git-sig/sig

#! /usr/bin/env bash
set -e

MIN_BASH_VERSION=4
MIN_GPG_VERSION=2.2
MIN_OPENSSL_VERSION=1.1

die() {
	echo "$@" >&2
	exit 1
}

check_version(){
    [[ $2 == $3 ]] && return 0
    local IFS=.
    local i ver1=($2) ver2=($3)
    for ((i=${#ver1[@]}; i<${#ver2[@]}; i++));
    	do ver1[i]=0;
    done
    for ((i=0; i<${#ver1[@]}; i++)); do
        [[ -z ${ver2[i]} ]] && ver2[i]=0
        ((10#${ver1[i]} > 10#${ver2[i]})) && return 0
        ((10#${ver1[i]} < 10#${ver2[i]})) && die \
			"Error: ${1} ${3}+ not found"
    done
}

check_tools(){
	if [ -z "${BASH_VERSINFO}" ] \
	|| [ -z "${BASH_VERSINFO[0]}" ] \
	|| [ ${BASH_VERSINFO[0]} -lt ${MIN_BASH_VERSION} ]; then
		die "Error: bash ${MIN_BASH_VERSION}+ not found";
	fi
	for cmd in "$@"; do
		command -v "$1" >/dev/null || die "Error: $cmd not found"
		case $cmd in
			gpg)
				version=$(gpg --version | head -n1 | cut -d" " -f3)
				check_version "gpg" "${version}" "${MIN_GPG_VERSION}"
			;;
			openssl)
				version=$(openssl version | cut -d" " -f2 | sed 's/[a-z]//g')
				check_version "openssl" "${version}" "${MIN_OPENSSL_VERSION}"
			;;
		esac
	done
}

get_temp(){
	echo "$(
		mktemp \
			--quiet \
			--directory \
			-t "$(basename "$0").XXXXXX" 2>/dev/null
		|| mktemp \
			--quiet \
			--directory
	)"
}

get_files(){
	if command -v git >/dev/null; then
		git ls-files | grep -v ".${PROGRAM}"
	else
		find . \
			-type f \
			-not -path "./.git/*" \
			-not -path "./.${PROGRAM}/*"
	fi
}

cmd_manifest() {
	mkdir -p ".${PROGRAM}"
	printf "$(get_files | xargs openssl sha256 -r)" \
	| sed -e 's/ \*/ /g' -e 's/ \.\// /g' \
	| LC_ALL=C sort -k2 \
	> ".${PROGRAM}/manifest.txt"
}

verify_file() {
	[ $# -eq 3 ] || die \
		"Usage: verify_file <threshold> <group> <file>"
	local threshold="${1}"
	local group="${2}"
	local filename="${3}"
	local group_config=""
	local sig_count=0
	local seen_fingerprints=""
	local fingerprint
	local signer

	[ ! -z "$group" ] && group_config="$( \
		gpg --with-colons --list-config group \
		| grep -i "^cfg:group:${group}:" \
	)" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"

	for sig_filename in "${filename%.*}".*.asc; do
		gpg --verify "${sig_filename}" "${filename}" >/dev/null 2>&1 || {
			echo "Invalid signature: ${sig_filename}";
			exit 1;
		}
		fingerprint=$( \
			gpg --list-packets "${sig_filename}" \
			| grep keyid \
			| sed 's/.*keyid //g'
		)
		signer=$( \
			gpg \
				--list-keys \
				--with-colons "${fingerprint}" 2>&1 \
			| awk -F: '$1 == "uid" {print $10}' \
			| head -n1 \
		)

		[[ "${seen_fingerprints}" == *"${fingerprint}"* ]] \
			&& die "Duplicate signature: ${sig_filename}";

		[ ! -z "$group_config" ] \
			&& [[ "${group_config}" != *"${fingerprint}"* ]] \
			&& die "Signature not in group \"${group}\": ${sig_filename}";

		echo "Verified signature by \"${signer}\""

		seen_fingerprints="${seen_fingerprints} ${fingerprint}"
		((sig_count=sig_count+1))
	done
	[[ "$sig_count" -ge "$threshold" ]] || {
		echo "Minimum number of signatures not met: ${sig_count}/${threshold}";
		exit 1;
	}
}

cmd_verify() {
	local opts selected_line min=1 group=""
	opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"
	local err=$?
	eval set -- "$opts"
	while true; do case $1 in
		-m|--min) min="$2"; shift 2 ;;
		-g|--group) group="$2"; shift 2 ;;
		--) shift; break ;;
	esac done

	#TODO: if git: show git signature status to aid in trust building
	#TODO: if git and if invalid: show diff against last valid version
	( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
		|| die "Error: No signatures"
	cmd_manifest
	verify_file "${min}" "${group}" .${PROGRAM}/manifest.txt
}

cmd_add(){
	cmd_manifest
	gpg --armor --detach-sig .${PROGRAM}/manifest.txt
	local fingerprint=$( \
		gpg --list-packets .${PROGRAM}/manifest.txt.asc \
			| grep "issuer key ID" \
			| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
	)
	mv .${PROGRAM}/manifest.{"txt.asc","${fingerprint}.asc"}
}

cmd_version() {
	cat <<-_EOF
	==========================================
	=  sig: simple multisig trust toolchain  =
	=                                        =
	=                  v0.0.1                =
	=                                        =
	=     https://gitlab.com/pchq/sig        =
	==========================================
	_EOF
}

cmd_usage() {
	cmd_version
	cat <<-_EOF
	Usage:
	    $PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>]
	        Verify all signing policies for this directory are met
	    $PROGRAM add
	        Add signature to manifest for this directory
	    $PROGRAM manifest
	        Generate hash manifest for this directory
	    $PROGRAM help
	        Show this text.
	    $PROGRAM version
	        Show version information.
	_EOF
}

check_tools head cut find sort sed gpg openssl getopt

PROGRAM="${0##*/}"
COMMAND="$1"

case "$1" in
	verify) shift;              cmd_verify "$@" ;;
	add) shift;                 cmd_add "$@" ;;
	manifest) shift;            cmd_manifest "$@" ;;
	version|--version) shift;   cmd_version "$@" ;;
	help|--help) shift;         cmd_usage "$@" ;;
	*)                          cmd_usage "$@" ;;
esac
exit 0
initial commit 2020-11-12 22:56:38 +00:00			`#! /usr/bin/env bash`
			`set -e`

working sign/verify 2020-11-13 02:31:26 +00:00			`MIN_BASH_VERSION=4`
			`MIN_GPG_VERSION=2.2`
			`MIN_OPENSSL_VERSION=1.1`

initial commit 2020-11-12 22:56:38 +00:00			`die() {`
			`echo "$@" >&2`
			`exit 1`
			`}`

working sign/verify 2020-11-13 02:31:26 +00:00			`check_version(){`
			`[[ $2 == $3 ]] && return 0`
			`local IFS=.`
			`local i ver1=($2) ver2=($3)`
			`for ((i=${#ver1[@]}; i<${#ver2[@]}; i++));`
			`do ver1[i]=0;`
			`done`
			`for ((i=0; i<${#ver1[@]}; i++)); do`
			`[[ -z ${ver2[i]} ]] && ver2[i]=0`
			`((10#${ver1[i]} > 10#${ver2[i]})) && return 0`
			`((10#${ver1[i]} < 10#${ver2[i]})) && die \`
			`"Error: ${1} ${3}+ not found"`
			`done`
			`}`

			`check_tools(){`
			`if [ -z "${BASH_VERSINFO}" ] \`
			`\|\| [ -z "${BASH_VERSINFO[0]}" ] \`
			`\|\| [ ${BASH_VERSINFO[0]} -lt ${MIN_BASH_VERSION} ]; then`
			`die "Error: bash ${MIN_BASH_VERSION}+ not found";`
			`fi`
reorder functions 2020-11-12 23:02:19 +00:00			`for cmd in "$@"; do`
working sign/verify 2020-11-13 02:31:26 +00:00			`command -v "$1" >/dev/null \|\| die "Error: $cmd not found"`
			`case $cmd in`
			`gpg)`
			`version=$(gpg --version \| head -n1 \| cut -d" " -f3)`
			`check_version "gpg" "${version}" "${MIN_GPG_VERSION}"`
			`;;`
			`openssl)`
			`version=$(openssl version \| cut -d" " -f2 \| sed 's/[a-z]//g')`
			`check_version "openssl" "${version}" "${MIN_OPENSSL_VERSION}"`
			`;;`
			`esac`
reorder functions 2020-11-12 23:02:19 +00:00			`done`
			`}`

working sign/verify 2020-11-13 02:31:26 +00:00			`get_temp(){`
			`echo "$(`
			`mktemp \`
			`--quiet \`
			`--directory \`
			`-t "$(basename "$0").XXXXXX" 2>/dev/null`
			`\|\| mktemp \`
			`--quiet \`
			`--directory`
			`)"`
			`}`

use multisig verification flow 2020-11-13 03:24:37 +00:00			`get_files(){`
			`if command -v git >/dev/null; then`
			`git ls-files \| grep -v ".${PROGRAM}"`
			`else`
			`find . \`
			`-type f \`
			`-not -path "./.git/*" \`
			`-not -path "./.${PROGRAM}/*"`
			`fi`
initial commit 2020-11-12 22:56:38 +00:00			`}`

use multisig verification flow 2020-11-13 03:24:37 +00:00			`cmd_manifest() {`
			`mkdir -p ".${PROGRAM}"`
			`printf "$(get_files \| xargs openssl sha256 -r)" \`
			`\| sed -e 's/ \*/ /g' -e 's/ \.\// /g' \`
			`\| LC_ALL=C sort -k2 \`
			`> ".${PROGRAM}/manifest.txt"`
initial commit 2020-11-12 22:56:38 +00:00			`}`

			`verify_file() {`
almost fully working group/min support 2020-11-13 22:40:49 +00:00			`[ $# -eq 3 ] \|\| die \`
			`"Usage: verify_file <threshold> <group> <file>"`
use multisig verification flow 2020-11-13 03:24:37 +00:00			`local threshold="${1}"`
almost fully working group/min support 2020-11-13 22:40:49 +00:00			`local group="${2}"`
			`local filename="${3}"`
			`local group_config=""`
working sign/verify 2020-11-13 02:31:26 +00:00			`local sig_count=0`
			`local seen_fingerprints=""`
			`local fingerprint`
			`local signer`
almost fully working group/min support 2020-11-13 22:40:49 +00:00
			`[ ! -z "$group" ] && group_config="$( \`
			`gpg --with-colons --list-config group \`
			`\| grep -i "^cfg:group:${group}:" \`
			`)" \|\| die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"`

initial commit 2020-11-12 22:56:38 +00:00			`for sig_filename in "${filename%.}"..asc; do`
			`gpg --verify "${sig_filename}" "${filename}" >/dev/null 2>&1 \|\| {`
			`echo "Invalid signature: ${sig_filename}";`
			`exit 1;`
			`}`
			`fingerprint=$( \`
			`gpg --list-packets "${sig_filename}" \`
			`\| grep keyid \`
			`\| sed 's/.*keyid //g'`
			`)`
			`signer=$( \`
			`gpg \`
			`--list-keys \`
			`--with-colons "${fingerprint}" 2>&1 \`
			`\| awk -F: '$1 == "uid" {print $10}' \`
			`\| head -n1 \`
			`)`
almost fully working group/min support 2020-11-13 22:40:49 +00:00
			`[[ "${seen_fingerprints}" == "${fingerprint}" ]] \`
			`&& die "Duplicate signature: ${sig_filename}";`

			`[ ! -z "$group_config" ] \`
			`&& [[ "${group_config}" != "${fingerprint}" ]] \`
			`&& die "Signature not in group \"${group}\": ${sig_filename}";`

initial commit 2020-11-12 22:56:38 +00:00			`echo "Verified signature by \"${signer}\""`
almost fully working group/min support 2020-11-13 22:40:49 +00:00
initial commit 2020-11-12 22:56:38 +00:00			`seen_fingerprints="${seen_fingerprints} ${fingerprint}"`
			`((sig_count=sig_count+1))`
			`done`
			`[[ "$sig_count" -ge "$threshold" ]] \|\| {`
			`echo "Minimum number of signatures not met: ${sig_count}/${threshold}";`
			`exit 1;`
			`}`
			`}`

			`cmd_verify() {`
almost fully working group/min support 2020-11-13 22:40:49 +00:00			`local opts selected_line min=1 group=""`
			`opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"`
			`local err=$?`
			`eval set -- "$opts"`
			`while true; do case $1 in`
			`-m\|--min) min="$2"; shift 2 ;;`
			`-g\|--group) group="$2"; shift 2 ;;`
			`--) shift; break ;;`
			`esac done`

add todos 2020-11-13 03:39:11 +00:00			`#TODO: if git: show git signature status to aid in trust building`
			`#TODO: if git and if invalid: show diff against last valid version`
working sign/verify 2020-11-13 02:31:26 +00:00			`( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \`
			`\|\| die "Error: No signatures"`
initial commit 2020-11-12 22:56:38 +00:00			`cmd_manifest`
almost fully working group/min support 2020-11-13 22:40:49 +00:00			`verify_file "${min}" "${group}" .${PROGRAM}/manifest.txt`
initial commit 2020-11-12 22:56:38 +00:00			`}`

rename to sig 2020-11-13 02:47:11 +00:00			`cmd_add(){`
working sign/verify 2020-11-13 02:31:26 +00:00			`cmd_manifest`
			`gpg --armor --detach-sig .${PROGRAM}/manifest.txt`
			`local fingerprint=$( \`
			`gpg --list-packets .${PROGRAM}/manifest.txt.asc \`
			`\| grep "issuer key ID" \`
			`\| sed 's/.\([A-Z0-9]\{16\}\)./\1/g' \`
			`)`
			`mv .${PROGRAM}/manifest.{"txt.asc","${fingerprint}.asc"}`
			`}`

initial commit 2020-11-12 22:56:38 +00:00			`cmd_version() {`
			`cat <<-_EOF`
almost fully working group/min support 2020-11-13 22:40:49 +00:00			`==========================================`
			`= sig: simple multisig trust toolchain =`
			`= =`
			`= v0.0.1 =`
			`= =`
			`= https://gitlab.com/pchq/sig =`
			`==========================================`
initial commit 2020-11-12 22:56:38 +00:00			`_EOF`
			`}`

			`cmd_usage() {`
			`cmd_version`
			`cat <<-_EOF`
			`Usage:`
almost fully working group/min support 2020-11-13 22:40:49 +00:00			`$PROGRAM verify [--group=<group>,-g <group>] [--min=<N>,-m <N>]`
initial commit 2020-11-12 22:56:38 +00:00			`Verify all signing policies for this directory are met`
rename to sig 2020-11-13 02:47:11 +00:00			`$PROGRAM add`
initial commit 2020-11-12 22:56:38 +00:00			`Add signature to manifest for this directory`
working sign/verify 2020-11-13 02:31:26 +00:00			`$PROGRAM manifest`
			`Generate hash manifest for this directory`
initial commit 2020-11-12 22:56:38 +00:00			`$PROGRAM help`
			`Show this text.`
			`$PROGRAM version`
			`Show version information.`
			`_EOF`
			`}`

almost fully working group/min support 2020-11-13 22:40:49 +00:00			`check_tools head cut find sort sed gpg openssl getopt`
rename to sig 2020-11-13 02:47:11 +00:00
initial commit 2020-11-12 22:56:38 +00:00			`PROGRAM="${0##*/}"`
			`COMMAND="$1"`

			`case "$1" in`
tabs/spacing 2020-11-12 22:59:26 +00:00			`verify) shift; cmd_verify "$@" ;;`
rename to sig 2020-11-13 02:47:11 +00:00			`add) shift; cmd_add "$@" ;;`
working sign/verify 2020-11-13 02:31:26 +00:00			`manifest) shift; cmd_manifest "$@" ;;`
tabs/spacing 2020-11-12 22:59:26 +00:00			`version\|--version) shift; cmd_version "$@" ;;`
			`help\|--help) shift; cmd_usage "$@" ;;`
			`*) cmd_usage "$@" ;;`
initial commit 2020-11-12 22:56:38 +00:00			`esac`
			`exit 0`