add netsigil with --sign support
This commit is contained in:
parent
26e9248e1a
commit
be7d18d2f5
|
@ -0,0 +1,128 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Sign an entire [Website]/[Gemini capsule]/[Gopher hole]
|
||||
# Verify any file on a signed [Website]/[Gemini capsule]/[Gopher hole]
|
||||
|
||||
helptext='Usage:
|
||||
netsigil --sign <dir> Sign a local copy of your site
|
||||
netsigil --verify <URL> Verify remote signature'
|
||||
|
||||
set -o errexit # -e
|
||||
set -o nounset # -u
|
||||
#set -o xtrace # for debugging
|
||||
|
||||
finish() {
|
||||
# Clean up on exit
|
||||
rm -rf $tempdir
|
||||
}
|
||||
trap finish EXIT
|
||||
|
||||
# Process input
|
||||
if [ "$#" -lt 2 ] || [ "$#" -gt 2 ]; then
|
||||
>&2 echo "$helptext"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
action="${1:-}"
|
||||
target="${2:-}"
|
||||
|
||||
if [ "$action" = '--sign' ]; then
|
||||
action='sign'
|
||||
[ -z "$target" ] && >&2 echo 'Directory not provided' && exit 1
|
||||
[ ! -d "$target" ] && >&2 echo 'Directory does not exist' && exit 1
|
||||
elif [ "$action" = '--verify' ]; then
|
||||
action='verify'
|
||||
[ -z "$target" ] && >&2 echo 'URL not provided' && exit 1
|
||||
else
|
||||
>&2 echo "$helptext"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check if signify is installed
|
||||
if ! command -v signify >/dev/null; then
|
||||
if command -v signify-openbsd >/dev/null; then
|
||||
alias signify='signify-openbsd'
|
||||
else
|
||||
>&2 echo 'signify could not be found.'
|
||||
# Offer to install it
|
||||
if command -v apt >/dev/null; then
|
||||
printf 'Do you want to install it? [Y/n] '
|
||||
read -r reply
|
||||
reply="$(echo "$reply" | cut -c1)" # get first character of $reply
|
||||
case $reply in
|
||||
''|[Yy]) echo "Running \`sudo apt install -y signify-openbsd\`"
|
||||
sudo apt install -y signify-openbsd || exit 1
|
||||
alias signify='signify-openbsd';;
|
||||
*) exit 1;;
|
||||
esac
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create temporary directory with a random suffix
|
||||
tempdir=$(mktemp -d -t netsigil-XXXXXXX)
|
||||
|
||||
|
||||
# Sign
|
||||
if [ "$action" = 'sign' ]; then
|
||||
|
||||
# Go to specified directory
|
||||
cd "$target" || exit 1
|
||||
|
||||
dir=$(pwd)
|
||||
|
||||
# Generate keypair
|
||||
datadir=${XDG_DATA_HOME:-~/.local/share}
|
||||
public_key=$datadir/signify/key.pub
|
||||
secret_key=$datadir/signify/key.sec
|
||||
if [ ! -f "$public_key" ] && [ ! -f "$secret_key" ]; then
|
||||
if [ ! -d "$datadir/signify" ]; then
|
||||
mkdir "$datadir/signify" || exit 1
|
||||
fi
|
||||
echo 'Generating keypair...'
|
||||
signify -G -p "$public_key" -s "$secret_key" || exit 1
|
||||
echo "Keypair saved in $datadir/signify/"
|
||||
fi
|
||||
|
||||
# Copy public key to temporary directory
|
||||
cp "$public_key" "$tempdir/key.pub"
|
||||
|
||||
# Generate SHA256SUMS file
|
||||
find -- * -type f -print0 | xargs -0 sha256sum > "$tempdir/SHA256SUMS"
|
||||
# TODO: option to include hidden files
|
||||
|
||||
# Go to temporary directory
|
||||
cd "$tempdir" || exit 1
|
||||
|
||||
# Compress
|
||||
tar -czf signature-bundle-unsigned --remove-files key.pub SHA256SUMS
|
||||
|
||||
# Sign the archive
|
||||
echo "Signing with $datadir/signify/key.sec"
|
||||
signify -Sz -s "$secret_key" -m signature-bundle-unsigned -x signature-bundle || exit 1
|
||||
rm signature-bundle-unsigned
|
||||
|
||||
# Go back to user-specified directory
|
||||
cd "$dir" || exit 1
|
||||
|
||||
# Create .well-known directory, if it does not exist
|
||||
if [ ! -d .well-known ]; then
|
||||
mkdir .well-known || exit 1
|
||||
fi
|
||||
|
||||
mv -f "$tempdir/signature-bundle" .well-known/ || exit 1
|
||||
|
||||
printf "Done. Signature saved in:\\n%s/.well-known/signature-bundle\\n" "$dir"
|
||||
|
||||
|
||||
# Verify
|
||||
elif [ "$action" = 'verify' ]; then
|
||||
|
||||
#cd "$tempdir" || exit 1
|
||||
#dir=$(pwd)
|
||||
|
||||
echo 'TODO'
|
||||
|
||||
fi
|
Loading…
Reference in New Issue