PrincessPi/Encrypt-Share-Attribution
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
738a794d897cca873068c5d82471c04919f6fe6e
Encrypt-Share-Attribution/create-attributable-archive.sh
T
PrincessPi 738a794d89 sum silly shitty
2026-05-23 11:24:11 -06:00

264 lines
8.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# packages: 7zip, shred, secure-delete, cracklib-runtime
set -e
unix_seconds=$(date +%s)
key_path="./private_ed25519_${unix_seconds}"
signature_tag="file-integrity"
out_dir="./out"
inner_dir="$out_dir/contents"
checkcode() {
local retcode
if [ -z "$1" ]; then
echo -e "\n\e[31mERROR!\033[0m checkcode missing return code parameter\n"
exit 1
else
retcode=$1
fi
if [ $retcode -ne 0 ]; then
echo -e "\e[31mERROR!\033[0m Response Code: $retcode"
else
printf ' \e[1;32mOK!\e[0m\n'
fi
}
reset() {
printf "autoshredding these files..."
find . -type f \( -path ".git" -o -path "keystore" -o -path "archives" \) -prune \( -name "*.sha512" -o -name "checksums*" -o -name "private_*" -o -name ".*" -o -name "*.sig" -o -name "*.7z" -o -name "anonymous_signer" \) -print -exec shred -uz {} \;
checkcode $?
if compgen -G "private_*"; then
printf "nuking errant priv key files..."
shred -uz private_*
checkcode $?
fi
if compgen -G "attribution_passphrase_*" > /dev/null; then
printf "nuking errant attribution passphrase files"
shred -uz attribution_passphrase_*
checkcode $?
fi
echo "autoshredding out..."
srm -r -z -l -l "$out_dir" > /dev/null 2>&1
checkcode $?
echo "rebuilding out..."
printf "making out dir structure..."
mkdir -p "$inner_dir" > /dev/null 2>&1
checkcode $?
printf "updating $inner_dir/READMD.md..."
echo "put files to verifiably archive in here" > "$inner_dir/README.md"
checkcode $?
printf "updating $out_dir/README.md..."
echo "# todo: make this nice" > "$out_dir/README.md"
checkcode $?
printf "making "$out_dir"/test_validate_passphrase.sh..."
cp test_validate_passphrase.txt "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1
checkcode $?
printf "making $out_dir/test_validate_passphrase.sh executable..."
chmod +x "$out_dir/test_validate_passphrase.sh" > /dev/null 2>&1
checkcode $?
printf "making $out_dir/verify-everything.sh..."
cp verify-everything.txt "$out_dir"/verify-everything.sh > /dev/null 2>&1
checkcode $?
printf "making $out_dir/verify-everything.sh executable"...
chmod +x "$out_dir/verify-everything.sh" > /dev/null 2>&1
checkcode $?
housekeeping_dirs=("archives" "keystore")
for dir in "${housekeeping_dirs[@]}"; do
printf "changing ownership of $dir to ${USER}..."
chown $USER:$USER -R "$dir" > /dev/null 2>&1
checkcode $?
printf "changing permissions on $dir to 700..."
chmod 700 "$dir" > /dev/null 2>&1
checkcode $?
printf "finding and shredding erroneous dirs in ${dir}..."
find "$dir" -mindepth 1 -type d -exec srm -r -z -l -l "{}" \; > /dev/null 2>&1
checkcode $?
printf "finding and shredding erronious files in ${dir}..."
find "$dir" -type f \( -name "private_ed25519_*" -o -name "attribution_passphrase_*" \) -exec shred -uz "{}" \; > /dev/null 2>&1
checkcode $?
printf "changing perms of files in $dir to 600..."
find "$dir" -type f -exec chmod 600 "{}" \; > /dev/null 2>&1
checkcode $?
done
}
printf "setting up environment..."
reset
# wait for keypress
read -n 1 -s -r -p "In another terminal/window, fill $inner_dir with whatever you please then press any key to continue..."
printf "ssh-keygen: makin new key: ${key_path}..."
ssh-keygen -t ed25519 -f "$key_path" -C "anonymous" -N "" > /dev/null 2>&1
checkcode $?
printf "ssh-keygen: changing ownership on $key_path and $key_path.pub..."
chown $USER:$USER "$key_path" "$key_path.pub" > /dev/null 2>&1
checkcode $?
printf "ssh-keygen: fixing perms on $key_path and $key_path.pub..."
chmod 600 "$key_path" "$key_path.pub" > /dev/null 2>&1
checkcode $?
printf "ssh-keygen: creating $out_dir/anonymous_signer..."
echo "anonymous namespaces=\"$signature_tag\" $(cat "${key_path}.pub")" > "$out_dir/anonymous_signer"
checkcode $?
echo "inject random data y/n (default n)"
read random
if [[ "$random" == "" || "$random" =~ ^[nN]{1}$ ]]; then
printf "random: adding 1/2 random blocks of data (1024 bits, 128 bytes) to outer archive..."
openssl rand -out "$out_dir/.$RANDOM" 128 > /dev/null 2>&1
checkcode $?
printf "random: adding 2/2 random blocks of data (1024 bits, 128 bytes) to inner archive..."
openssl rand -out "$inner_dir/.$RANDOM" 128 > /dev/null 2>&1
checkcode $?
else
echo -e 'no random... \e[1;32mOK!\e[0m\n'
fi
printf "7z: compressing inner volume..."
7z a "$out_dir/contents.7z" "$inner_dir" > /dev/null 2>&1
checkcode $?
printf "deleting ${inner_dir}..."
rm -rf "$inner_dir" > /dev/null 2>&1
checkcode $?
printf "ssh: signing out/contents.7z..."
ssh-keygen -Y sign -f "$key_path" -n "$signature_tag" "$out_dir/contents.7z" > /dev/null 2>&1
checkcode $?
printf "changing directory to ${out_dir}..."
cd "$out_dir" > /dev/null 2>&1
checkcode $?
printf "sha512: generating sha512 checksums of files in out..."
sha512sum * > "checksums.sha512"
checkcode $?
printf "changing directory back..."
cd .. > /dev/null 2>&1
checkcode $?
echo
echo "Enter attribution passphrase:"
read -r -s attribution_passphrase
echo
echo "Enter attribution passphrase again:"
read -r -s attribution_passphrase_check
echo
if printf "$attribution_passphrase" | cracklib-check | grep -q 'OK'; then
echo -e "attribution passphrase strength: \033[0;32mOK!\033[0m"
else
echo -e "\n\n\033[0;31mAttribution passphrase ia not secure enough! Exiting!\033[0m\n\n" > /dev/null 2>&1
exit 1
fi
if [[ "$attribution_passphrase" != "$attribution_passphrase_check" ]]; then
echo -e "\n\n\033[0;31mAttribution passphrases do not match! Exiting!\033[0m\n\n" > /dev/null 2>&1
exit 1
else
echo -e "attribution_passphrase: \033[0;32mOK!\033[0m"
echo "$attribution_passphrase" > "attribution_passphrase_${unix_seconds}.txt"
fi
printf "unsetting attribution_passphrase_check"
unset attribution_passphrase_check > /dev/null 2>&1
checkcode $?
printf "calculating attribution passphrase and hash, then placing it"
{
printf "$attribution_passphrase"
cat "$out_dir/contents.7z"
} | sha512sum | awk '{print $1}' > "$out_dir/attribution-checksum.sha512"
checkcode $?
printf "sanity checking: changing working directory to ${out_dir}..."
cd "$out_dir" > /dev/null 2>&1
checkcode $?
printf "sanity checking: verification..."
bash verify-everything.sh "$attribution_passhrase"
checkcode $?
printf "sanity checking: validate attribution passphrase..."
bash test_validate_passphrase.sh "$attribution_passphrase"
checkcode $?
printf "sanity checking: returning..."
cd ..
checkcode $?
printf "unsetting attribution_passphrase"
unset attribution_passphrase > /dev/null 2>&1
checkcode $?
printf "7z archiving outer dir..."
7z a "./out.7z" "$out_dir" > /dev/null 2>&1
checkcode $?
printf "moving out.7z to archives..."
mv out.7z "archives/verifiable_archive_${unix_seconds}.7z" > /dev/null 2>&1
checkcode $?
echo
echo "input keystore passphrase:"
read -r -s keystore_passphrase
echo
echo "input keystore passphrase (again):"
read -r -s keystore_passphrase_check
echo
if printf "$keystore_passphrase" | cracklib-check | grep -q 'OK'; then
echo -e "keystore passphrase strength: \033[0;32mOK!\033[0m"
else
echo -e "\n\n\033[0;31mKeystore passphrase not strong enough! Exiting!\033[0m\n\n" > /dev/null 2>&1
exit 1
fi
if [[ "$keystore_passphrase" != "$keystore_passphrase_check" ]]; then
echo -e "\n\n\033[0;31mKeystore passphrases do not match! Exiting!\033[0m\n\n" > /dev/null 2>&1
exit 1
else
echo -e "keystore passphrases... \e[1;32mOK!\e[0m"
fi
printf "unsetting keystore passphrase checl"
unset keystore_passphrase_check > /dev/null 2>&1
checkcode $?
printf "archivin keys..."
7z a "keystore/keystore_${unix_seconds}.7z" "private_*" "attribution_passphrase_*" -p"$keystore_passphrase" -mhe=on > /dev/null 2>&1
checkcode $?
printf "testing key archive..."
7z t "keystore/keystore_${unix_seconds}.7z" -p"$keystore_passphrase" > /dev/null 2>&1
checkcode $?
printf "unsetting keystore passphrase..."
unset keystore_passphrase > /dev/null 2>&1
checkcode $?
printf "resetting environment..."
reset
echo -e "\033[0;32mdone :3\033[0m"
Reference in New Issue View Git Blame Copy Permalink