2 Dec 2025 08:51:01 -0700 Subject: [PATCH 01/10] =?UTF-8?q?pkgbase:=20document=20using=20=E2=80=94ro?= =?UTF-8?q?otdir=20better?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/chapters/pkgbase.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/chapters/pkgbase.rst b/docs/chapters/pkgbase.rst index 10fd14da..9cbaed71 100644 --- a/docs/chapters/pkgbase.rst +++ b/docs/chapters/pkgbase.rst @@ -49,6 +49,7 @@ before attempting to upgrade to 16.0-RELEASE. This can be done in two ways. ./pkgbasify.lua 2. Fetch the ``pkgbasify`` script and run it from the host using ``--rootdir``. + This requires using PR 34 in the ``pkgbasify`` repo. .. code-block:: shell From 3d61def3082c2a4c3d17a91c276e622aee37f9c3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 2 Dec 2025 11:44:43 -0700 Subject: [PATCH 02/10] bootstrap: also rm directories --- usr/local/share/bastille/bootstrap.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 5b55fb08..1e9629c9 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -177,7 +177,8 @@ cleanup_directories() { zfs destroy "${bastille_zfs_zpool:?}/${bastille_zfs_prefix:?}/releases/${RELEASE}" fi fi - elif [ -d "${bastille_cachedir}/${RELEASE}" ]; then + fi + if [ -d "${bastille_cachedir}/${RELEASE}" ]; then if [ -d "${bastille_cachedir}/${RELEASE}" ]; then rm -rf "${bastille_cachedir:?}/${RELEASE}" fi From 9bdd0f45879cccece133251d2f85b5e9c8617ee8 Mon Sep 17 00:00:00 2001 
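Review bot: With the `elif` in cleanup_directories turned into a separate `if`, the `rm -rf "${bastille_cachedir:?}/${RELEASE}"` branch now also runs on ZFS hosts, and `${RELEASE}` is the only unguarded part of that path: an empty value would remove the whole cache directory. Guard it the same way as the prefix, `rm -rf "${bastille_cachedir:?}/${RELEASE:?}"`; the `zfs destroy` context line above has the same unguarded `${RELEASE}`. The inner `if [ -d "${bastille_cachedir}/${RELEASE}" ]` now repeats the outer test verbatim and can be dropped. The function starts and ends outside the hunk.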
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 2 Dec 2025 14:13:59 -0500 Subject: [PATCH 03/10] bootstrap: print full release --- usr/local/share/bastille/bootstrap.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 1e9629c9..c52059dd 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -190,11 +190,11 @@ cleanup_directories() { validate_release() { - info "\nAttempting to bootstrap ${PLATFORM_OS} release: ${RELEASE}" - # Set release name to sane release RELEASE="${NAME_VERIFY}" + info "\nAttempting to bootstrap ${PLATFORM_OS} release: ${RELEASE}" + ### FreeBSD ### if [ "${PLATFORM_OS}" = "FreeBSD" ]; then MAJOR_VERSION=$(echo ${RELEASE} | grep -Eo '^[0-9]+') From 8cb1b1ad2b67fce423ab6f193b926ad1506c4999 Mon Sep 17 00:00:00 2001 From: tschettervictor Date: Tue, 2 Dec 2025 12:35:53 -0700 Subject: [PATCH 04/10] pkgbase: fix fingerprints directory --- .../share/bastille/pkgbase/FreeBSD-base.conf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/pkgbase/FreeBSD-base.conf b/usr/local/share/bastille/pkgbase/FreeBSD-base.conf index 26c62044..6eb8f523 100644 --- a/usr/local/share/bastille/pkgbase/FreeBSD-base.conf +++ b/usr/local/share/bastille/pkgbase/FreeBSD-base.conf 
@@ -2,55 +2,55 @@ FreeBSD-base-latest: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_latest", mirror_type: "srv", signature_type: "fingerprints", - fingerprints: "/usr/share/keys/pkg", + fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}", enabled: yes } FreeBSD-base-weekly: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_weekly", mirror_type: "srv", signature_type: "fingerprints", - fingerprints: "/usr/share/keys/pkg", + fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}", enabled: yes } FreeBSD-base-release-0: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_0", mirror_type: "srv", signature_type: "fingerprints", - fingerprints: "/usr/share/keys/pkg", + fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}", enabled: yes } FreeBSD-base-release-1: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_1", mirror_type: "srv", signature_type: "fingerprints", - fingerprints: "/usr/share/keys/pkg", + fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}", enabled: yes } FreeBSD-base-release-2: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_2", mirror_type: "srv", signature_type: "fingerprints", - fingerprints: "/usr/share/keys/pkg", + fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}", enabled: yes } FreeBSD-base-release-3: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_3", mirror_type: "srv", signature_type: "fingerprints", - fingerprints: "/usr/share/keys/pkg", + fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}", enabled: yes } FreeBSD-base-release-4: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_4", mirror_type: "srv", signature_type: "fingerprints", - fingerprints: "/usr/share/keys/pkg", + fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}", enabled: yes } FreeBSD-base-release-5: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_5", mirror_type: "srv", signature_type: "fingerprints", - fingerprints: "/usr/share/keys/pkg", + fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}", enabled: 
yes } \ No newline at end of file From 3aedbdaf0e46f7a8caf3069e5fef1adb577e963a Mon Sep 17 00:00:00 2001 From: tschettervictor Date: Tue, 2 Dec 2025 13:13:14 -0700 Subject: [PATCH 05/10] update/upgrade: simplify vars --- usr/local/share/bastille/bootstrap.sh | 2 +- usr/local/share/bastille/update.sh | 32 +++++++++++++-------------- usr/local/share/bastille/upgrade.sh | 32 +++++++++++++++++++-------- 3 files changed, 40 insertions(+), 26 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index c52059dd..4496aac5 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -617,7 +617,7 @@ case "${RELEASE}" in UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/') FREEBSD_BRANCH="current" ;; - *-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) + *-release|*-RELEASE|*-rc[1-9]|*-RC[1-9]|*-beta[1-9]|*-BETA[1-9]) ### FreeBSD ### PLATFORM_OS="FreeBSD" NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]+)\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index 29028383..7ff12adc 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh 
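Review bot: All eight repositories in FreeBSD-base.conf now take their trust anchors from `/usr/share/keys/pkgbase-${VERSION_MAJOR}`, but nothing in the file says where that directory comes from or which root it is resolved against when pkg is driven from the host with `-r`/`--rootdir`. Because `signature_type` is `fingerprints`, a missing or incomplete directory presumably makes every repository fail verification (worth confirming against pkg's behaviour on a host older than the target release). A header comment would make the dependency explicit, for example `# fingerprints: directory must hold trusted/ (and revoked/) keys for the target major version`. The file also still ends without a trailing newline.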
@@ -123,18 +123,18 @@ jail_check() { JAIL_PLATFORM_OS="FreeBSD" fi - # Set CURRENT_VERSION - CURRENT_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) - if [ -z "${CURRENT_VERSION}" ]; then + # Set OLD_RELEASE + OLD_RELEASE=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) + if [ -z "${OLD_RELEASE}" ]; then error_exit "[ERROR]: Can't determine '${TARGET}' version." fi # Validate method (Legacy/PkgBase) if [ "${JAIL_PLATFORM_OS}" = "FreeBSD" ]; then # Validate update method - MINOR_VERSION=$(echo ${CURRENT_VERSION} | sed -E 's/^[0-9]+\.([0-9]+)-.*$/\1/') - MAJOR_VERSION=$(echo ${CURRENT_VERSION} | grep -Eo '^[0-9]+') - if echo "${CURRENT_VERSION}" | grep -oq "\-CURRENT"; then + MINOR_VERSION=$(echo ${OLD_RELEASE} | sed -E 's/^[0-9]+\.([0-9]+)-.*$/\1/') + MAJOR_VERSION=$(echo ${OLD_RELEASE} | grep -Eo '^[0-9]+') + if echo "${OLD_RELEASE}" | grep -oq "\-CURRENT"; then FREEBSD_BRANCH="current" else FREEBSD_BRANCH="release" @@ -181,10 +181,10 @@ jail_update() { fi # Update release version (including patch level) - NEW_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) - if [ "${CURRENT_VERSION}" != "${NEW_VERSION}" ]; then - bastille config ${TARGET} set osrelease ${NEW_VERSION} >/dev/null - info "\nUpgrade complete: ${CURRENT_VERSION} > ${NEW_VERSION}\n" + UPDATED_RELEASE=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) + if [ "${OLD_RELEASE}" != "${UPDATED_RELEASE}" ]; then + bastille config ${TARGET} set osrelease ${UPDATED_RELEASE} >/dev/null + info "\nUpgrade complete: ${OLD_RELEASE} > ${UPDATED_RELEASE}\n" else info "\nNo updates available.\n" fi 
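Review bot: `UPDATED_RELEASE` in jail_update is read from `freebsd-version` inside the jail and then expanded unquoted into a host-side command, `bastille config ${TARGET} set osrelease ${UPDATED_RELEASE}`, so whatever the jail prints is word-split and globbed into that command's arguments. It is also never checked for emptiness: if `jexec` fails (stderr is discarded), the empty string differs from `${OLD_RELEASE}`, the function reports a completed update and `bastille config` is called without a value. Suggested: `if [ -n "${UPDATED_RELEASE}" ] && [ "${OLD_RELEASE}" != "${UPDATED_RELEASE}" ]; then` and `bastille config "${TARGET}" set osrelease "${UPDATED_RELEASE}" >/dev/null`. The same pattern is in the jail_update_pkgbase hunk of this file and in jail_upgrade_pkgbase in upgrade.sh, and the `echo ${OLD_RELEASE}` pipelines in jail_check want quoting as well.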
@@ -233,10 +233,10 @@ jail_update_pkgbase() { fi # Update release version (including patch level) - NEW_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) - if [ "${CURRENT_VERSION}" != "${NEW_VERSION}" ]; then - bastille config ${TARGET} set osrelease ${NEW_VERSION} >/dev/null - info "\nUpgrade complete: ${CURRENT_VERSION} > ${NEW_VERSION}\n" + UPDATED_RELEASE=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) + if [ "${OLD_RELEASE}" != "${UPDATED_RELEASE}" ]; then + bastille config ${TARGET} set osrelease ${UPDATED_RELEASE} >/dev/null + info "\nUpgrade complete: ${OLD_RELEASE} > ${UPDATED_RELEASE}\n" else info "\nNo updates available.\n" fi @@ -436,9 +436,9 @@ case "${TARGET}" in NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]+)\.[0-9](-STABLE)$' | tr '[:lower:]' '[:upper:]') UPDATE_TARGET="RELEASE" ;; - *-release|*-RELEASE) + *-release|*-RELEASE|*-rc[1-9]|*-RC[1-9]|*-beta[1-9]|*-BETA[1-9]) PLATFORM_OS="FreeBSD" - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([0-9]+)\.[0-9](-RELEASE)$' | tr '[:lower:]' '[:upper:]') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([0-9]+)\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') UPDATE_TARGET="RELEASE" ;; current|CURRENT) diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index c7313d4d..84e331c2 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -137,7 +137,7 @@ thick_jail_check() { # Set VERSION OLD_RELEASE="$(${bastille_jailsdir}/${TARGET}/root/bin/freebsd-version 2>/dev/null)" OLD_CONFIG_RELEASE="$(bastille config ${TARGET} get osrelease)" - if [ -z "${OLD_RELEASE}" ]; then + if [ -z "${OLD_RELEASE}" ] || [ -z "${OLD_CONFIG_RELEASE}" ]; then error_exit "[ERROR]: Can't determine '${TARGET}' version." fi 
@@ -189,9 +189,9 @@ release_check() { PLATFORM_OS="FreeBSD" NAME_VERIFY=$(echo "${NEW_RELEASE}" | grep -iwE '^([1-9]+)\.[0-9](-STABLE)$' | tr '[:lower:]' '[:upper:]') ;; - *-release|*-RELEASE) + *-release|*-RELEASE|*-rc[1-9]|*-RC[1-9]|*-beta[1-9]|*-BETA[1-9]) PLATFORM_OS="FreeBSD" - NAME_VERIFY=$(echo "${NEW_RELEASE}" | grep -iwE '^([0-9]+)\.[0-9](-RELEASE)$' | tr '[:lower:]' '[:upper:]') + NAME_VERIFY=$(echo "${NEW_RELEASE}" | grep -iwE '^([0-9]+)\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') ;; current|CURRENT) PLATFORM_OS="HardenedBSD" @@ -321,9 +321,18 @@ jail_upgrade_pkgbase() { info "\n[${TARGET}]:" - if [ "${OLD_RELEASE}" = "${NEW_RELEASE}" ]; then - error_notify "[ERROR]: Jail is already running '${NEW_RELEASE}'" - error_exit "See 'bastille update TARGET' to update jail." + # Verify trusted pkg keys + if [ ! -f "${fingerprints}/trusted/awskms-${NEW_MAJOR_VERSION}" ]; then + if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/awskms-${NEW_MAJOR_VERSION} + then + error_exit "[ERROR]: Failed to fetch trusted pkg keys." + fi + fi + if [ ! -f "${fingerprints}/trusted/backup-signing-${NEW_MAJOR_VERSION}" ]; then + if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/backup-signing-${NEW_MAJOR_VERSION} + then + error_exit "[ERROR]: Failed to fetch trusted backup pkg keys." + fi fi # Upgrade jail with pkgbase (thick only) 
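Review bot: The two `fetch` calls added to jail_upgrade_pkgbase request cgit's `/tree/` URL, which serves the HTML file viewer rather than the file itself; the raw content is under `/plain/`, so as written an HTML page would be stored under `${fingerprints}/trusted`. More importantly, these files are the trust root for pkgbase signature checking and they are accepted from the network on first use with nothing beyond TLS to cgit.freebsd.org behind them; copying them from an already verified source (the host's or a bootstrapped release's `/usr/share/keys/pkgbase-N`, if available) would be the stronger option. At minimum, download to a temporary name, check that the result is shaped like a fingerprint file, and only then move it into place, with the URL quoted. `${fingerprints}` is defined outside the hunk, and the function starts before and continues past it.

```shell
    # Verify trusted pkg keys
    for _key in "awskms-${NEW_MAJOR_VERSION}" "backup-signing-${NEW_MAJOR_VERSION}"; do
        _keyfile="${fingerprints}/trusted/${_key}"
        [ -f "${_keyfile}" ] && continue
        if ! fetch -o "${_keyfile}.tmp" \
            "https://cgit.freebsd.org/src/plain/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/${_key}"; then
            rm -f "${_keyfile}.tmp"
            error_exit "[ERROR]: Failed to fetch trusted pkg key '${_key}'."
        fi
        # Sanity check only, not authentication: reject anything that is not
        # shaped like a pkg fingerprint file (e.g. an HTML page).
        # Assumes the usual 'fingerprint:' field - confirm against the shipped files.
        if ! grep -q '^fingerprint:' "${_keyfile}.tmp"; then
            rm -f "${_keyfile}.tmp"
            error_exit "[ERROR]: '${_key}' is not a pkg fingerprint file."
        fi
        mv "${_keyfile}.tmp" "${_keyfile}"
    done
    # … unchanged: "Upgrade jail with pkgbase (thick only)" …
```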
@@ -356,10 +365,15 @@ jail_upgrade_pkgbase() { fi # Update release version (including patch level) - NEW_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) - bastille config ${TARGET} set osrelease ${NEW_VERSION} >/dev/null 2>/dev/null + UPGRADED_RELEASE=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) + if [ "${OLD_RELEASE}" != "${UPGRADED_RELEASE}" ]; then + bastille config ${TARGET} set osrelease ${UPGRADED_RELEASE} >/dev/null 2>/dev/null + info "\nUpgrade complete: ${OLD_RELEASE} > ${UPGRADED_RELEASE}\n" + else + info "\nNo updates available.\n" + fi - info "\nUpgraded ${TARGET}: ${OLD_RELEASE} -> ${NEW_RELEASE}" + info "\nUpgraded ${TARGET}: ${OLD_RELEASE} -> ${UPGRADED_RELEASE}" else error_exit "[ERROR]: Not implemented for platform: ${PLATFORM_OS}" fi From 6f0e33fe9b5feb87dbf09c9f294bf06bd4992274 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 2 Dec 2025 15:24:20 -0500 Subject: [PATCH 06/10] upgrade: use pkgbase if jail is pkgbasified --- usr/local/share/bastille/upgrade.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index 84e331c2..639ab4a6 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -122,7 +122,7 @@ thick_jail_check() { else FREEBSD_BRANCH="release" fi - if [ "${NEW_MAJOR_VERSION}" -ge 16 ] || pkg -r "${bastille_jailsdir}/${TARGET}/root" which /usr/bin/uname > /dev/null 2>&1; then + if pkg -r "${bastille_jailsdir}/${TARGET}/root" which /usr/bin/uname > /dev/null 2>&1; then PKGBASE=1 fi @@ -438,4 +438,4 @@ case ${NEW_RELEASE} in fi fi ;; -esac \ No newline at end of file +esac From b0f90c2ffc2b2482b68eced4aa71cfd4de0a1636 Mon Sep 17 00:00:00 2001 
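Review bot: After the new `if`/`else` in jail_upgrade_pkgbase, the unconditional `info "\nUpgraded ${TARGET}: ${OLD_RELEASE} -> ${UPGRADED_RELEASE}"` still runs, so a run that prints "No updates available." is followed by an "Upgraded" line, and a successful run is reported twice. Drop the trailing line (or the one inside the `if`). The "No updates available" wording is also borrowed from update.sh; on the upgrade path an unchanged or empty `${UPGRADED_RELEASE}` more likely means the upgrade did not apply and probably deserves `error_notify` instead, though the pkg invocation that precedes this is outside the hunk.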
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 2 Dec 2025 15:25:18 -0500 Subject: [PATCH 07/10] update: better pkgbase check --- usr/local/share/bastille/update.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index 7ff12adc..863fcf0a 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -139,7 +139,7 @@ jail_check() { else FREEBSD_BRANCH="release" fi - if [ "${MAJOR_VERSION}" -ge 16 ] || pkg -r "${bastille_jailsdir}/${TARGET}/root" which /usr/bin/uname > /dev/null 2>&1; then + if pkg -r "${bastille_jailsdir}/${TARGET}/root" which /usr/bin/uname > /dev/null 2>&1; then PKGBASE=1 fi fi @@ -276,7 +276,7 @@ release_check() { else FREEBSD_BRANCH="release" fi - if [ "${MAJOR_VERSION}" -ge 16 ] || pkg -r "${bastille_releasesdir}/${TARGET}" which /usr/bin/uname > /dev/null 2>&1; then + if pkg -r "${bastille_releasesdir}/${TARGET}" which /usr/bin/uname > /dev/null 2>&1; then PKGBASE=1 fi fi @@ -489,4 +489,4 @@ case ${UPDATE_TARGET} in *) error_exit "[ERROR]: Unknown update target." ;; -esac \ No newline at end of file +esac From 0cc060932155190f69908bfcca7007ab6d0680dd Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 2 Dec 2025 15:31:12 -0500 Subject: [PATCH 08/10] update: better naming pattern --- usr/local/share/bastille/update.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index 863fcf0a..9b60da3d 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh 
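Review bot: With the `-ge 16` test removed, `PKGBASE` in jail_check and release_check depends only on the exit status of `pkg -r ... which /usr/bin/uname`, and because both streams go to `/dev/null`, a failure of pkg itself (not bootstrapped on the host, unreadable database) looks the same as "not a pkgbase system". In that case the script would presumably continue on the freebsd-update path without saying so. Consider documenting that with a comment such as `# a pkg failure is treated as "legacy"; PKGBASE stays unset`, or checking `pkg -N` first and warning when it fails. The same test is used in thick_jail_check in upgrade.sh (patch 06).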
@@ -184,7 +184,7 @@ jail_update() { UPDATED_RELEASE=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) if [ "${OLD_RELEASE}" != "${UPDATED_RELEASE}" ]; then bastille config ${TARGET} set osrelease ${UPDATED_RELEASE} >/dev/null - info "\nUpgrade complete: ${OLD_RELEASE} > ${UPDATED_RELEASE}\n" + info "\nUpdate complete: ${OLD_RELEASE} > ${UPDATED_RELEASE}\n" else info "\nNo updates available.\n" fi @@ -236,7 +236,7 @@ jail_update_pkgbase() { UPDATED_RELEASE=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null) if [ "${OLD_RELEASE}" != "${UPDATED_RELEASE}" ]; then bastille config ${TARGET} set osrelease ${UPDATED_RELEASE} >/dev/null - info "\nUpgrade complete: ${OLD_RELEASE} > ${UPDATED_RELEASE}\n" + info "\nUpdate complete: ${OLD_RELEASE} > ${UPDATED_RELEASE}\n" else info "\nNo updates available.\n" fi From a3a7235da74b8ea96664ca6f8ca3941797317f9c Mon Sep 17 00:00:00 2001 From: tschettervictor Date: Tue, 2 Dec 2025 15:43:52 -0700 Subject: [PATCH 09/10] upgrade: many fixes --- usr/local/share/bastille/upgrade.sh | 62 ++++++++++++++++------------- 1 file changed, 34 insertions(+), 28 deletions(-) diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index 639ab4a6..710d71a9 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -104,7 +104,15 @@ thick_jail_check() { error_exit "Use [-a|--auto] to auto-start the jail." fi - if [ "${PLATFORM_OS}" = "FreeBSD" ]; then + # Verify PLATFORM_OS inside jail + JAIL_PLATFORM_OS="$(${bastille_jailsdir}/${TARGET}/root/bin/freebsd-version)" + if echo "${JAIL_PLATFORM_OS}" | grep -q "HBSD"; then + JAIL_PLATFORM_OS="HardenedBSD" + else + JAIL_PLATFORM_OS="FreeBSD" + fi + + if [ "${JAIL_PLATFORM_OS}" = "FreeBSD" ]; then # Set OLD_RELEASE OLD_RELEASE="$(${bastille_jailsdir}/${TARGET}/root/bin/freebsd-version 2>/dev/null)" 
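Review bot: The new `JAIL_PLATFORM_OS="$(${bastille_jailsdir}/${TARGET}/root/bin/freebsd-version)"` in thick_jail_check runs a file from the jail's filesystem directly on the host, with the privileges of whoever runs `bastille upgrade`, so the host ends up trusting a script that root inside the jail can modify. update.sh obtains the same string through `jexec`, which keeps execution inside the jail: `JAIL_PLATFORM_OS="$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)"` (the check just above appears to require a running jail; confirm). The `OLD_RELEASE=` context lines in this function and the `UPGRADED_RELEASE=` line in jail_upgrade's HardenedBSD branch use the same host-side call. A failed or empty result is also classified as FreeBSD by the `else` branch. The function begins and ends outside the hunk.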
@@ -117,13 +125,13 @@ thick_jail_check() { NEW_MAJOR_VERSION=$(echo ${NEW_RELEASE} | grep -Eo '^[0-9]+') # Validate PKGBASE or non-PKGBASE - if echo "${NEW_RELEASE}" | grep -oq "\-CURRENT"; then - FREEBSD_BRANCH="current" - else - FREEBSD_BRANCH="release" - fi if pkg -r "${bastille_jailsdir}/${TARGET}/root" which /usr/bin/uname > /dev/null 2>&1; then PKGBASE=1 + if echo "${NEW_RELEASE}" | grep -oq "\-CURRENT"; then + FREEBSD_BRANCH="current" + else + FREEBSD_BRANCH="release" + fi fi # Check if jail is already running NEW_RELEASE @@ -132,7 +140,7 @@ thick_jail_check() { error_exit "See 'bastille update TARGET' to update the jail." fi - elif [ "${PLATFORM_OS}" = "HardenedBSD" ]; then + elif [ "${JAIL_PLATFORM_OS}" = "HardenedBSD" ]; then # Set VERSION OLD_RELEASE="$(${bastille_jailsdir}/${TARGET}/root/bin/freebsd-version 2>/dev/null)" @@ -160,7 +168,7 @@ thin_jail_check() { error_exit "Use [-a|--auto] to auto-stop the jail." fi - # Set VERSION + # Set OLD_RELEASE OLD_RELEASE="$(bastille config ${TARGET} get osrelease)" if [ -z "${OLD_RELEASE}" ]; then error_exit "[ERROR]: Can't determine '${TARGET}' version." 
@@ -243,31 +251,29 @@ jail_upgrade() { else - if [ "${PLATFORM_OS}" = "FreeBSD" ]; then + if [ "${JAIL_PLATFORM_OS}" = "FreeBSD" ]; then local jailpath="${bastille_jailsdir}/${TARGET}/root" local work_dir="${jailpath}/var/db/freebsd-update" local freebsd_update_conf="${jailpath}/etc/freebsd-update.conf" # Upgrade a thick jail - env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \ - --currently-running "${OLD_RELEASE}" \ - -j "${TARGET}" \ - -d "${work_dir}" \ - -f "${freebsd_update_conf}" \ - -r "${NEW_RELEASE}" upgrade + if env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \ + --currently-running "${OLD_RELEASE}" \ + -j "${TARGET}" \ + -d "${work_dir}" \ + -f "${freebsd_update_conf}" \ + -r "${NEW_RELEASE}" upgrade; then - UPGRADED_RELEASE="$(${bastille_jailsdir}/${TARGET}/root/bin/freebsd-version 2>/dev/null)" - if [ "${OLD_RELEASE}" = "${UPGRADED_RELEASE}" ]; then - info "\nNo upgrades available.\n" - else # Update "osrelease" inside jail.conf using 'bastille config' bastille config ${TARGET} set osrelease ${UPGRADED_RELEASE} >/dev/null 2>/dev/null - warn "Please run 'bastille upgrade ${TARGET} install', restart the jail, then run 'bastille upgrade ${TARGET} install' again to finish installing updates." - echo + info "\nUpgraded ${TARGET}: ${OLD_RELEASE} > ${NEW_RELEASE}" + warn "\nPlease run 'bastille upgrade ${TARGET} install', restart the jail, then run 'bastille upgrade ${TARGET} install' again to finish installing the upgrade.\n" + else + info "\nNo upgrades available.\n" fi - elif [ "${PLATFORM_OS}" = "HardenedBSD" ]; then + elif [ "${JAIL_PLATFORM_OS}" = "HardenedBSD" ]; then local jailname="${TARGET}" local jailpath="${bastille_jailsdir}/${TARGET}/root" 
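Review bot: The rewritten FreeBSD branch of jail_upgrade drops the `UPGRADED_RELEASE=` assignment but keeps `bastille config ${TARGET} set osrelease ${UPGRADED_RELEASE}`, so unless the variable is set elsewhere it expands to nothing and the command is called without a value, with its output and errors discarded. If the intent is to record the target, use `bastille config "${TARGET}" set osrelease "${NEW_RELEASE}" >/dev/null`, matching the `info` line that follows. The `else` branch also reports any non-zero exit of `freebsd-update` as "No upgrades available", which hides fetch or verification failures; `error_notify` with a failure message would be more accurate. The function starts outside the hunk.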
@@ -296,10 +302,10 @@ jail_upgrade() { -c "${hbsd_update_conf}" UPGRADED_RELEASE="$(${bastille_jailsdir}/${TARGET}/root/bin/freebsd-version 2>/dev/null)" - if [ "${OLD_RELEASE}" = "${UPGRADED_RELEASE}" ]; then - info "\nNo upgrades available.\n" - else + if [ "${OLD_RELEASE}" != "${UPGRADED_RELEASE}" ]; then info "\nUpgraded ${TARGET}: ${OLD_RELEASE} -> ${UPGRADED_RELEASE}\n" + else + info "\nNo upgrades available.\n" fi fi fi @@ -307,7 +313,7 @@ jail_upgrade() { jail_upgrade_pkgbase() { - if [ "${PLATFORM_OS}" = "FreeBSD" ]; then + if [ "${JAIL_PLATFORM_OS}" = "FreeBSD" ]; then local jailpath="${bastille_jailsdir}/${TARGET}/root" local abi="FreeBSD:${NEW_MAJOR_VERSION}:${HW_MACHINE_ARCH}" @@ -382,7 +388,7 @@ jail_upgrade_pkgbase() { jail_updates_install() { - if [ "${PLATFORM_OS}" = "FreeBSD" ]; then + if [ "${JAIL_PLATFORM_OS}" = "FreeBSD" ]; then local jailpath="${bastille_jailsdir}/${TARGET}/root" local work_dir="${jailpath}/var/db/freebsd-update" @@ -438,4 +444,4 @@ case ${NEW_RELEASE} in fi fi ;; -esac +esac \ No newline at end of file From 06f377c047d2c0139cc192042bd1bf3b92e06797 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 2 Dec 2025 15:46:44 -0700 Subject: [PATCH 10/10] conf: spacing and capitalization --- usr/local/etc/bastille/bastille.conf.sample | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index da2c1a1f..7daae546 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -2,7 +2,7 @@ ## [ BastilleBSD ] ## ##################### -## default paths +## Default paths bastille_prefix="/usr/local/bastille" ## default: "/usr/local/bastille" bastille_backupsdir="${bastille_prefix}/backups" ## default: "${bastille_prefix}/backups" bastille_cachedir="${bastille_prefix}/cache" ## default: "${bastille_prefix}/cache" 
@@ -14,10 +14,10 @@ bastille_logsdir="/var/log/bastille" ## default ## pf configuration path bastille_pf_conf="/etc/pf.conf" ## default: "/etc/pf.conf" -## bastille scripts directory (assumed by bastille pkg) +## Bastille commands directory (assumed by bastille pkg) bastille_sharedir="/usr/local/share/bastille" ## default: "/usr/local/share/bastille" -## bootstrap archives, which components of the OS to install. +## Bootstrap archives, which components of the OS to install. ## base - The base OS, kernel + userland ## lib32 - Libraries for compatibility with 32 bit binaries ## ports - The FreeBSD ports (3rd party applications) tree @@ -27,7 +27,7 @@ bastille_sharedir="/usr/local/share/bastille" ## default ## bastille_bootstrap_archives="base lib32 ports src test" bastille_bootstrap_archives="base" ## default: "base" -## pkgbase package sets (used for FreeBSD 15+) +## Pkgbase package sets ## Any set with [-dbg] can be installed with debugging ## symbols by adding '-dbg' to the package set ## base[-dbg] - Base system 
@@ -45,16 +45,16 @@ bastille_bootstrap_archives="base" ## default ## bastille_pkgbase_packages="base-jail lib32-dbg src" bastille_pkgbase_packages="base-jail" ## default: "base-jail" -## default timezone +## Default timezone bastille_tzdata="" ## default: empty to use host's time zone -## default jail resolv.conf +## Default jail resolv.conf bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf" -## bootstrap urls -bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" -bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" -bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/" +## Bootstrap URLs +bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" +bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" +bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/" ## ZFS options bastille_zfs_enable="NO" ## default: "NO"
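Review bot: In the re-aligned bootstrap URL block, `bastille_url_freebsd` still defaults to plain `http://` while the other two defaults use `https://`; unless the bootstrap code verifies the archives against independently obtained checksums (not visible here), the release sets are only as trustworthy as the network path. Since these lines are being touched anyway, consider switching the scheme to `https://` if the mirror serves it, in both the value and its `## default:` comment. The `## default:` comments for `bastille_url_hardenedbsd` and `bastille_url_midnightbsd` also name different URLs than the values beside them and should be brought into line.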