This commit is contained in:
2026-05-23 14:11:54 -06:00
parent c5b9309880
commit 2bc28a462d
3 changed files with 588 additions and 240 deletions
+175 -232
@@ -1,397 +1,340 @@
#!/bin/bash #!/usr/bin/env bash
# packages: 7zip, shred, secure-delete, cracklib-runtime, openssl, curl # packages: 7zip, shred, secure-delete, cracklib-runtime, openssl, curl
# set safety optinonz set -o errtrace
set -o errexit # fail on error set -o nounset
set -o errtrace # run trace on error set -o pipefail
set -o pipefail # fail on pipe fail IFS=$'\n\t'
set -o nounset # fail on unset var
# aset ya globals
unix_seconds=$(date +%s) unix_seconds=$(date +%s)
key_path="./private_ed25519_${unix_seconds}" key_path="./private_ed25519_${unix_seconds}"
signature_tag="file-integrity" signature_tag="file-integrity"
out_dir="./out" out_dir="./out"
inner_dir="$out_dir/contents" inner_dir="$out_dir/contents"
# save here to use in error_handle function RED='\033[31m'
GREEN='\033[32m'
RESET='\033[0m'
num_of_args="$#" num_of_args="$#"
all_args="$@" all_args="$@"
checkcode() { require_command() {
local retcode if ! command -v "$1" >/dev/null 2>&1; then
if [ -z "$1" ]; then echo "Missing required command: $1" >&2
echo -e "\n\e[31mERROR!\033[0m checkcode missing return code parameter\n"
exit 1 exit 1
else
retcode=$1
fi
if [ $retcode -ne 0 ]; then
echo -e "\e[31mERROR!\033[0m Response Code: $retcode"
else
printf ' \e[1;32mOK!\e[0m\n'
fi fi
} }
reset() { require_dependencies() {
printf "autoshredding these files..." local deps=(bash shred srm openssl curl ssh-keygen 7z sha512sum awk grep realpath)
find . \( -path "./.git" -o -path "./keystore" -o -path "./archives" \) -prune -o -type f \( -name "*.sha512" -o -name "checksums*" -o -name "private_*" -o -name ".*" -o -name "*.sig" -o -name "*.7z" -o -name "anonymous_signer" \) -print -exec shred -uz {} \; for dep in "${deps[@]}"; do
checkcode $? require_command "$dep"
done
}
if compgen -G "private_*"; then checkcode() {
printf "nuking errant priv key files..." local retcode="${1:-}"
shred -uz private_* if [[ -z "$retcode" ]]; then
checkcode $? echo -e "\n${RED}ERROR!${RESET} checkcode missing return code parameter\n" >&2
exit 1
fi fi
if compgen -G "attribution_passphrase_*" > /dev/null; then if [[ "$retcode" -ne 0 ]]; then
printf "nuking errant attribution passphrase files" echo -e "${RED}ERROR!${RESET} Response code: $retcode" >&2
shred -uz attribution_passphrase_* exit "$retcode"
checkcode $?
fi fi
printf ' %bOK!%b\n' "$GREEN" "$RESET"
}
echo "autoshredding out..." run_cmd() {
srm -r -z -l -l "$out_dir" > /dev/null 2>&1 "$@"
checkcode $? checkcode $?
}
echo "rebuilding out..." reset() {
printf "making out dir structure..." printf 'Autoshredding known artifacts...\n'
mkdir -p "$inner_dir" > /dev/null 2>&1 find . -maxdepth 1 -type f \( -name 'private_*' -o -name 'attribution_passphrase_*' -o -name '*.sha512' -o -name 'checksums*' -o -name '*.sig' -o -name '*.7z' -o -name 'anonymous_signer' \) -exec shred -uz {} +
checkcode $? checkcode $?
if compgen -G 'private_*' >/dev/null 2>&1; then
printf 'Shredding errant private key files...\n'
shred -uz private_* || true
fi
printf "updating $inner_dir/README.md..." if compgen -G 'attribution_passphrase_*' >/dev/null 2>&1; then
echo "put files to verifiably archive in here" > "$inner_dir/README.md" printf 'Shredding errant attribution passphrase files...\n'
checkcode $? shred -uz attribution_passphrase_* || true
fi
printf "updating $out_dir/README.md..." printf 'Removing previous output directory...\n'
echo "# todo: make this nice" > "$out_dir/README.md" rm -rf "$out_dir"
checkcode $? checkcode $?
printf "making $out_dir/test_validate_passphrase.sh..." printf 'Rebuilding output directory structure...\n'
cp test_validate_passphrase.txt "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1 mkdir -p "$inner_dir"
checkcode $? checkcode $?
printf "making $out_dir/test_validate_passphrase.sh executable..." printf 'Writing placeholder README files...\n'
chmod +x "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1 echo 'put files to verifiably archive in here' > "$inner_dir/README.md"
checkcode $? checkcode $?
echo '# todo: make this nice' > "$out_dir/README.md"
printf "making $out_dir/verify-everything.sh..."
cp verify-everything.txt "$out_dir"/verify-everything.sh > /dev/null 2>&1
checkcode $? checkcode $?
printf "making $out_dir/verify-everything.sh executable..." printf 'Copying verification helpers...\n'
chmod +x "$out_dir/verify-everything.sh" > /dev/null 2>&1 cp test_validate_passphrase.txt "$out_dir/test_validate_passphrase.sh"
checkcode $? checkcode $?
chmod +x "$out_dir/test_validate_passphrase.sh"
housekeeping_dirs=("archives" "keystore")
for dir in "${housekeeping_dirs[@]}"; do
printf "changing ownership of $dir to ${USER}..."
chown $USER:$USER -R "$dir" > /dev/null 2>&1
checkcode $? checkcode $?
cp verify-everything.txt "$out_dir/verify-everything.sh"
printf "changing permissions on $dir to 700..."
chmod 700 "$dir" > /dev/null 2>&1
checkcode $? checkcode $?
chmod +x "$out_dir/verify-everything.sh"
printf "finding and shredding erroneous dirs in ${dir}..."
find "$dir" -mindepth 1 -type d -exec srm -r -z -l -l "{}" \; > /dev/null 2>&1
checkcode $? checkcode $?
printf "finding and shredding erroneous files in ${dir}..." local housekeeping_dirs=(archives keystore)
find "$dir" -type f \( -name "private_ed25519_*" -o -name "attribution_passphrase_*" \) -exec shred -uz "{}" \; > /dev/null 2>&1 for dir in "${housekeeping_dirs[@]}"; do
if [[ -d "$dir" ]]; then
printf 'Hardening %s...\n' "$dir"
chmod 700 "$dir"
checkcode $? checkcode $?
printf "changing perms of files in $dir to 600..." find "$dir" -mindepth 1 -type d -exec srm -r -z -l '{}' + >/dev/null 2>&1 || true
find "$dir" -type f -exec chmod 600 "{}" \; > /dev/null 2>&1 find "$dir" -type f \( -name 'private_ed25519_*' -o -name 'attribution_passphrase_*' \) -exec shred -uz '{}' + >/dev/null 2>&1 || true
find "$dir" -type f -exec chmod 600 '{}' +
checkcode $? checkcode $?
fi
done done
} }
# some heinously vibe coded shit pls forgiv
audit_passphrase() { audit_passphrase() {
local raw_password="$1" local raw_password="${1:-}"
local check_password="$2" local check_password="${2:-}"
if [[ -z "$raw_password" ]]; then if [[ -z "$raw_password" ]]; then
echo "[ERROR] No passphrase provided for validation." >&2 echo '[ERROR] No passphrase provided for validation.' >&2
exit 2 exit 2
fi fi
if [[ -z "$check_password" ]]; then if [[ -z "$check_password" ]]; then
echo "[ERROR] No check passphrase provided for validation." >&2 echo '[ERROR] No check passphrase provided for validation.' >&2
exit 2 exit 2
fi fi
if [[ "$raw_password" != "$check_password" ]]; then if [[ "$raw_password" != "$check_password" ]]; then
echo "[ERROR] Passphrases do not match!" >&2 echo '[ERROR] Passphrases do not match!' >&2
exit 2 exit 2
fi fi
unset check_password unset check_password
# -------------------------------------------------------------------------- local pass_len=${#raw_password}
# GATE 1: Minimum Length Verification (35+ Characters) if [[ "$pass_len" -lt 35 ]]; then
# --------------------------------------------------------------------------
local pass_len="${#raw_password}"
if [ "$pass_len" -lt 35 ]; then
echo "❌ REJECTED: Passphrase is too short ($pass_len characters). Minimum length required is 35." echo "❌ REJECTED: Passphrase is too short ($pass_len characters). Minimum length required is 35."
exit 1 exit 1
fi fi
echo "[PASS] Length verification satisfied ($pass_len characters)." echo "[PASS] Length verification satisfied ($pass_len characters)."
# -------------------------------------------------------------------------- if command -v cracklib-check >/dev/null 2>&1; then
# GATE 2: Local Dictionary Check (cracklib-check) if ! printf '%s' "$raw_password" | cracklib-check | grep -q 'OK$'; then
# -------------------------------------------------------------------------- echo '❌ REJECTED by cracklib-check.'
# cracklib-check reads from stdin and outputs 'password: status'
# If secure, the status string reads "OK"
if ! command -v cracklib-check &> /dev/null; then
echo "[ERROR] cracklib-check binary not found. Skipping dictionary audit." >&2
exit 1 exit 1
fi
echo '[PASS] Local dictionary and structural complexity audit clear.'
else else
local cracklib_result echo '[WARN] cracklib-check not found; skipping local dictionary audit.' >&2
cracklib_result="$(echo -n 'it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' | cracklib-check | grep -q 'OK'; echo $?)"
if [[ "$cracklib_result" != "0" ]]; then
echo "❌ REJECTED by cracklib-check: $cracklib_result"
exit 1
fi
echo "[PASS] Local dictionary and structural complexity audit clear."
fi fi
# -------------------------------------------------------------------------- local full_hash prefix suffix response
# GATE 3: Remote Anonymized Leak Check (HIBP API via k-Anonymity) full_hash=$(printf '%s' "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}')
# -------------------------------------------------------------------------- prefix=${full_hash:0:5}
local full_hash suffix=${full_hash:5}
full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}')
local prefix="${full_hash:0:5}" if ! response=$(curl -fsS -A 'Bash-Passphrase-Audit-Script' "https://api.pwnedpasswords.com/range/$prefix"); then
local suffix="${full_hash:5}" echo -e "${RED}[FATAL]${RESET} Failed to communicate with HIBP API." >&2
local raw_password='it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' && api_url="https://api.pwnedpasswords.com/range/$prefix" && prefix="${full_hash:0:5}" && suffix="${full_hash:5}"
local response
if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then
echo "[FATAL] Failed to communicate with HIBP API." >&2
exit 3 exit 3
fi fi
local match if printf '%s\n' "$response" | grep -qi "^$suffix:"; then
match=$(echo "$response" | grep -i "^$suffix:") echo -e "${RED}[FATAL]${RESET} Passphrase has been leaked!" >&2
if [[ -n "$match" ]]; then
local pwn_count
pwn_count=$(echo "$match" | cut -d':' -f2 | tr -d $'\r')
echo "❌ VULNERABLE: This passphrase has appeared in $pwn_count known public breaches."
exit 1 exit 1
else
echo "✅ SUCCESS: Passphrase meets all local criteria and was not found in HIBP records."
return 0
fi fi
echo -e "not leaked! (via hibp)... ${GREEN}OK${RESET}"
} }
exit_cleanup() {
printf "antiforensics: cleaning up"
reset > /dev/null 2>&1
checkcode $?
# for var in $(compgen -v); do
# printf "unsetting $var"
# sudo unset "$var" 2>/dev/null
# checkcode $?
# done
}
# Define the cleanup function
error_handle() { error_handle() {
# CRITICAL: Capture the exit status code before ANY other command runs
local exit_code=$? local exit_code=$?
local script_path="$(realpath $0)" local script_path
if command -v realpath >/dev/null 2>&1; then
script_path=$(realpath "$0")
else
script_path="$PWD/$0"
fi
local hr='====================================================' local hr='===================================================='
echo echo
echo $hr echo "$hr"
echo -e "🚨 \033[0;31m FATAL ERROR DETECTED \033[0m" echo -e "🚨 ${RED}FATAL ERROR DETECTED${RESET}"
echo $hr echo "$hr"
echo "-> Script : $0" echo "-> Script : $0"
echo "-> Num Script Args : $num_of_args" echo "-> Num Script Args : $num_of_args"
echo "-> Script Args : $all_args" echo "-> Script Args : $all_args"
echo "-> Shell : $SHELL" echo "-> Shell : ${SHELL:-unknown}"
echo "-> Script Path : $script_path" echo "-> Script Path : $script_path"
echo "-> Script (full) : $SHELL $script_path $all_args" echo "-> Script (full) : $SHELL $script_path $all_args"
echo "-> User : $USER" echo "-> User : ${USER:-unknown}"
echo "-> Working Directory : $PWD" echo "-> Working Directory : $PWD"
echo "-> Failed Command : $BASH_COMMAND" echo "-> Failed Command : $BASH_COMMAND"
echo "-> Line Number : $LINENO" echo "-> Line Number : $LINENO"
echo "-> Exit Status : $exit_code" echo "-> Exit Status : $exit_code"
echo "-> Seconds Elapsed : $SECONDS" echo "-> Seconds Elapsed : $SECONDS"
echo "-> Date Failed : $(date)" echo "-> Date Failed : $(date)"
# Generate a professional, clean stack traceback echo '-> Stack Trace'
echo "-> Stack Trace"
printf "\t" # to intent da stack trace
local frame=0 local frame=0
# Loop backwards through the function execution stack array while caller "$frame"; do
while caller $frame; do
printf "\t" # to indenet da stack trace
frame=$((frame + 1)) frame=$((frame + 1))
done done
# closing niceties
echo echo
echo $hr echo "$hr"
echo echo
# exit with last failcode
exit "$exit_code" exit "$exit_code"
} }
# clean da fuck up on exit
trap exit_cleanup EXIT
# handleerrorz
trap error_handle ERR trap error_handle ERR
audit_passphrase "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3" "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3" require_dependencies
printf 'Setting up environment...\n'
# and clean da fuck up on start
printf "setting up environment..."
reset reset
# wait for keypress printf '\n\n'
echo
echo
read -n 1 -s -r -p "In another terminal/window, fill $inner_dir with whatever you please then press any key to continue..." read -n 1 -s -r -p "In another terminal/window, fill $inner_dir with whatever you please then press any key to continue..."
printf '\n'
printf "ssh-keygen: makin new key: ${key_path}..." printf 'ssh-keygen: creating new key: %s...\n' "$key_path"
ssh-keygen -t ed25519 -f "$key_path" -C "anonymous" -N "" > /dev/null 2>&1 ssh-keygen -t ed25519 -f "$key_path" -C 'anonymous' -N '' >/dev/null 2>&1
checkcode $? checkcode $?
printf "ssh-keygen: changing ownership on $key_path and $key_path.pub..." printf 'ssh-keygen: fixing permissions on %s and %s...\n' "$key_path" "${key_path}.pub"
chown $USER:$USER "$key_path" "$key_path.pub" > /dev/null 2>&1 chmod 600 "$key_path" "${key_path}.pub"
checkcode $? checkcode $?
printf "ssh-keygen: fixing perms on $key_path and $key_path.pub..." printf 'ssh-keygen: creating %s/anonymous_signer...\n' "$out_dir"
chmod 600 "$key_path" "$key_path.pub" > /dev/null 2>&1
checkcode $?
printf "ssh-keygen: creating $out_dir/anonymous_signer..."
echo "anonymous namespaces=\"$signature_tag\" $(cat "${key_path}.pub")" > "$out_dir/anonymous_signer" echo "anonymous namespaces=\"$signature_tag\" $(cat "${key_path}.pub")" > "$out_dir/anonymous_signer"
checkcode $? checkcode $?
echo "inject random data y/n (default n)" printf 'Inject random data? (y/N): '
read random read -r random
#why dafuck is this opposite world? if [[ -z "$random" || "$random" =~ ^[nN]$ ]]; then
if [[ "$random" == "" || "$random" =~ ^[nN]{1}$ ]]; then echo -e "No random data added. ${GREEN}OK!${RESET}\n"
echo -e 'no random... \e[1;32mOK!\e[0m\n'
else else
printf "random: adding 1/2 random blocks of data (1024 bits, 128 bytes) to outer archive..." printf 'random: adding 1/2 random blocks of data (128 bytes) to outer archive...\n'
openssl rand -out "$out_dir/.$RANDOM" 128 > /dev/null 2>&1 openssl rand -out "$out_dir/.$RANDOM" 128 >/dev/null 2>&1
checkcode $? checkcode $?
printf "random: adding 2/2 random blocks of data (1024 bits, 128 bytes) to inner archive..." printf 'random: adding 2/2 random blocks of data (128 bytes) to inner archive...\n'
openssl rand -out "$inner_dir/.$RANDOM" 128 > /dev/null 2>&1 openssl rand -out "$inner_dir/.$RANDOM" 128 >/dev/null 2>&1
checkcode $? checkcode $?
fi fi
printf "7z: compressing inner volume..." printf '7z: compressing inner volume...\n'
7z a "$out_dir/contents.7z" "$inner_dir" > /dev/null 2>&1 7z a "$out_dir/contents.7z" "$inner_dir" >/dev/null 2>&1
checkcode $? checkcode $?
printf "deleting ${inner_dir}..." printf 'Deleting %s...\n' "$inner_dir"
rm -rf "$inner_dir" > /dev/null 2>&1 rm -rf "$inner_dir"
checkcode $? checkcode $?
printf "ssh: signing out/contents.7z..." printf 'ssh: signing %s...\n' "$out_dir/contents.7z"
ssh-keygen -Y sign -f "$key_path" -n "$signature_tag" "$out_dir/contents.7z" > /dev/null 2>&1 ssh-keygen -Y sign -f "$key_path" -n "$signature_tag" "$out_dir/contents.7z" >/dev/null 2>&1
checkcode $? checkcode $?
printf "changing directory to ${out_dir}..." printf 'Changing directory to %s...\n' "$out_dir"
cd "$out_dir" > /dev/null 2>&1 cd "$out_dir"
checkcode $? checkcode $?
printf "sha512: generating sha512 checksums of files in out..." printf 'sha512: generating checksums...\n'
sha512sum * > "checksums.sha512" sha512sum * > checksums.sha512
checkcode $? checkcode $?
printf "changing directory back..." printf 'Changing directory back...\n'
cd .. > /dev/null 2>&1 cd ..
checkcode $? checkcode $?
echo printf 'Enter attribution passphrase:\n'
echo "Enter attribution passphrase:"
read -r -s attribution_passphrase read -r -s attribution_passphrase
echo printf '\nEnter attribution passphrase again:\n'
echo "Enter attribution passphrase again:"
read -r -s attribution_passphrase_check read -r -s attribution_passphrase_check
echo printf '\n'
printf "auditing attribution passphrase" printf 'Auditing attribution passphrase...\n'
ret=$(audit_passphrase "$attribution_passphrase" "$attribution_passphrase_check") ret=$(audit_passphrase "$attribution_passphrase" "$attribution_passphrase_check")
echo $ret echo "$ret"
printf "unsetting attribution_passphrase_check" printf 'Unsetting attribution_passphrase_check...\n'
unset attribution_passphrase_check > /dev/null 2>&1 unset attribution_passphrase_check
checkcode $?
printf "calculating attribution passphrase and hash, then placing it" printf 'Calculating attribution checksum...\n'
{ {
printf "$attribution_passphrase" printf '%s' "$attribution_passphrase"
cat "$out_dir/contents.7z" cat "$out_dir/contents.7z"
} | sha512sum | awk '{print $1}' > "$out_dir/attribution-checksum.sha512" } | sha512sum | awk '{print $1}' > "$out_dir/attribution-checksum.sha512"
checkcode $? checkcode $?
printf "sanity checking: changing working directory to ${out_dir}..." printf 'Sanity checking: changing working directory to %s...\n' "$out_dir"
cd "$out_dir" > /dev/null 2>&1 cd "$out_dir"
checkcode $? checkcode $?
printf "sanity checking: verification..." printf 'Sanity checking: verification...\n'
bash verify-everything.sh "$attribution_passphrase" bash verify-everything.sh "$attribution_passphrase"
checkcode $? checkcode $?
printf "sanity checking: validate attribution passphrase..." printf 'Sanity checking: validate attribution passphrase...\n'
bash test_validate_passphrase.sh "$attribution_passphrase" bash test_validate_passphrase.sh "$attribution_passphrase"
checkcode $? checkcode $?
printf "sanity checking: returning..." printf 'Returning to project root...\n'
cd .. cd ..
checkcode $? checkcode $?
printf "unsetting attribution_passphrase" printf 'Unsetting attribution_passphrase...\n'
unset attribution_passphrase > /dev/null 2>&1 unset attribution_passphrase
printf '7z archiving outer dir...\n'
7z a ./out.7z "$out_dir" >/dev/null 2>&1
checkcode $? checkcode $?
printf "7z archiving outer dir..." printf 'Moving out.7z to archives...\n'
7z a "./out.7z" "$out_dir" > /dev/null 2>&1 mv out.7z "archives/verifiable_archive_${unix_seconds}.7z"
checkcode $? checkcode $?
printf "moving out.7z to archives..." printf 'Enter keystore passphrase:\n'
mv out.7z "archives/verifiable_archive_${unix_seconds}.7z" > /dev/null 2>&1
checkcode $?
echo
echo "input keystore passphrase:"
read -r -s keystore_passphrase read -r -s keystore_passphrase
echo printf '\nEnter keystore passphrase again:\n'
echo "input keystore passphrase (again):"
read -r -s keystore_passphrase_check read -r -s keystore_passphrase_check
echo printf '\n'
printf "auditing keystore passphrase..." printf 'Auditing keystore passphrase...\n'
ret=$(audit_passphrase "$keystore_passphrase" "$keystore_passphrase_check") ret=$(audit_passphrase "$keystore_passphrase" "$keystore_passphrase_check")
echo -e "$ret" echo "$ret"
printf "unsetting keystore passphrase check" printf 'Unsetting keystore_passphrase_check...\n'
unset keystore_passphrase_check > /dev/null 2>&1 unset keystore_passphrase_check
printf 'Archiving keys...\n'
set +u
shopt -s nullglob
private_files=(private_*)
passphrase_files=(attribution_passphrase_*)
shopt -u nullglob
set -u
if [[ ${#private_files[@]} -eq 0 && ${#passphrase_files[@]} -eq 0 ]]; then
echo 'No key or attribution passphrase files found to archive.' >&2
exit 1
fi
7z a "keystore/keystore_${unix_seconds}.7z" "${private_files[@]}" "${passphrase_files[@]}" -p"$keystore_passphrase" -mhe=on >/dev/null 2>&1
checkcode $? checkcode $?
printf "archiving keys..." printf 'Testing key archive...\n'
7z a "keystore/keystore_${unix_seconds}.7z" "private_*" "attribution_passphrase_*" -p"$keystore_passphrase" -mhe=on > /dev/null 2>&1 7z t "keystore/keystore_${unix_seconds}.7z" -p"$keystore_passphrase" >/dev/null 2>&1
checkcode $? checkcode $?
printf "testing key archive..."
7z t "keystore/keystore_${unix_seconds}.7z" -p"$keystore_passphrase" > /dev/null 2>&1
checkcode $?
printf "unsetting keystore passphrase..."
unset keystore_passphrase > /dev/null 2>&1
checkcode $?
echo -e "\033[0;32mdone :3\033[0m"
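Review bot: The new side drops `exit_cleanup` and its `trap exit_cleanup EXIT` without a replacement, yet it still generates the signing key with `-N ''`, so after `7z t` succeeds the unencrypted `private_ed25519_<ts>` and its `.pub` remain in the working directory until a later run's `reset` happens to shred them, and on a failure before the keystore step they are left behind as well. After the keystore test passes, shred the plaintext copies that now exist only in the encrypted archive, e.g. `shred -uz -- "${private_files[@]}" "${passphrase_files[@]}"` followed by `checkcode $?`, and consider restoring an EXIT trap for the error path. Two smaller points in the same hunk: `rm -rf "$out_dir"` replaces the previous `srm` run even though `srm` is still listed in `require_dependencies` and the directory holds `contents.7z`, so if overwriting was intended it should stay `srm -r -z -l "$out_dir"`; and the `set +u`/`set -u` pair around the array assignments guards the wrong statement — under `nounset`, bash older than 4.4 fails on the expansion `"${passphrase_files[@]}"` in the `7z a` line whenever no `attribution_passphrase_*` file exists, which nothing in this script creates.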
+405
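--- /dev/null
+++ b/(unknown)
@@ -0,0 +1,405 @@
+#!/bin/bash
+# packages: 7zip, shred, secure-delete, cracklib-runtime, openssl, curl
+# set safety optinonz
+set -o errexit # fail on error
+set -o errtrace # run trace on error
+set -o pipefail # fail on pipe fail
+set -o nounset # fail on unset var
+# aset ya globals
+unix_seconds=$(date +%s)
+key_path="./private_ed25519_${unix_seconds}"
+signature_tag="file-integrity"
+out_dir="./out"
+inner_dir="$out_dir/contents"
+# COLORZ
+RED='\e[31m'
+GREEN='\e[32m'
+RESET='\e[0m'
+# save here to use in error_handle function
+num_of_args="$#"
+all_args="$@"
+checkcode() {
+local retcode
+if [ -z "$1" ]; then
+echo -e "\n\e[31mERROR!\033[0m checkcode missing return code parameter\n"
+exit 1
+else
+retcode=$1
+fi
+if [ $retcode -ne 0 ]; then
+echo -e "\e[31mERROR!\033[0m Response Code: $retcode"
+else
+printf ' \e[1;32mOK!\e[0m\n'
+fi
+}
+reset() {
+printf "autoshredding these files..."
+find . \( -path "./.git" -o -path "./keystore" -o -path "./archives" \) -prune -o -type f \( -name "*.sha512" -o -name "checksums*" -o -name "private_*" -o -name ".*" -o -name "*.sig" -o -name "*.7z" -o -name "anonymous_signer" \) -print -exec shred -uz {} \;
+checkcode $?
+if compgen -G "private_*"; then
+printf "nuking errant priv key files..."
+shred -uz private_*
+checkcode $?
+fi
+if compgen -G "attribution_passphrase_*" > /dev/null; then
+printf "nuking errant attribution passphrase files"
+shred -uz attribution_passphrase_*
+checkcode $?
+fi
+echo "autoshredding out..."
+srm -r -z -l -l "$out_dir" > /dev/null 2>&1
+checkcode $?
+echo "rebuilding out..."
+printf "making out dir structure..."
+mkdir -p "$inner_dir" > /dev/null 2>&1
+checkcode $?
+printf "updating $inner_dir/README.md..."
+echo "put files to verifiably archive in here" > "$inner_dir/README.md"
+checkcode $?
+printf "updating $out_dir/README.md..."
+echo "# todo: make this nice" > "$out_dir/README.md"
+checkcode $?
+printf "making $out_dir/test_validate_passphrase.sh..."
+cp test_validate_passphrase.txt "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1
+checkcode $?
+printf "making $out_dir/test_validate_passphrase.sh executable..."
+chmod +x "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1
+checkcode $?
+printf "making $out_dir/verify-everything.sh..."
+cp verify-everything.txt "$out_dir"/verify-everything.sh > /dev/null 2>&1
+checkcode $?
+printf "making $out_dir/verify-everything.sh executable..."
+chmod +x "$out_dir/verify-everything.sh" > /dev/null 2>&1
+checkcode $?
+housekeeping_dirs=("archives" "keystore")
+for dir in "${housekeeping_dirs[@]}"; do
+printf "changing ownership of $dir to ${USER}..."
+chown $USER:$USER -R "$dir" > /dev/null 2>&1
+checkcode $?
+printf "changing permissions on $dir to 700..."
+chmod 700 "$dir" > /dev/null 2>&1
+checkcode $?
+printf "finding and shredding erroneous dirs in ${dir}..."
+find "$dir" -mindepth 1 -type d -exec srm -r -z -l -l "{}" \; > /dev/null 2>&1
+checkcode $?
+printf "finding and shredding erroneous files in ${dir}..."
+find "$dir" -type f \( -name "private_ed25519_*" -o -name "attribution_passphrase_*" \) -exec shred -uz "{}" \; > /dev/null 2>&1
+checkcode $?
+printf "changing perms of files in $dir to 600..."
+find "$dir" -type f -exec chmod 600 "{}" \; > /dev/null 2>&1
+checkcode $?
+done
+}
+# some heinously vibe coded shit pls forgiv
+audit_passphrase() {
+local raw_password="$1"
+local check_password="$2"
+if [[ -z "$raw_password" ]]; then
+echo "[ERROR] No passphrase provided for validation." >&2
+exit 2
+fi
+if [[ -z "$check_password" ]]; then
+echo "[ERROR] No check passphrase provided for validation." >&2
+exit 2
+fi
+if [[ "$raw_password" != "$check_password" ]]; then
+echo "[ERROR] Passphrases do not match!" >&2
+exit 2
+fi
+unset check_password
+# --------------------------------------------------------------------------
+# GATE 1: Minimum Length Verification (35+ Characters)
+# --------------------------------------------------------------------------
+local pass_len="${#raw_password}"
+if [ "$pass_len" -lt 35 ]; then
+echo "❌ REJECTED: Passphrase is too short ($pass_len characters). Minimum length required is 35."
+exit 1
+fi
+echo "[PASS] Length verification satisfied ($pass_len characters)."
+# --------------------------------------------------------------------------
+# GATE 2: Local Dictionary Check (cracklib-check)
+# --------------------------------------------------------------------------
+# cracklib-check reads from stdin and outputs 'password: status'
+# If secure, the status string reads "OK"
+if ! command -v cracklib-check &> /dev/null; then
+echo "[ERROR] cracklib-check binary not found. Skipping dictionary audit." >&2
+exit 1
+else
+local cracklib_result
+cracklib_result="$(echo -n 'it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' | cracklib-check | grep -q 'OK'; echo $?)"
+if [[ "$cracklib_result" != "0" ]]; then
+echo "❌ REJECTED by cracklib-check: $cracklib_result"
+exit 1
+fi
+echo "[PASS] Local dictionary and structural complexity audit clear."
+fi
+# --------------------------------------------------------------------------
+# GATE 3: Remote Anonymized Leak Check (HIBP API via k-Anonymity)
+# --------------------------------------------------------------------------
+local full_hash
+full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}')
+local prefix="${full_hash:0:5}"
+local suffix="${full_hash:5}"
+local raw_password='it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3' && api_url="https://api.pwnedpasswords.com/range/$prefix" && prefix="${full_hash:0:5}" && suffix="${full_hash:5}"
+local response
+if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then
+echo -e "${RED}[FATAL]${RESET} Failed to communicate with HIBP API." >&2
+exit 3
+fi
+full_hash=$(echo -n "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}')
+prefix="${full_hash:0:5}"
+suffix="${full_hash:5}"
+api_url="https://api.pwnedpasswords.com/range/$prefix"
+if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"); then
+echo -e "${RED}[FATAL]${RESET} Failed to communicate with HIBP API." >&2
+exit 3
+fi
+if $(echo -e "$response" | grep -q -i "^$suffix"); then
+echo "${RED}[FATAL]${RESET} Passphrase has been leaked!" >2&
+exit 1
+else
+echo -e "not leaked! (via hibp)... ${GREEN}OK${RESET}"
+fi
+}
+exit_cleanup() {
+printf "antiforensics: cleaning up"
+reset > /dev/null 2>&1
+checkcode $?
+# for var in $(compgen -v); do
+# printf "unsetting $var"
+# sudo unset "$var" 2>/dev/null
+# checkcode $?
+# done
+}
+# Define the cleanup function
+error_handle() {
+# CRITICAL: Capture the exit status code before ANY other command runs
+local exit_code=$?
+local script_path="$(realpath $0)"
+local hr='===================================================='
+echo
+echo $hr
+echo -e "🚨 \033[0;31m FATAL ERROR DETECTED \033[0m"
+echo $hr
+echo "-> Script : $0"
+echo "-> Num Script Args : $num_of_args"
+echo "-> Script Args : $all_args"
+echo "-> Shell : $SHELL"
+echo "-> Script Path : $script_path"
+echo "-> Script (full) : $SHELL $script_path $all_args"
+echo "-> User : $USER"
+echo "-> Working Directory : $PWD"
+echo "-> Failed Command : $BASH_COMMAND"
+echo "-> Line Number : $LINENO"
+echo "-> Exit Status : $exit_code"
+echo "-> Seconds Elapsed : $SECONDS"
+echo "-> Date Failed : $(date)"
+# Generate a professional, clean stack traceback
+echo "-> Stack Trace"
+printf "\t" # to intent da stack trace
+local frame=0
+# Loop backwards through the function execution stack array
+while caller $frame; do
+printf "\t" # to indenet da stack trace
+frame=$((frame + 1))
+done
+# closing niceties
+echo
+echo $hr
+echo
+# exit with last failcode
+exit "$exit_code"
+}
+# clean da fuck up on exit
+trap exit_cleanup EXIT
+# handleerrorz
+trap error_handle ERR
+audit_passphrase "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3" "it was always you who i despised, redd fPGuXrWrP9WBWbW1xhSTwgBD :3"
+# and clean da fuck up on start
+printf "setting up environment..."
+reset
+# wait for keypress
+echo
+echo
+read -n 1 -s -r -p "In another terminal/window, fill $inner_dir with whatever you please then press any key to continue..."
+printf "ssh-keygen: makin new key: ${key_path}..."
+ssh-keygen -t ed25519 -f "$key_path" -C "anonymous" -N "" > /dev/null 2>&1
+checkcode $?
+printf "ssh-keygen: changing ownership on $key_path and $key_path.pub..."
+chown $USER:$USER "$key_path" "$key_path.pub" > /dev/null 2>&1
+checkcode $?
+printf "ssh-keygen: fixing perms on $key_path and $key_path.pub..."
+chmod 600 "$key_path" "$key_path.pub" > /dev/null 2>&1
+checkcode $?
+printf "ssh-keygen: creating $out_dir/anonymous_signer..."
+echo "anonymous namespaces=\"$signature_tag\" $(cat "${key_path}.pub")" > "$out_dir/anonymous_signer"
+checkcode $?
+echo "inject random data y/n (default n)"
+read random
+#why dafuck is this opposite world?
+if [[ "$random" == "" || "$random" =~ ^[nN]{1}$ ]]; then
+echo -e 'no random... \e[1;32mOK!\e[0m\n'
+else
+printf "random: adding 1/2 random blocks of data (1024 bits, 128 bytes) to outer archive..."
+openssl rand -out "$out_dir/.$RANDOM" 128 > /dev/null 2>&1
+checkcode $?
+printf "random: adding 2/2 random blocks of data (1024 bits, 128 bytes) to inner archive..."
+openssl rand -out "$inner_dir/.$RANDOM" 128 > /dev/null 2>&1
+checkcode $?
+fi
+printf "7z: compressing inner volume..."
+7z a "$out_dir/contents.7z" "$inner_dir" > /dev/null 2>&1
+checkcode $?
+printf "deleting ${inner_dir}..."
+rm -rf "$inner_dir" > /dev/null 2>&1
+checkcode $?
+printf "ssh: signing out/contents.7z..."
+ssh-keygen -Y sign -f "$key_path" -n "$signature_tag" "$out_dir/contents.7z" > /dev/null 2>&1
+checkcode $?
+printf "changing directory to ${out_dir}..."
+cd "$out_dir" > /dev/null 2>&1
+checkcode $?
+printf "sha512: generating sha512 checksums of files in out..."
+sha512sum * > "checksums.sha512"
+checkcode $?
+printf "changing directory back..."
+cd .. > /dev/null 2>&1
+checkcode $?
+echo
+echo "Enter attribution passphrase:"
+read -r -s attribution_passphrase
+echo
+echo "Enter attribution passphrase again:"
+read -r -s attribution_passphrase_check
+echo
+printf "auditing attribution passphrase"
+ret=$(audit_passphrase "$attribution_passphrase" "$attribution_passphrase_check")
+echo $ret
+printf "unsetting attribution_passphrase_check"
+unset attribution_passphrase_check > /dev/null 2>&1
+checkcode $?
+printf "calculating attribution passphrase and hash, then placing it"
+{
+printf "$attribution_passphrase"
+cat "$out_dir/contents.7z"
+} | sha512sum | awk '{print $1}' > "$out_dir/attribution-checksum.sha512"
+checkcode $?
+printf "sanity checking: changing working directory to ${out_dir}..."
+cd "$out_dir" > /dev/null 2>&1
+checkcode $?
+printf "sanity checking: verification..."
+bash verify-everything.sh "$attribution_passphrase"
+checkcode $?
+printf "sanity checking: validate attribution passphrase..."
+bash test_validate_passphrase.sh "$attribution_passphrase"
+checkcode $?
+printf "sanity checking: returning..."
+cd ..
+checkcode $?
+printf "unsetting attribution_passphrase"
+unset attribution_passphrase > /dev/null 2>&1
+checkcode $?
+printf "7z archiving outer dir..."
+7z a "./out.7z" "$out_dir" > /dev/null 2>&1
+checkcode $?
+printf "moving out.7z to archives..."
+mv out.7z "archives/verifiable_archive_${unix_seconds}.7z" > /dev/null 2>&1
+checkcode $?
+echo
+echo "input keystore passphrase:"
+read -r -s keystore_passphrase
+echo
+echo "input keystore passphrase (again):"
+read -r -s keystore_passphrase_check
+echo
+printf "auditing keystore passphrase..."
+ret=$(audit_passphrase "$keystore_passphrase" "$keystore_passphrase_check")
+echo -e "$ret"
+printf "unsetting keystore passphrase check"
+unset keystore_passphrase_check > /dev/null 2>&1
+checkcode $?
+printf "archiving keys..."
+7z a "keystore/keystore_${unix_seconds}.7z" "private_*" "attribution_passphrase_*" -p"$keystore_passphrase" -mhe=on > /dev/null 2>&1
+checkcode $?
+printf "testing key archive..."
+7z t "keystore/keystore_${unix_seconds}.7z" -p"$keystore_passphrase" > /dev/null 2>&1
+checkcode $?
+printf "unsetting keystore passphrase..."
+unset keystore_passphrase > /dev/null 2>&1
+checkcode $?
+echo -e "\033[0;32mdone :3\033[0m"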
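Review bot: In this copy `audit_passphrase` never audits its argument: the cracklib gate pipes the hard-coded literal `'it was always you who i despised, …'` into `cracklib-check`, and the later `local raw_password='it was always you …' && api_url=…` line re-declares the variable so the hash recomputed below it and the HIBP lookup are for that literal as well — only the 35-character length gate sees the caller's passphrase, so any sufficiently long input passes. Delete that `local raw_password=…` line and the duplicated recompute/curl block after it, and feed the real input to cracklib with `printf '%s' "$raw_password" | cracklib-check | grep -q 'OK$'`. In the same function, `echo "${RED}[FATAL]${RESET} Passphrase has been leaked!" >2&` redirects stdout to a file literally named `2` in the working directory and backgrounds the `echo`; it should be `>&2`. If this file is being committed as a pre-refactor copy, note it also retains the top-level `audit_passphrase "it was always you …" "…"` self-test, which sends a live HIBP range request on every run.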
+2 -2
@@ -9,7 +9,7 @@ if ! response=$(curl -s -H "User-Agent: Bash-Passphrase-Audit-Script" "$api_url"
fi fi
if $(echo -e "$response" | grep -q -i "^$suffix"); then if $(echo -e "$response" | grep -q -i "^$suffix"); then
echo "match!" exit 1
else else
echo "no match" echo -e "no match"
fi fi
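Review bot: `if $(echo -e "$response" | grep -q -i "^$suffix"); then` only works because bash substitutes the status of the last command substitution when the expansion yields no command; it reads as a mistake, ShellCheck flags it (SC2091), and `echo -e` needlessly reinterprets backslash sequences in the API body. Replace the test with `if printf '%s\n' "$response" | grep -qi "^$suffix:"; then`, anchoring on the `:` that separates suffix and count in each HIBP range line. The script containing this hunk starts and ends outside it, so the new `exit 1` on a match is only meaningful if the caller treats a non-zero status as a rejection rather than relying on the removed `match!` text.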