Compare commits
115 Commits
main
..
462214de78
| Author | SHA1 | Date | |
|---|---|---|---|
| 462214de78 | |||
| 2b401d6ed7 | |||
| 946f29c7e2 | |||
| afbe0e5d56 | |||
| 80cd151047 | |||
| 8a4960a6fd | |||
| 55dc3d9933 | |||
| d8a80a9ac0 | |||
| cc26042284 | |||
| 417dc33bce | |||
| f452f450e9 | |||
| bdf5794b59 | |||
| c50aa04517 | |||
| af06164cd3 | |||
| 78de4d315b | |||
| c99e75e4ab | |||
| 2bc28a462d | |||
| c5b9309880 | |||
| c3486904f8 | |||
| eb484b7c98 | |||
| 07398c73f6 | |||
| 6512dbd0e9 | |||
| 56380beb68 | |||
| c50dfc6785 | |||
| 79b922435a | |||
| b89b06eebe | |||
| ee5be2d9eb | |||
| af8c18f19c | |||
| a748c72a96 | |||
| ba89a8423d | |||
| 4ce18be210 | |||
| eebdba57ec | |||
| 21fd38a34e | |||
| 192e3ef2f7 | |||
| 6a58e3a3e6 | |||
| c5bc56f136 | |||
| d342908563 | |||
| a71bff6a6c | |||
| 96ffe5e70a | |||
| ce90c2f6fd | |||
| ed0079c399 | |||
| 74aaad2dd0 | |||
| 91e40493b4 | |||
| d8f126a128 | |||
| 26ca778dd1 | |||
| 6b71b15408 | |||
| bc20acec0f | |||
| 568ee014d4 | |||
| 738a794d89 | |||
| 55822d0bcb | |||
| a45bd78978 | |||
| 67ddff8c64 | |||
| c85b8547b6 | |||
| 7f466a6256 | |||
| b8727e8ed4 | |||
| 2c6f0d7288 | |||
| 2e3527394e | |||
| 76c92fa47a | |||
| b0292f6726 | |||
| 1467b0aebe | |||
| 422c7911e6 | |||
| da708b4e2b | |||
| 88a8ec4b6f | |||
| 555cc9c142 | |||
| eba068f3c9 | |||
| e22c171c8e | |||
| b95fa219f7 | |||
| b245a9778f | |||
| 2c0df8f79b | |||
| abc62c5969 | |||
| 5032070b5d | |||
| 5a8280215f | |||
| 042944e416 | |||
| fa658fa4fb | |||
| fd740e66f0 | |||
| 787bc95c68 | |||
| e1efae469d | |||
| 907cad81f7 | |||
| 7d674f135b | |||
| 7c9e0b61fa | |||
| 8e3acf1f70 | |||
| 190d93d12a | |||
| 16061f529b | |||
| 576cf0b5bd | |||
| 6fc8ffd687 | |||
| 6154cebbd0 | |||
| c6394c9d45 | |||
| eb7fb0d434 | |||
| 6c943fb07b | |||
| 12046b6d02 | |||
| 06d688d802 | |||
| 7977df0755 | |||
| bd1e5ab648 | |||
| c5e2068c32 | |||
| 0941aec939 | |||
| 2ea5be068a | |||
| 1605ae2141 | |||
| e726465701 | |||
| 6356b9d6ac | |||
| 4ed43dab2d | |||
| 2199ad63c6 | |||
| 4b2d5c8eb8 | |||
| a1f18b566e | |||
| a435b9503d | |||
| 1799b523bc | |||
| 900ac72ed8 | |||
| 43f840140c | |||
| c081716207 | |||
| ed494e9a08 | |||
| 8e9b1832c6 | |||
| eaa54dec22 | |||
| a765531e2e | |||
| 38aff02921 | |||
| e2a3f08b51 | |||
| 888d96de8f |
+21
-2
@@ -1,2 +1,21 @@
|
||||
*/secrets_*
|
||||
*/parsed_*
|
||||
# dirs
|
||||
## archives dir
|
||||
archives/*
|
||||
!archives/README.md
|
||||
## keystore dir
|
||||
keystore/*
|
||||
!keystore/README.md
|
||||
## out dir
|
||||
out/*
|
||||
!out/README.md
|
||||
## out/content dir
|
||||
out/content/*
|
||||
!out/content/README.md
|
||||
|
||||
# files
|
||||
*/*.7z
|
||||
*/*.sha512
|
||||
*/*.sha256
|
||||
*/private_*
|
||||
*/*.sig
|
||||
anonymous_signer
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
# File Map
|
||||
@@ -0,0 +1,13 @@
|
||||
# Verifiably, Attributably Secure Archives
|
||||
verifuably, durably, and attributing information as anonymously as desired
|
||||
|
||||
## Scripts (Linux Only)
|
||||
- [verify-everything.sh](./verify-everything.sh) verifies the integrity of the data
|
||||
- [test_validate_passphrase.sh](./test_validate_passphrase.sh)
|
||||
|
||||
## Files
|
||||
- README.md : this file
|
||||
- checksums.sha512 : sha512 checksums of all the files in the outer archive (here)
|
||||
- attribution-checksum.sha512 : sha512 checksum of a passphrase+contents.7z to test for attribution by passphrase
|
||||
- anonymous_signer : holds ed25519 public key and name (anonymous)
|
||||
- contents.7z.sig : ed25519 signature file of contents.7z
|
||||
@@ -1,6 +1,85 @@
|
||||
# fuck_git_downloader
|
||||
downloads all of a github users public repos, scans them for secrets, then parses into something you can use.
|
||||
# Verifiably, Attributably Secure Archives
|
||||
For when you need to distribute information anonymously, but wish to keep it provably full and intact, but _also_ wish to have options to prove attribution.
|
||||
|
||||
this is barely even a script and yet its so hysterically effective that id be remiss not to post it. here be dragons and all idk
|
||||
## Writeup
|
||||
### Purpose
|
||||
todo
|
||||
### Method
|
||||
todo
|
||||
### Issues
|
||||
- two-way deanonymization is assumed when either method to attribute is used
|
||||
- when sha512 method is used, originator is assumed to be the owner of the ed25519 key and vice versa
|
||||
- any reveal of either signed note or sha512 attribution passphrase, the other is assumed to belong to the same entity
|
||||
- opsec failures can result in two-way deanonymization
|
||||
|
||||
## Usage
|
||||
### Installation
|
||||
todo
|
||||
### Usage
|
||||
todo
|
||||
|
||||
## todo
|
||||
1. x validate attribution thing
|
||||
2. clean up output
|
||||
3. x **fix password audit!**
|
||||
4. x sanity checks
|
||||
5. this README.md
|
||||
6. x the README-instructions.txt and placedment for archive
|
||||
7. x passphrase strength/length checks
|
||||
8. sha256 mode with independant passphrase(?)
|
||||
9. encrypt archive option
|
||||
1. inner
|
||||
1. goes first
|
||||
2. gets passphrase
|
||||
3. tests passphrase
|
||||
4. generates txt file backup
|
||||
5. then tests with passphrase
|
||||
2. outer
|
||||
1. goes second
|
||||
2. gets passphrase
|
||||
3. tests passphrase
|
||||
4. generates txt file backup
|
||||
5. then tests with passphrase
|
||||
10. x random data optional
|
||||
1. x `read -n 1 -s -r -p "In another terminal/window, fill $inner_dir with whatever you please then press any key to continue..."`
|
||||
2. x now only takes up 2Kb!
|
||||
3. x only use 128 bytes (1024 bits) x 2
|
||||
1. x `openssl rand -out "$out_dir/.$RANDOM" 128`
|
||||
2. x `openssl rand -out "$inner_dir/.$RANDOM" 128`
|
||||
3. x `find "$out_dir" -type f -name ".*" -exec chown $USER:$USER "{}" \;`
|
||||
4. x `find "$out_dir" -type f -name ".*" -exec chmod 600 "{}" \;`
|
||||
11. writeup in this README
|
||||
12. usage in this README
|
||||
13. specification definition
|
||||
1. Specification.md
|
||||
14. FileMap.md
|
||||
15. x function: passphrase checkin
|
||||
1. x match
|
||||
2. x pass cracklib-check
|
||||
3. x =>35 chars long
|
||||
4. x pass call to haveibeenpwned.com api
|
||||
16. x exit trap with cleanup
|
||||
|
||||
## Changelog
|
||||
- reduced random data to 2x 10Kb
|
||||
- reduced random data to 2x 1Kb
|
||||
- added password strength check with cracklib-check
|
||||
- cleaned up output
|
||||
- added housekeeping
|
||||
- set perms and ownership on archives and keystore to minimum
|
||||
- shred all erronious files and dirs
|
||||
- cleaned up code
|
||||
- better rng
|
||||
- better passphrase check
|
||||
- checks for exact match
|
||||
- minimum of 35 chars
|
||||
- checks with cracklib-check
|
||||
- checks online with haveibeenpwned.com
|
||||
- bug fixes
|
||||
- random data is now actually optional and is only 128 bytes (1024 bits) and are generated securely
|
||||
- better antiforensics by unsetting vars and cleaning up on exit
|
||||
- actually workan password checks
|
||||
- actually workan nice :3 mo stable mo sanity checks mo safety settings and methods
|
||||
|
||||
hii
|
||||
|
||||

|
||||
|
||||
@@ -0,0 +1 @@
|
||||
# Specification (WIP)
|
||||
@@ -0,0 +1 @@
|
||||
completed archives here
|
||||
@@ -0,0 +1,69 @@
|
||||
#!/bin/bash
|
||||
|
||||
# file paths
|
||||
sha256_file_path=./checksums.sha256
|
||||
md5_file_path=./checksums.md5
|
||||
error_log=./checksums_error.log
|
||||
|
||||
# text colors
|
||||
RED='\e[31m'
|
||||
GREEN='\e[32m'
|
||||
RESET='\e[0m'
|
||||
|
||||
# set these false at the start to be safe
|
||||
checksha256=false
|
||||
checkmd5=false
|
||||
|
||||
# output errors to error log
|
||||
exec 2> >(tee -a "$error_log" >&2)
|
||||
|
||||
# environment checks
|
||||
## check for presence of $sha256_file_path, fail with general error on error
|
||||
if [ ! -f "$sha256_file_path" ]; then
|
||||
echo -e "\n${RED}FAIL!${RESET} File $sha256_file_path Not Found!\n" >&2
|
||||
exit 1
|
||||
fi
|
||||
## check if $sha256_file_path is writable
|
||||
if [ ! -r "$sha256_file_path" ]; then
|
||||
echo -e "\n${RED}FAIL!${RESET} File $sha256_file_path Exists But Not Readable!\n" >&2
|
||||
exit 1
|
||||
fi
|
||||
## check for presence of $md5_file_path, fail with general error on error
|
||||
if [ ! -f "$md5_file_path" ]; then
|
||||
echo -e "\nFAIL! File $md5_file_path Not Found!\n" >&2
|
||||
exit 1
|
||||
fi
|
||||
## check if $md5_file_path is writable
|
||||
if [ ! -r "$md5_file_path" ]; then
|
||||
echo -e "\n${RED}FAIL!${RESET} File $md5_file_path Exists But Not Readable!\n" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# check checksums
|
||||
## check sha256
|
||||
if sha256sum -c "$sha256_file_path" 1>/dev/null; then
|
||||
echo -e "SHA256 Checksums: ${GREEN}OK!${RESET}"
|
||||
checksha256=true
|
||||
else
|
||||
echo -e "\n\nSHA256 Checksums: ${RED}BAD!${RESET}\nDumping SHA256 Checksum Fails:" >&2
|
||||
sha256sum -c "$sha256_file_path" | grep 'FAILED' >&2
|
||||
echo -e "\nSHA256 Checksums: ${RED}BAD!${RESET}\n" >&2
|
||||
fi
|
||||
## check md5
|
||||
if md5sum -c "$md5_file_path" 1>/dev/null; then
|
||||
echo -e "MD5 checksums: ${GREEN}OK!${RESET}"
|
||||
checkmd5=true
|
||||
else
|
||||
echo -e "\n\nFAIL: MD5 Checksums: ${RED}BAD!${RESET}\n\tDumping MD5 Checksum Fails:" >&2
|
||||
md5sum -c "md5_file_path" | grep 'FAILED' >&2
|
||||
echo -e "\nMD5 Checksums: ${RED}BAD!${RESET}\n" >&2
|
||||
fi
|
||||
|
||||
# tally checks
|
||||
if [[ $checksha256 == true && $checkmd5 == true ]]; then
|
||||
echo -e "\nFile Integrity: VERIFIED! All Checksums: ${GREEN}OK!${RESET}\n"
|
||||
exit 0 # exit success
|
||||
else
|
||||
echo -e "\nFile Integrity Check: ${RED}FAILED!${RESET}\n\tSee Above or See $error_log" >&2
|
||||
exit 1 # exit general failure
|
||||
fi
|
||||
@@ -0,0 +1,16 @@
|
||||
e1351c891f5d836961f9a5bf8272b12e ./.gitignore
|
||||
b73f788fe14ae5b781d81eb94e960de0 ./archives/README.md
|
||||
11e5d6a30bfd73314e40a34b8189e647 ./checksums_generate_recursive.sh
|
||||
b381bf88afe4262ad8185dd64a0d842d ./create-attributable-archive.sh
|
||||
7bb49a9ca83d3eaec2ff3a16e3e35981 ./datetimestamp.txt
|
||||
0a007706580563c1d3f31b37b28be8bc ./FileMap.md
|
||||
c7a749b080c6dd2324568f0bd5c0f17f ./keystore/README.md
|
||||
dd2587cac4bdd1b2231e7805eb48df90 ./out/contents/README.md
|
||||
298db900c3611a0f6794ee30eacbf23d ./out/README.md
|
||||
973323f463d79c6870a8448c62c83a81 ./out/test_validate_passphrase.sh
|
||||
a4bc6a7243371e94b7d831433cb43afa ./out/verify-everything.sh
|
||||
ba1192e212e20c3c1b3306a4faef6b8a ./README-instructions.txt
|
||||
bc6cd9956d0fa7fe8c8d242e02330531 ./README.md
|
||||
43f978564c0309905204c2e3d41920c4 ./Specification.md
|
||||
973323f463d79c6870a8448c62c83a81 ./test_validate_passphrase.txt
|
||||
a4bc6a7243371e94b7d831433cb43afa ./verify-everything.txt
|
||||
@@ -0,0 +1,31 @@
|
||||
8eaf8cd5d9e5cb3d2170a44344a8efc37e014ad8d7d8cc4fa49fb4a6e2a18bbe ./.gitignore
|
||||
7fd36c34bee48c3fae99ed4bf3ab4dcbc53b20405e20fec7261e2b53e78ae6b2 ./archives/README.md
|
||||
e4fe64ba4374d0ccdb5b35c09b92bc3914f7c54b95e0a5b64b3fb903b80dc931 ./checksums_generate_recursive.sh
|
||||
4b4a63a30c7ef05f876d9d82cb814eb6a47ab2c494a7894c4066216f0b6b0c07 ./create-attributable-archive.sh
|
||||
77a0b49395192e3b4ab451bf3512e3d5bd317f09ad826a65d2e8d2028456e2f0 ./FileMap.md
|
||||
4393dfc3184bb3ce55bf4c611b5aabaebc551da4cf748570a01e9f7a3a79b837 ./keystore/README.md
|
||||
8d09ddfa82784ae6b88962d72712b10d9c555de791034c44ba7a5e5a7630a0f4 ./out/contents/README.md
|
||||
6f0b8bd158eb8608beca242d60257765c5ec0fa97e0a2a67c16482c8c9ee33ec ./out/README.md
|
||||
5e795860b295d132e2382c137b1a61211e4e315cb064a40a41dccaa4692f64fb ./out/test_validate_passphrase.sh
|
||||
af78d32024215da3f69c817440855e7c34e4d05d4ba17ccacc0162a56127cfd0 ./out/verify-everything.sh
|
||||
2c873d9dd7fabc18b139d18c094ed16b5c3107448ce92c812e05474e8e1f5652 ./README-instructions.txt
|
||||
327a649a4851981e8d4dcdd473a577210b1cd7c6e078789c821d2c29fee20e0d ./README.md
|
||||
065d7229fbf08a2b6e0098435fa12221398e4386026f6bebd3ac5b756f73616d ./Specification.md
|
||||
5e795860b295d132e2382c137b1a61211e4e315cb064a40a41dccaa4692f64fb ./test_validate_passphrase.txt
|
||||
af78d32024215da3f69c817440855e7c34e4d05d4ba17ccacc0162a56127cfd0 ./verify-everything.txt
|
||||
8eaf8cd5d9e5cb3d2170a44344a8efc37e014ad8d7d8cc4fa49fb4a6e2a18bbe ./.gitignore
|
||||
7fd36c34bee48c3fae99ed4bf3ab4dcbc53b20405e20fec7261e2b53e78ae6b2 ./archives/README.md
|
||||
e4fe64ba4374d0ccdb5b35c09b92bc3914f7c54b95e0a5b64b3fb903b80dc931 ./checksums_generate_recursive.sh
|
||||
4b4a63a30c7ef05f876d9d82cb814eb6a47ab2c494a7894c4066216f0b6b0c07 ./create-attributable-archive.sh
|
||||
45da0a27c033830a13f0a195ad8729379fe82fd0cf30a938a379055630c4677b ./datetimestamp.txt
|
||||
77a0b49395192e3b4ab451bf3512e3d5bd317f09ad826a65d2e8d2028456e2f0 ./FileMap.md
|
||||
4393dfc3184bb3ce55bf4c611b5aabaebc551da4cf748570a01e9f7a3a79b837 ./keystore/README.md
|
||||
8d09ddfa82784ae6b88962d72712b10d9c555de791034c44ba7a5e5a7630a0f4 ./out/contents/README.md
|
||||
6f0b8bd158eb8608beca242d60257765c5ec0fa97e0a2a67c16482c8c9ee33ec ./out/README.md
|
||||
5e795860b295d132e2382c137b1a61211e4e315cb064a40a41dccaa4692f64fb ./out/test_validate_passphrase.sh
|
||||
af78d32024215da3f69c817440855e7c34e4d05d4ba17ccacc0162a56127cfd0 ./out/verify-everything.sh
|
||||
2c873d9dd7fabc18b139d18c094ed16b5c3107448ce92c812e05474e8e1f5652 ./README-instructions.txt
|
||||
327a649a4851981e8d4dcdd473a577210b1cd7c6e078789c821d2c29fee20e0d ./README.md
|
||||
065d7229fbf08a2b6e0098435fa12221398e4386026f6bebd3ac5b756f73616d ./Specification.md
|
||||
5e795860b295d132e2382c137b1a61211e4e315cb064a40a41dccaa4692f64fb ./test_validate_passphrase.txt
|
||||
af78d32024215da3f69c817440855e7c34e4d05d4ba17ccacc0162a56127cfd0 ./verify-everything.txt
|
||||
@@ -0,0 +1,40 @@
|
||||
#!/bin/bash
|
||||
# file paths
|
||||
sha256_file_path=./checksums.sha256
|
||||
md5_file_path=./checksums.md5
|
||||
error_log=./checksums_error.log
|
||||
|
||||
# text colors
|
||||
RED='\e[31m'
|
||||
YELLOW='\033['
|
||||
GREEN='\e[32m'
|
||||
RESET='\e[0m'
|
||||
|
||||
# output errors to error log
|
||||
exec 2> >(tee -a "$error_log" >&2)
|
||||
|
||||
if [ -f "sha256_file_path" ]; then
|
||||
echo -e "${YELLOW}Warn${RESET}: Existing $sha256_file_path Found, Deleting..."
|
||||
rm -f "sha256_file_path"
|
||||
fi
|
||||
|
||||
if [ -f "$md5_file_path" ]; then
|
||||
echo -e "${YELLOW}Warn${RESET}: Existing $md5_file_path Found, Deleting..."
|
||||
rm -f "$md5_file_path"
|
||||
fi
|
||||
|
||||
if [ -f "$error_log" ]; then
|
||||
echo -e "${YELLOW}Warn${RESET}: Existing $error_log Found, Deleting..."
|
||||
rm -f "$error_log"
|
||||
fi
|
||||
|
||||
# notify user
|
||||
echo "Calculating SHA256 and MD5 Checksums Recursively into $sha256_file_path and $md5_file_path\n\t${YELLOW}This May Take a Long Time!${RESET}"
|
||||
# exclude git
|
||||
if find . -type f ! -path "*/.git/*" ! -path "$error_log" ! -path "$md5_file_path" ! -path "$sha256_file_path" -exec bash -c "file_path={} && sha256sum \$file_path 1>> $sha256_file_path && md5sum \$file_path 1>> $md5_file_path" \;; then
|
||||
echo -e "\n${GREEN}SUCCESS!${RESET} Generated SHA256 and MD5 Checksums into $sha256sum and $md5_file_path Respectively!\n"
|
||||
exit 0 # explicitly exit success
|
||||
else
|
||||
echo -e "\n${RED}FAIL!${RESET} Failed to Generate SHA256 and MD5 Checksums! Check Error Output or Check Error Log: $error_log\n" >&2
|
||||
exit 1 # explicitly fail
|
||||
fi
|
||||
Executable
+357
@@ -0,0 +1,357 @@
|
||||
#!/usr/bin/env bash
|
||||
# packages: 7zip, shred, secure-delete, cracklib-runtime, openssl, curl
|
||||
|
||||
set -o errtrace
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
IFS=$'\n\t'
|
||||
|
||||
unix_seconds=$(date +%s)
|
||||
key_path="./private_ed25519_${unix_seconds}"
|
||||
signature_tag="file-integrity"
|
||||
out_dir="./out"
|
||||
inner_dir="$out_dir/contents"
|
||||
|
||||
RED='\033[31m'
|
||||
GREEN='\033[32m'
|
||||
RESET='\033[0m'
|
||||
|
||||
num_of_args="$#"
|
||||
all_args="$@"
|
||||
|
||||
require_command() {
|
||||
if ! command -v "$1" >/dev/null 2>&1; then
|
||||
echo "Missing required command: $1" >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
require_dependencies() {
|
||||
local deps=(bash shred srm openssl curl ssh-keygen 7z sha512sum awk grep realpath)
|
||||
for dep in "${deps[@]}"; do
|
||||
require_command "$dep"
|
||||
done
|
||||
}
|
||||
|
||||
checkcode() {
|
||||
local retcode="${1:-}"
|
||||
if [[ -z "$retcode" ]]; then
|
||||
echo -e "\n${RED}ERROR!${RESET} checkcode missing return code parameter\n" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ "$retcode" -ne 0 ]]; then
|
||||
echo -e "${RED}ERROR!${RESET} Response code: $retcode" >&2
|
||||
exit "$retcode"
|
||||
fi
|
||||
|
||||
printf ' %bOK!%b\n' "$GREEN" "$RESET"
|
||||
}
|
||||
|
||||
run_cmd() {
|
||||
"$@"
|
||||
checkcode $?
|
||||
}
|
||||
|
||||
reset() {
|
||||
printf 'Autoshredding known artifacts...\n'
|
||||
find . -maxdepth 1 -type f \( -name 'private_*' -o -name 'attribution_passphrase_*' -o -name '*.sha512' -o -name 'checksums*' -o -name '*.sig' -o -name '*.7z' -o -name 'anonymous_signer' \) -exec shred -uz {} +
|
||||
checkcode $?
|
||||
|
||||
if compgen -G 'private_*' >/dev/null 2>&1; then
|
||||
printf 'Shredding errant private key files...\n'
|
||||
shred -uz private_* || true
|
||||
fi
|
||||
|
||||
if compgen -G 'attribution_passphrase_*' >/dev/null 2>&1; then
|
||||
printf 'Shredding errant attribution passphrase files...\n'
|
||||
shred -uz attribution_passphrase_* || true
|
||||
fi
|
||||
|
||||
printf 'Removing previous output directory...\n'
|
||||
rm -rf "$out_dir"
|
||||
checkcode $?
|
||||
|
||||
printf 'Rebuilding output directory structure...\n'
|
||||
mkdir -p "$inner_dir"
|
||||
checkcode $?
|
||||
|
||||
printf 'Writing placeholder README files...\n'
|
||||
echo 'put files to verifiably archive in here' > "$inner_dir/README.md"
|
||||
checkcode $?
|
||||
echo '# todo: make this nice' > "$out_dir/README.md"
|
||||
checkcode $?
|
||||
|
||||
printf 'Copying verification helpers...\n'
|
||||
cp test_validate_passphrase.txt "$out_dir/test_validate_passphrase.sh"
|
||||
checkcode $?
|
||||
chmod +x "$out_dir/test_validate_passphrase.sh"
|
||||
checkcode $?
|
||||
cp verify-everything.txt "$out_dir/verify-everything.sh"
|
||||
checkcode $?
|
||||
chmod +x "$out_dir/verify-everything.sh"
|
||||
checkcode $?
|
||||
|
||||
local housekeeping_dirs=(archives keystore)
|
||||
for dir in "${housekeeping_dirs[@]}"; do
|
||||
if [[ -d "$dir" ]]; then
|
||||
printf 'Hardening %s...\n' "$dir"
|
||||
chmod 700 "$dir"
|
||||
checkcode $?
|
||||
|
||||
find "$dir" -mindepth 1 -type d -exec srm -r -z -l '{}' + >/dev/null 2>&1 || true
|
||||
find "$dir" -type f \( -name 'private_ed25519_*' -o -name 'attribution_passphrase_*' \) -exec shred -uz '{}' + >/dev/null 2>&1 || true
|
||||
find "$dir" -type f -exec chmod 600 '{}' +
|
||||
checkcode $?
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
audit_passphrase() {
|
||||
local raw_password="$1"
|
||||
local check_password="$2"
|
||||
|
||||
if [[ -z "$raw_password" ]]; then
|
||||
echo '[ERROR] No passphrase provided for validation.' >&2
|
||||
return 2
|
||||
fi
|
||||
|
||||
if [[ -z "$check_password" ]]; then
|
||||
echo '[ERROR] No check passphrase provided for validation.' >&2
|
||||
return 2
|
||||
fi
|
||||
|
||||
if [[ "$raw_password" != "$check_password" ]]; then
|
||||
echo '[ERROR] Passphrases do not match!' >&2
|
||||
return 2
|
||||
fi
|
||||
|
||||
unset check_password
|
||||
|
||||
local pass_len=${#raw_password}
|
||||
if [[ "$pass_len" -lt 35 ]]; then
|
||||
echo "❌ REJECTED: Passphrase is too short ($pass_len characters). Minimum length required is 35."
|
||||
return 1
|
||||
fi
|
||||
echo "[PASS] Length verification satisfied ($pass_len characters)."
|
||||
|
||||
if command -v cracklib-check >/dev/null 2>&1; then
|
||||
if ! printf '%s' "$raw_password" | cracklib-check | grep -q 'OK$'; then
|
||||
echo '❌ REJECTED by cracklib-check.'
|
||||
return 1
|
||||
fi
|
||||
echo '[PASS] Local dictionary and structural complexity audit clear.'
|
||||
else
|
||||
echo '[WARN] cracklib-check not found; skipping local dictionary audit.' >&2
|
||||
fi
|
||||
|
||||
local full_hash prefix suffix response
|
||||
full_hash=$(printf '%s' "$raw_password" | openssl dgst -sha1 | awk '{print toupper($2)}')
|
||||
prefix=${full_hash:0:5}
|
||||
suffix=${full_hash:5}
|
||||
|
||||
if ! response=$(curl -fsS -A 'Bash-Passphrase-Audit-Script' "https://api.pwnedpasswords.com/range/$prefix"); then
|
||||
echo -e "${RED}[FATAL]${RESET} Failed to communicate with HIBP API." >&2
|
||||
return 3
|
||||
else
|
||||
echo -e "connected to hibp...${GREEN}OK${RESET}"
|
||||
fi
|
||||
|
||||
if printf '%s\n' "$response" | grep -qi "^$suffix:"; then
|
||||
echo -e "${RED}[FATAL]${RESET} Passphrase has been leaked!" >&2
|
||||
return 1
|
||||
else
|
||||
echo -e "not leaked! (via hibp)... ${GREEN}OK${RESET}"
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
error_handle() {
|
||||
local exit_code=$?
|
||||
local script_path
|
||||
if command -v realpath >/dev/null 2>&1; then
|
||||
script_path=$(realpath "$0")
|
||||
else
|
||||
script_path="$PWD/$0"
|
||||
fi
|
||||
|
||||
local hr='===================================================='
|
||||
echo
|
||||
echo "$hr"
|
||||
echo -e "🚨 ${RED}FATAL ERROR DETECTED${RESET}"
|
||||
echo "$hr"
|
||||
echo "-> Script : $0"
|
||||
echo "-> Num Script Args : $num_of_args"
|
||||
echo "-> Script Args : $all_args"
|
||||
echo "-> Shell : ${SHELL:-unknown}"
|
||||
echo "-> Script Path : $script_path"
|
||||
echo "-> Script (full) : $SHELL $script_path $all_args"
|
||||
echo "-> User : ${USER:-unknown}"
|
||||
echo "-> Working Directory : $PWD"
|
||||
echo "-> Failed Command : $BASH_COMMAND"
|
||||
echo "-> Line Number : $LINENO"
|
||||
echo "-> Exit Status : $exit_code"
|
||||
echo "-> Seconds Elapsed : $SECONDS"
|
||||
echo "-> Date Failed : $(date)"
|
||||
echo '-> Stack Trace'
|
||||
local frame=0
|
||||
while caller "$frame"; do
|
||||
frame=$((frame + 1))
|
||||
done
|
||||
echo
|
||||
echo "$hr"
|
||||
echo
|
||||
exit "$exit_code"
|
||||
}
|
||||
|
||||
exit_cleanup() {
|
||||
printf "cleaning up on exit"
|
||||
reset > /dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
# todo: uset vars
|
||||
}
|
||||
|
||||
trap error_handle ERR
|
||||
trap exit_cleanup EXIT
|
||||
|
||||
# ret=`audit_passphrase 'yw0EKY6wbSxU6KJxWN3vFZDgnSjJ4F8wqFrAJMcDxfU' 'yw0EKY6wbSxU6KJxWN3vFZDgnSjJ4F8wqFrAJMcDxfU'`
|
||||
# echo $ret
|
||||
# exit 0
|
||||
|
||||
require_dependencies
|
||||
printf 'Setting up environment...\n'
|
||||
reset
|
||||
|
||||
printf '\n\n'
|
||||
read -n 1 -s -r -p "In another terminal/window, fill $inner_dir with whatever you please then press any key to continue..."
|
||||
printf '\n'
|
||||
|
||||
printf 'ssh-keygen: creating new key: %s...\n' "$key_path"
|
||||
ssh-keygen -t ed25519 -f "$key_path" -C 'anonymous' -N '' >/dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf 'ssh-keygen: fixing permissions on %s and %s...\n' "$key_path" "${key_path}.pub"
|
||||
chmod 600 "$key_path" "${key_path}.pub"
|
||||
checkcode $?
|
||||
|
||||
printf 'ssh-keygen: creating %s/anonymous_signer...\n' "$out_dir"
|
||||
echo "anonymous namespaces=\"$signature_tag\" $(cat "${key_path}.pub")" > "$out_dir/anonymous_signer"
|
||||
checkcode $?
|
||||
|
||||
printf 'Inject random data? (y/N): '
|
||||
read -r random
|
||||
if [[ -z "$random" || "$random" =~ ^[nN]$ ]]; then
|
||||
echo -e "No random data added. ${GREEN}OK!${RESET}\n"
|
||||
else
|
||||
printf 'random: adding 1/2 random blocks of data (128 bytes) to outer archive...\n'
|
||||
openssl rand -out "$out_dir/.$RANDOM" 128 >/dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf 'random: adding 2/2 random blocks of data (128 bytes) to inner archive...\n'
|
||||
openssl rand -out "$inner_dir/.$RANDOM" 128 >/dev/null 2>&1
|
||||
checkcode $?
|
||||
fi
|
||||
|
||||
printf '7z: compressing inner volume...\n'
|
||||
7z a "$out_dir/contents.7z" "$inner_dir" >/dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf 'Deleting %s...\n' "$inner_dir"
|
||||
rm -rf "$inner_dir"
|
||||
checkcode $?
|
||||
|
||||
printf 'ssh: signing %s...\n' "$out_dir/contents.7z"
|
||||
ssh-keygen -Y sign -f "$key_path" -n "$signature_tag" "$out_dir/contents.7z" >/dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf 'Changing directory to %s...\n' "$out_dir"
|
||||
cd "$out_dir"
|
||||
checkcode $?
|
||||
|
||||
printf 'sha512: generating checksums...\n'
|
||||
sha512sum * > checksums.sha512
|
||||
checkcode $?
|
||||
|
||||
printf 'Changing directory back...\n'
|
||||
cd ..
|
||||
checkcode $?
|
||||
|
||||
printf 'Enter attribution passphrase:\n'
|
||||
read -r -s attribution_passphrase
|
||||
printf '\nEnter attribution passphrase again:\n'
|
||||
read -r -s attribution_passphrase_check
|
||||
printf '\n'
|
||||
|
||||
printf 'Auditing attribution passphrase...\n'
|
||||
ret==`audit_passphrase "$attribution_passphrase" "$attribution_passphrase_check"`
|
||||
echo "$ret"
|
||||
|
||||
printf 'Unsetting attribution_passphrase_check...\n'
|
||||
unset attribution_passphrase_check
|
||||
|
||||
printf 'Calculating attribution checksum...\n'
|
||||
{
|
||||
printf '%s' "$attribution_passphrase"
|
||||
cat "$out_dir/contents.7z"
|
||||
} | sha512sum | awk '{print $1}' > "$out_dir/attribution-checksum.sha512"
|
||||
checkcode $?
|
||||
|
||||
printf 'Sanity checking: changing working directory to %s...\n' "$out_dir"
|
||||
cd "$out_dir"
|
||||
checkcode $?
|
||||
|
||||
printf 'Sanity checking: verification...\n'
|
||||
bash verify-everything.sh "$attribution_passphrase"
|
||||
checkcode $?
|
||||
|
||||
printf 'Sanity checking: validate attribution passphrase...\n'
|
||||
bash test_validate_passphrase.sh "$attribution_passphrase"
|
||||
checkcode $?
|
||||
|
||||
printf 'Returning to project root...\n'
|
||||
cd ..
|
||||
checkcode $?
|
||||
|
||||
printf 'Unsetting attribution_passphrase...\n'
|
||||
unset attribution_passphrase
|
||||
|
||||
printf '7z archiving outer dir...\n'
|
||||
7z a ./out.7z "$out_dir" >/dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf 'Moving out.7z to archives...\n'
|
||||
mv out.7z "archives/verifiable_archive_${unix_seconds}.7z"
|
||||
checkcode $?
|
||||
|
||||
printf 'Enter keystore passphrase:\n'
|
||||
read -r -s keystore_passphrase
|
||||
printf '\nEnter keystore passphrase again:\n'
|
||||
read -r -s keystore_passphrase_check
|
||||
printf '\n'
|
||||
|
||||
printf 'Auditing keystore passphrase...\n'
|
||||
ret=`audit_passphrase "$keystore_passphrase" "$keystore_passphrase_check"`
|
||||
echo -e "$ret"
|
||||
|
||||
printf 'Unsetting keystore_passphrase_check...\n'
|
||||
unset keystore_passphrase_check
|
||||
|
||||
printf 'Archiving keys...\n'
|
||||
set +u
|
||||
shopt -s nullglob
|
||||
private_files=(private_*)
|
||||
passphrase_files=(attribution_passphrase_*)
|
||||
shopt -u nullglob
|
||||
set -u
|
||||
if [[ ${#private_files[@]} -eq 0 && ${#passphrase_files[@]} -eq 0 ]]; then
|
||||
echo 'No key or attribution passphrase files found to archive.' >&2
|
||||
exit 1
|
||||
fi
|
||||
7z a "keystore/keystore_${unix_seconds}.7z" "${private_files[@]}" "${passphrase_files[@]}" -p"$keystore_passphrase" -mhe=on >/dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf 'Testing key archive...\n'
|
||||
7z t "keystore/keystore_${unix_seconds}.7z" -p"$keystore_passphrase" >/dev/null 2>&1
|
||||
checkcode $?
|
||||
@@ -0,0 +1 @@
|
||||
Tuesday, May 26 2026 at 06:42:27 PM MDT (unix seconds 1779842547)
|
||||
@@ -1,51 +0,0 @@
|
||||
#!/bin/bash
|
||||
# packages required: git trufflehog gitsecrets pup
|
||||
|
||||
# todo: make dis an arg
|
||||
github_username='nationalsecurityagency'
|
||||
github_base='https://github.com/'
|
||||
github_repos_page="$github_base/$github_username/"
|
||||
|
||||
# todo: make dis handle pagination
|
||||
repos=$(curl -sS "${github_repos_page}?tab=repositories" | grep 'name codeRepository' | pup 'a attr{href}' | sed 's/\/PrincessPi3\///')
|
||||
|
||||
out_dir="$PWD/$github_username" #todo: make dis an arg
|
||||
mkdir -p "$out_dir"
|
||||
secretsfile="$PWD/secrets_${github_username}.txt"
|
||||
|
||||
nuke_repos_dir() {
|
||||
if [ -d "$out_dir" ]; then
|
||||
printf "deleting existing $out_dir... "
|
||||
rm -rf "$out_dir" > /dev/null 2>&1
|
||||
printf "$?\n"
|
||||
|
||||
printf "remaking $out_dir... "
|
||||
mkdir -p "$out_dir"
|
||||
printf "$?\n"
|
||||
fi
|
||||
}
|
||||
|
||||
clone_repos() {
|
||||
for repo in "${repos[@]}"; do
|
||||
printf "cloning $repo into $out_dir/$repo..."
|
||||
|
||||
git clone --recursive "$github_repos_page/$repo" "$out_dir/$repo" > /dev/null 2>&1
|
||||
|
||||
printf "$?\n"
|
||||
done
|
||||
}
|
||||
|
||||
snoop_repos() {
|
||||
for repo in "${repos[@]}"; do
|
||||
cd "$out_dir/$repo"
|
||||
pwd | tee -a "$secretsfile"
|
||||
trufflehog git file://. | tee -a "$secretsfile"
|
||||
gitleaks detect -v | tee -a "$secretsfile"
|
||||
cd -
|
||||
done
|
||||
}
|
||||
|
||||
# run em ig
|
||||
nuke_repos_dir
|
||||
clone_repos
|
||||
snoop_repos
|
||||
@@ -0,0 +1,2 @@
|
||||
# Keystore
|
||||
where encrypted archives of previous keys and attibriution passphrases are stored
|
||||
@@ -0,0 +1 @@
|
||||
# todo: make this nice
|
||||
@@ -0,0 +1 @@
|
||||
put files to verifiably archive in here
|
||||
Executable
+19
@@ -0,0 +1,19 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
attrib_hash=$(cat "./attribution-checksum.sha512")
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
echo "enter passphrase to test"
|
||||
read passphrase
|
||||
echo
|
||||
else
|
||||
passphrase="$1"
|
||||
fi
|
||||
|
||||
tested_hash=$( ( echo -n "$passphrase"; cat "./contents.7z" ) | sha512sum | awk '{print $1}')
|
||||
|
||||
if [[ "$attrib_hash" == "$tested_hash" ]]; then
|
||||
echo -e "Attribution With Password $passphrase: \033[0;32mOK!\033[0m"
|
||||
else
|
||||
echo -e "Attribution With Password $passphrase: \033[0;31mFAIL!\033[0m"
|
||||
fi
|
||||
Executable
+29
@@ -0,0 +1,29 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
checkcode () {
|
||||
if [ -z "$1" ]; then
|
||||
echo -e "\n\e[31mERROR!\033[0m chkcode missing return code paramater\n"
|
||||
exit 1
|
||||
else
|
||||
retcode=$1
|
||||
fi
|
||||
|
||||
if [ $retcode -ne 0 ]; then
|
||||
echo -e "\t\e[31mERROR!\033[0m Response Code: $retcode"
|
||||
else
|
||||
printf '\e[1;32mOK!\e[0m\n'
|
||||
fi
|
||||
}
|
||||
|
||||
printf "Testing contents.7z integrity... "
|
||||
7z t contents.7z > /dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf "Checking sha512 checksums... "
|
||||
sha512sum -c checksums.sha512 > /dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf "Checking signature against provided public key... "
|
||||
ssh-keygen -Y verify -f "./anonymous_signer" -I "anonymous" -n "file-integrity" -s contents.7z.sig < contents.7z > /dev/null > /dev/null > /dev/null 2>&1
|
||||
checkcode $?
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 589 KiB |
@@ -0,0 +1,19 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
attrib_hash=$(cat "./attribution-checksum.sha512")
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
echo "enter passphrase to test"
|
||||
read passphrase
|
||||
echo
|
||||
else
|
||||
passphrase="$1"
|
||||
fi
|
||||
|
||||
tested_hash=$( ( echo -n "$passphrase"; cat "./contents.7z" ) | sha512sum | awk '{print $1}')
|
||||
|
||||
if [[ "$attrib_hash" == "$tested_hash" ]]; then
|
||||
echo -e "Attribution With Password $passphrase: \033[0;32mOK!\033[0m"
|
||||
else
|
||||
echo -e "Attribution With Password $passphrase: \033[0;31mFAIL!\033[0m"
|
||||
fi
|
||||
@@ -0,0 +1,29 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
checkcode () {
|
||||
if [ -z "$1" ]; then
|
||||
echo -e "\n\e[31mERROR!\033[0m chkcode missing return code paramater\n"
|
||||
exit 1
|
||||
else
|
||||
retcode=$1
|
||||
fi
|
||||
|
||||
if [ $retcode -ne 0 ]; then
|
||||
echo -e "\t\e[31mERROR!\033[0m Response Code: $retcode"
|
||||
else
|
||||
printf '\e[1;32mOK!\e[0m\n'
|
||||
fi
|
||||
}
|
||||
|
||||
printf "Testing contents.7z integrity... "
|
||||
7z t contents.7z > /dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf "Checking sha512 checksums... "
|
||||
sha512sum -c checksums.sha512 > /dev/null 2>&1
|
||||
checkcode $?
|
||||
|
||||
printf "Checking signature against provided public key... "
|
||||
ssh-keygen -Y verify -f "./anonymous_signer" -I "anonymous" -n "file-integrity" -s contents.7z.sig < contents.7z > /dev/null > /dev/null > /dev/null 2>&1
|
||||
checkcode $?
|
||||
Reference in New Issue
Block a user