18 Commits

Author SHA1 Message Date
tlimoncelli@stackexchange.com
8d1d09b454 Remove irrelevant error check 2015-03-04 18:23:12 -05:00
Tom Limoncelli
d7a3c791e9 Merge pull request #49 from law/master
adding rudimentary debian package building support
2015-03-04 16:18:34 -05:00
tlimoncelli@stackexchange.com
f505eb96dc Merge branch 'Gnouc-master' 2015-03-04 15:27:56 -05:00
LE Manh Cuong
19532b82d5 Issue 50:
- Fix forgetting unquotes command substitution in function vcs_relative_path.
 - Using old test instead of new test in Makefile.
 - Fix some variables for Bob in "confidence_test.sh".
2015-03-03 09:31:09 +07:00
Lee Whalen
6e32500adc Mangling Makefile to make better sense - generates .deb inputfile list from the RPM list, and does so for each run of 'make packages-deb' 2015-03-01 14:58:09 -08:00
Lee Whalen
2591c768e7 Fixing issues with Makefile per PR feedback 2015-03-01 14:37:07 -08:00
Lee Whalen
b183931cf5 adding rudimentary debian package building support 2015-02-28 20:44:28 -08:00
tlimoncelli@stackexchange.com
9c9691c5d6 BUG: "make confidence" should work on Mac OS X 2015-02-28 08:18:26 -06:00
tlimoncelli@stackexchange.com
a9562e73d6 "make confidence" should work on mac (partial implementation) 2015-02-28 07:58:30 -06:00
Tom Limoncelli
5baec75e4b Merge pull request #47 from Gnouc/master
Fix many bugs for unquote variables.
2015-02-28 07:56:57 -06:00
LE Manh Cuong
5428aed2d7 Fix many bugs for unquote variables. 2015-02-27 01:09:59 +07:00
Tom Limoncelli
971b6bf63a Merge pull request #45 from unixorn/add-antigen-zgen-instructions
Add antigen and zgen instructions
2015-02-24 14:33:38 -05:00
Joe Block
f8016871f5 Add antigen and zgen instructions 2015-02-24 11:27:13 -08:00
Tom Limoncelli
65d11ff6d5 Merge pull request #44 from jpluscplusm/patch-1
Fix typo in Readme
2015-02-24 11:45:35 -05:00
JCM
d380b43ab7 Fix typo in Readme 2015-02-24 16:29:11 +00:00
tlimoncelli@stackexchange.com
d6fc4b1dac NEWS: Blackbox is now available via MacPorts! 2015-02-24 11:06:57 -05:00
tlimoncelli@stackexchange.com
b8881d7bff Refine the upgrade procedure 2015-02-22 13:31:27 -05:00
tlimoncelli@stackexchange.com
19facd35da Better MacPorts release flow. 2015-02-22 11:25:42 -05:00
22 changed files with 379 additions and 68 deletions


@@ -5,6 +5,7 @@ PKGNAME=stack_blackbox
all: all:
@echo 'Menu:' @echo 'Menu:'
@echo ' make packages Make RPM packages' @echo ' make packages Make RPM packages'
@echo ' make packages-deb Make DEB packages'
@echo ' make install (incomplete)' @echo ' make install (incomplete)'
install: install:
@@ -24,13 +25,12 @@ packages: packages-rpm
tools/mk_macports.vcs_blackbox.txt: tools/mk_rpm_fpmdir.stack_blackbox.txt tools/mk_macports.vcs_blackbox.txt: tools/mk_rpm_fpmdir.stack_blackbox.txt
sed -e 's@/usr/blackbox/bin/@bin/@g' -e '/profile.d-usrblackbox.sh/d' <tools/mk_rpm_fpmdir.stack_blackbox.txt >$@ sed -e 's@/usr/blackbox/bin/@bin/@g' -e '/profile.d-usrblackbox.sh/d' <tools/mk_rpm_fpmdir.stack_blackbox.txt >$@
check-destdir: # Make mk_deb_fpmdir.vcs_blackbox.txt from mk_rpm_fpmdir.stack_blackbox.txt:
ifndef DESTDIR tools/mk_deb_fpmdir.stack_blackbox.txt: tools/mk_rpm_fpmdir.stack_blackbox.txt
$(error DESTDIR is undefined) sed -e 's@/usr/blackbox/bin/@/usr/bin/@g' -e '/profile.d-usrblackbox.sh/d' <tools/mk_deb_fpmdir.stack_blackbox.txt >$@
endif
# MacPorts expects to run: make packages-macports DESTDIR=${destroot} # MacPorts expects to run: make packages-macports DESTDIR=${destroot}
packages-macports: tools/mk_macports.vcs_blackbox.txt check-destdir packages-macports: tools/mk_macports.vcs_blackbox.txt
mkdir -p $(DESTDIR)/bin mkdir -p $(DESTDIR)/bin
cd tools && ./mk_macports mk_macports.vcs_blackbox.txt cd tools && ./mk_macports mk_macports.vcs_blackbox.txt
@@ -60,16 +60,35 @@ lock-rpm:
unlock-rpm: unlock-rpm:
sudo yum versionlock clear sudo yum versionlock clear
#
# DEB builds
#
packages-deb: tools/mk_deb_fpmdir.stack_blackbox.txt
cd tools && PKGRELEASE="$${PKGRELEASE}" PKGDESCRIPTION="Safely store secrets in git/hg/svn repos using GPG encryption" ./mk_deb_fpmdir stack_blackbox mk_deb_fpmdir.stack_blackbox.txt
packages-deb-debug: tools/mk_deb_fpmdir.stack_blackbox.txt
@echo BUILD:
@PKGRELEASE=99 make packages-deb
@echo ITEMS TO BE PACKAGED:
find ~/debbuild-$(PKGNAME)/installroot -type f
@echo ITEMS ACTUALLY IN PACKAGE:
@dpkg --contents $$(cat ~/debbuild-$(PKGNAME)/bin-packages.txt)
local-deb:
@PKGRELEASE=1 make packages
-@sudo dpkg -e $(PKGNAME)
sudo dpkg -i $$(cat ~/rpmbuild-$(PKGNAME)/bin-packages.txt)
# Add other package types here. # Add other package types here.
# #
# System Test: # System Test:
# #
confidence: confidence:
@if [[ -e ~/.gnupg ]]; then echo ERROR: '~/.gnupg should not exist. If it does, bugs may polute your .gnupg configuration. If the code has no bugs everything will be fine. Do you feel lucky?'; false ; fi @if [ -e ~/.gnupg ]; then echo ERROR: '~/.gnupg should not exist. If it does, bugs may polute your .gnupg configuration. If the code has no bugs everything will be fine. Do you feel lucky?'; false ; fi
@if which >/dev/null gpg-agent ; then pkill gpg-agent ; rm -rf /tmp/tmp.* ; fi @if which >/dev/null gpg-agent ; then pkill gpg-agent ; rm -rf /tmp/tmp.* ; fi
@export PATH=~/gitwork/blackbox/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin ; @export PATH=~/gitwork/blackbox/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/local/bin ; tools/confidence_test.sh
cd ~/gitwork/blackbox && tools/confidence_test.sh cd ~/gitwork/blackbox && tools/confidence_test.sh
@if which >/dev/null gpg-agent ; then pkill gpg-agent ; fi @if which >/dev/null gpg-agent ; then pkill gpg-agent ; fi
@if [[ -e ~/.gnupg ]]; then echo ERROR: '~/.gnupg was created which means the scripts might be poluting GnuPG configuration. Fix this bug.'; false ; fi @if [ -e ~/.gnupg ]; then echo ERROR: '~/.gnupg was created which means the scripts might be poluting GnuPG configuration. Fix this bug.'; false ; fi
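Review bot: The new `tools/mk_deb_fpmdir.stack_blackbox.txt` rule reads its own target as input (`<tools/mk_deb_fpmdir.stack_blackbox.txt >$@`), so the shell truncates the file before sed reads it and the manifest is rewritten empty whenever the rule fires; it should read the prerequisite as the macports rule above it does, `sed -e 's@/usr/blackbox/bin/@/usr/bin/@g' -e '/profile.d-usrblackbox.sh/d' <$< >$@`. `local-deb` looks copy-pasted from the RPM variant: it runs `make packages` (the RPM target) and installs from `~/rpmbuild-$(PKGNAME)/bin-packages.txt`, and `dpkg -e` extracts control data rather than removing a package (`dpkg -r` does that). Recipes that re-invoke make (`packages-deb-debug`, `local-deb`) should use `$(MAKE)` so `-n` and the jobserver propagate. With `check-destdir` gone, `packages-macports` run without DESTDIR now does `mkdir -p /bin` and installs there; if the separate target is intentionally removed, a first recipe line `@$(if $(strip $(DESTDIR)),,$(error DESTDIR must be set))` keeps the safety net.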


@@ -74,6 +74,16 @@ exception of a few specific files, is key to the kind of
collaboration that DevOps and modern IT practitioniers collaboration that DevOps and modern IT practitioniers
need to do. need to do.
Installation Instructions:
==========================
* *The RPM way*: `make packages-rpm` and now you have an RPM you can install.
* *The MacPorts Way*: `sudo port install vcs_blackbox`
* *The hard way*: Copy all the files in "bin" to your "bin".
* *The Antigen Way*: Add `antigen bundle StackExchange/blackbox` to your .zshrc
* *The Zgen Way*: Add `zgen load StackExchange/blackbox` to your .zshrc where you're loading your other plugins.
Commands: Commands:
============================ ============================
@@ -90,7 +100,7 @@ Commands:
| `blackbox_register_new_file` | Encrypt a file for the first time | | `blackbox_register_new_file` | Encrypt a file for the first time |
| `blackbox_removeadmin` | Remove someone from the list of people that can encrypt/decrypt secrets | | `blackbox_removeadmin` | Remove someone from the list of people that can encrypt/decrypt secrets |
| `blackbox_shred_all_files` | Safely delete any decrypted files | | `blackbox_shred_all_files` | Safely delete any decrypted files |
| `blackbox_update_all_file` | Decrypt then re-encrypt all files. Useful after keys are changed | | `blackbox_update_all_files` | Decrypt then re-encrypt all files. Useful after keys are changed |
Compatibility: Compatibility:
============================ ============================


@@ -43,3 +43,77 @@ R="v1.$(date +%Y%m%d)"
git tag "$R" git tag "$R"
git push origin tag "$R" git push origin tag "$R"
``` ```
# Updating MacPorts (automatic)
Step 1: Generate the Portfile
```
tools/macports_report_upgrade.sh 1.20150222
```
This script will generate a file called `Portfile-vcs_blackbox.diff` and instructions on how to submit it as a update request.
Step 2: Submit the update request.
Submit the diff file as a bug as instructed. The instructions should look like this:
* PLEASE OPEN A TICKET WITH THIS INFORMATION:
https://trac.macports.org/newticket
* Summary: `vcs_blackbox @1.20150222 Update to latest upstream`
* Description: ```New upstream of vcs_blackbox.
github.setup and checksums updated.```
* Type: `update`
* Component: `ports`
* Port: `vcs_blackbox`
* Keywords: `maintainer`
* Attach this file: `Portfile-vcs_blackbox.diff`
Step 3: Watch for the update to happen.
# Updating MacPorts (manual)
This is the old, manual, procedure. If the automated procedure work, these notes may or may not be helpful.
The ultimate result of the script should be a `diff -u Portfile.orig Portfile`. The new `Portfile` should have these changes:
1. The `github.setup` line should have a new version number.
2. The `checksums` line(s) should have updated checksums.
How to generate the checksums?
The easiest way is to to make a Portfile with incorrect checksums, then run `sudo port -v checksum vcs_blackbox` to see what they should have been. Fix the file, and try again.
When the the checksum command works, run `port lint vcs_blackbox` and make sure it has no errors.
Some useful commands:
Change repos in sources.conf:
```
sudo vi /opt/local/etc/macports/sources.conf
Add this line early in the file:
file:///var/tmp/ports
```
Add a local repo in an automated manner:
```
fgrep >/dev/null -x 'file:///var/tmp/ports' /opt/local/etc/macports/sources.conf || sudo sed -i -e '1s@^@file:///var/tmp/ports\'$'\n@' /opt/local/etc/macports/sources.conf
```
Remove the local repo in an automated manner:
```
sudo sed -i -e '\@^file:///var/tmp/ports@d' /opt/local/etc/macports/sources.conf
```
Test a Portfile:
```
sudo port uninstall vcs_blackbox
sudo port clean --all vcs_blackbox
rm -rf ~/.macports/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/vcs_blackbox/
rm -rf /var/tmp/ports
mkdir -p /var/tmp/ports/security/vcs_blackbox
cp Portfile /var/tmp/ports/security/vcs_blackbox
cd /var/tmp/ports && portindex
sudo port -v checksum vcs_blackbox
sudo port install vcs_blackbox
```


@@ -10,13 +10,13 @@
# . _blackbox_common.sh # . _blackbox_common.sh
# Where in the VCS repo should the blackbox data be found? # Where in the VCS repo should the blackbox data be found?
: ${BLACKBOXDATA:=keyrings/live} ; # If BLACKBOXDATA not set, set it. : "${BLACKBOXDATA:=keyrings/live}" ; # If BLACKBOXDATA not set, set it.
# If $EDITOR is not set, set it to "vi": # If $EDITOR is not set, set it to "vi":
: ${EDITOR:=vi} ; : "${EDITOR:=vi}" ;
# Outputs a string that is the base directory of this VCS repo. # Outputs a string that is the base directory of this VCS repo.
# By side-effect, sets the variable VCS_TYPE to either 'git', 'hg', # By side-effect, sets the variable VCS_TYPE to either 'git', 'hg',
# 'svn' or 'unknown'. # 'svn' or 'unknown'.
@@ -27,19 +27,19 @@ function _determine_vcs_base_and_type() {
#find topmost dir with .svn sub-dir #find topmost dir with .svn sub-dir
parent="" parent=""
grandparent="." grandparent="."
mydir=`pwd` mydir=$(pwd)
while [ -d "$grandparent/.svn" ]; do while [ -d "$grandparent/.svn" ]; do
parent=$grandparent parent=$grandparent
grandparent="$parent/.." grandparent="$parent/.."
done done
if [ ! -z "$parent" ]; then if [ ! -z "$parent" ]; then
cd $parent cd "$parent"
echo `pwd` echo "$(pwd)"
else else
exit 1 exit 1
fi fi
cd $mydir cd "$mydir"
VCS_TYPE=svn VCS_TYPE=svn
elif hg root 2>/dev/null ; then elif hg root 2>/dev/null ; then
# NOTE: hg has to be tested last because it always "succeeds". # NOTE: hg has to be tested last because it always "succeeds".
@@ -61,7 +61,7 @@ BB_FILES_FILE="blackbox-files.txt"
BB_FILES="${KEYRINGDIR}/${BB_FILES_FILE}" BB_FILES="${KEYRINGDIR}/${BB_FILES_FILE}"
SECRING="${KEYRINGDIR}/secring.gpg" SECRING="${KEYRINGDIR}/secring.gpg"
PUBRING="${KEYRINGDIR}/pubring.gpg" PUBRING="${KEYRINGDIR}/pubring.gpg"
: ${DECRYPT_UMASK:=0022} ; : "${DECRYPT_UMASK:=0022}" ;
# : ${DECRYPT_UMASK:=o=} ; # : ${DECRYPT_UMASK:=o=} ;
# Return error if not on cryptlist. # Return error if not on cryptlist.
@@ -184,9 +184,9 @@ function decrypt_file() {
echo "========== EXTRACTING $unencrypted" echo "========== EXTRACTING $unencrypted"
old_umask=$(umask) old_umask=$(umask)
umask $DECRYPT_UMASK umask "$DECRYPT_UMASK"
gpg -q --decrypt -o "$unencrypted" "$encrypted" gpg -q --decrypt -o "$unencrypted" "$encrypted"
umask $old_umask umask "$old_umask"
} }
# Decrypt .gpg file, overwriting unencrypted file if it exists. # Decrypt .gpg file, overwriting unencrypted file if it exists.
@@ -206,12 +206,12 @@ function decrypt_file_overwrite() {
fi fi
old_umask=$(umask) old_umask=$(umask)
umask $DECRYPT_UMASK umask "$DECRYPT_UMASK"
gpg --yes -q --decrypt -o "$unencrypted" "$encrypted" gpg --yes -q --decrypt -o "$unencrypted" "$encrypted"
umask $old_umask umask "$old_umask"
new_hash=$(md5sum_file "$unencrypted") new_hash=$(md5sum_file "$unencrypted")
if [[ $old_hash != $new_hash ]]; then if [[ "$old_hash" != "$new_hash" ]]; then
echo "========== EXTRACTED $unencrypted" echo "========== EXTRACTED $unencrypted"
fi fi
} }
@@ -250,8 +250,8 @@ function enumerate_subdirs() {
while read filename; do while read filename; do
dir=$(dirname "$filename") dir=$(dirname "$filename")
while [[ $dir != '.' && $dir != '/' ]]; do while [[ $dir != '.' && $dir != '/' ]]; do
echo $dir echo "$dir"
dir=$(dirname $dir) dir=$(dirname "$dir")
done done
done <"$listfile" | sort -u done <"$listfile" | sort -u
} }
@@ -260,7 +260,7 @@ function enumerate_subdirs() {
function vcs_relative_path() { function vcs_relative_path() {
# Usage: vcs_relative_path file # Usage: vcs_relative_path file
local name="$1" local name="$1"
python -c 'import os ; print(os.path.relpath("'$(pwd -P)'/'"$name"'", "'"$REPOBASE"'"))' python -c 'import os ; print(os.path.relpath("'"$(pwd -P)"'/'"$name"'", "'"$REPOBASE"'"))'
} }
# #
@@ -338,7 +338,7 @@ function is_in_svn() {
echo true echo true
else else
echo false echo false
fi fi
} }
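Review bot: `vcs_relative_path` still builds the Python program by splicing `$(pwd -P)`, `$name` and `$REPOBASE` into the quoted source text, so a path containing a double quote or backslash breaks the expression or changes what the interpreter executes; the added quoting on that line only fixes word splitting. Passing the values as arguments keeps them out of the code: `python -c 'import os, sys; print(os.path.relpath(sys.argv[1] + "/" + sys.argv[2], sys.argv[3]))' "$(pwd -P)" "$name" "$REPOBASE"`. The remaining hunks in this file are quoting-only changes and look correct.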


@@ -79,7 +79,7 @@ function make_tempdir() {
case $(uname -s) in case $(uname -s) in
Darwin ) Darwin )
: ${TMPDIR:=/tmp} ; : "${TMPDIR:=/tmp}" ;
name=$(mktemp -d -t _stacklib_ ) name=$(mktemp -d -t _stacklib_ )
;; ;;
Linux ) Linux )


@@ -16,17 +16,7 @@ source ${blackbox_home}/_stack_lib.sh
fail_if_not_in_repo fail_if_not_in_repo
KEYNAME="$1" KEYNAME="$1"
: ${KEYNAME:?ERROR: First argument must be a keyname (email address)} ; : "${KEYNAME:?ERROR: First argument must be a keyname (email address)}" ;
# The second argument, if present, is the directory to find the GPG keys to be imported.
if [[ "$2" == "" ]]; then
GPGEXPORTOPTIONS=""
else
GPGEXPORTOPTIONS=--homedir="${2}"
fi
# TODO(tlim): This could probably be done with GNUPGHOME
# but that affects all commands; we just want it to affect the key export.
# Add the email address to the BB_ADMINS file. Remove any duplicates. # Add the email address to the BB_ADMINS file. Remove any duplicates.
# The file must exist for sort to act as we expect. # The file must exist for sort to act as we expect.
@@ -38,7 +28,16 @@ sort -fdu -o "$BB_ADMINS" <(echo "$1") "$BB_ADMINS"
# Extract it: # Extract it:
make_self_deleting_tempfile pubkeyfile make_self_deleting_tempfile pubkeyfile
gpg $GPGEXPORTOPTIONS --export -a "$KEYNAME" >"$pubkeyfile"
# The second argument, if present, is the directory to find the GPG keys to be imported.
if [[ -z $2 ]]; then
gpg --export -a "$KEYNAME" >"$pubkeyfile"
else
# TODO(tlim): This could probably be done with GNUPGHOME
# but that affects all commands; we just want it to affect the key export.
gpg --homedir="$2" --export -a "$KEYNAME" >"$pubkeyfile"
fi
if [[ $(wc -l < "$pubkeyfile") = 0 ]]; then if [[ $(wc -l < "$pubkeyfile") = 0 ]]; then
fail_out "GPG key '$KEYNAME' not found. Please create it with: gpg --gen-key" fail_out "GPG key '$KEYNAME' not found. Please create it with: gpg --gen-key"
exit 1 exit 1


@@ -5,7 +5,7 @@
# #
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
for param in """$@""" ; do for param in """$@""" ; do
shreddable=0 shreddable=0


@@ -5,7 +5,7 @@
# #
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
for param in """$@""" ; do for param in """$@""" ; do
unencrypted_file=$(get_unencrypted_filename "$param") unencrypted_file=$(get_unencrypted_filename "$param")
@@ -22,6 +22,6 @@ for param in """$@""" ; do
esac esac
fi fi
blackbox_edit_start "$param" blackbox_edit_start "$param"
$EDITOR $(get_unencrypted_filename $param) "$EDITOR" "$(get_unencrypted_filename "$param")"
blackbox_edit_end "$param" blackbox_edit_end "$param"
done done
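Review bot: Quoting `"$EDITOR"` on the edit line is a behaviour change: an editor configured with options (`EDITOR="emacs -nw"`, `EDITOR="code --wait"`) is now looked up as a single command name and fails with "command not found". The filename argument should stay quoted, but `$EDITOR` itself relies on word splitting; I would write `$EDITOR "$(get_unencrypted_filename "$param")"` preceded by `# $EDITOR is intentionally unquoted: it may contain options (e.g. "emacs -nw").`. The loop header `for param in """$@"""` (context, not changed here) also appears to yield one empty argument when no files are given, which is worth a look in the same pass.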


@@ -6,7 +6,7 @@
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
unencrypted_file=$(get_unencrypted_filename "$1") unencrypted_file=$(get_unencrypted_filename "$1")
encrypted_file=$(get_encrypted_filename "$1") encrypted_file=$(get_encrypted_filename "$1")


@@ -6,7 +6,7 @@
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
for param in """$@""" ; do for param in """$@""" ; do
unencrypted_file=$(get_unencrypted_filename "$param") unencrypted_file=$(get_unencrypted_filename "$param")


@@ -10,7 +10,7 @@
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
_determine_vcs_base_and_type # Sets VCS_TYPE _determine_vcs_base_and_type # Sets VCS_TYPE


@@ -5,5 +5,5 @@
# #
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
cat "$BB_FILES" cat "$BB_FILES"


@@ -15,7 +15,7 @@ export PATH=/usr/bin:/bin:"$PATH"
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
if [[ "$1" == "" ]]; then if [[ "$1" == "" ]]; then
FILE_GROUP="" FILE_GROUP=""
@@ -33,7 +33,7 @@ while IFS= read <&99 -r unencrypted_file; do
decrypt_file_overwrite "$encrypted_file" "$unencrypted_file" decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"
chmod g+r "$unencrypted_file" chmod g+r "$unencrypted_file"
if [[ ! -z "$FILE_GROUP" ]]; then if [[ ! -z "$FILE_GROUP" ]]; then
chgrp $FILE_GROUP "$unencrypted_file" chgrp "$FILE_GROUP" "$unencrypted_file"
fi fi
done 99<"$BB_FILES" done 99<"$BB_FILES"
echo '========== Decrypting new/changed files: DONE' echo '========== Decrypting new/changed files: DONE'


@@ -12,13 +12,13 @@
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
_determine_vcs_base_and_type _determine_vcs_base_and_type
unencrypted_file=$(get_unencrypted_filename "$1") unencrypted_file=$(get_unencrypted_filename "$1")
encrypted_file=$(get_encrypted_filename "$1") encrypted_file=$(get_encrypted_filename "$1")
if [[ $1 == $encrypted_file ]]; then if [[ "$1" == "$encrypted_file" ]]; then
echo ERROR: Please only register unencrypted files. echo ERROR: Please only register unencrypted files.
exit 1 exit 1
fi fi
@@ -34,13 +34,13 @@ encrypt_file "$unencrypted_file" "$encrypted_file"
add_filename_to_cryptlist "$unencrypted_file" add_filename_to_cryptlist "$unencrypted_file"
# Is the unencrypted file already in HG? (ie. are we correcting a bad situation) # Is the unencrypted file already in HG? (ie. are we correcting a bad situation)
SECRETSEXPOSED=$(is_in_vcs ${unencrypted_file}) SECRETSEXPOSED=$(is_in_vcs "${unencrypted_file}")
echo "========== CREATED: ${encrypted_file}" echo "========== CREATED: ${encrypted_file}"
echo "========== UPDATING REPO:" echo "========== UPDATING REPO:"
shred_file "$unencrypted_file" shred_file "$unencrypted_file"
VCSCMD=$(which_vcs) VCSCMD=$(which_vcs)
if $SECRETSEXPOSED ; then if "$SECRETSEXPOSED" ; then
vcs_remove "$unencrypted_file" vcs_remove "$unencrypted_file"
vcs_add "$encrypted_file" vcs_add "$encrypted_file"
COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file" COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"
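Review bot: `if "$SECRETSEXPOSED" ; then` executes the variable's contents as a command, so it only works because `is_in_vcs` prints the literal words `true` or `false`; any other output (an error message, or an empty string if the helper fails) is run as a command name. Comparing the value is clearer and does not execute data: `if [[ "$SECRETSEXPOSED" == true ]]; then`. The same construct appears in blackbox_update_all_files (`if "$need_warning" ; then`) and would benefit from the same change.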


@@ -11,13 +11,13 @@
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
source ${blackbox_home}/_stack_lib.sh source "${blackbox_home}/_stack_lib.sh"
fail_if_not_in_repo fail_if_not_in_repo
KEYNAME="$1" KEYNAME="$1"
: ${KEYNAME:?ERROR: First argument must be a keyname (email address)} ; : "${KEYNAME:?ERROR: First argument must be a keyname (email address)}" ;
# Remove the email address from the BB_ADMINS file. # Remove the email address from the BB_ADMINS file.
make_self_deleting_tempfile bbtemp make_self_deleting_tempfile bbtemp


@@ -17,7 +17,7 @@
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
change_to_root change_to_root


@@ -6,7 +6,7 @@
set -e set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh source "${blackbox_home}/_blackbox_common.sh"
if [[ -z $GPG_AGENT_INFO ]]; then if [[ -z $GPG_AGENT_INFO ]]; then
echo 'WARNING: You probably want to run gpg-agent as' echo 'WARNING: You probably want to run gpg-agent as'
@@ -31,7 +31,7 @@ for i in $(<"$BB_FILES") ; do
echo " $unencrypted_file" echo " $unencrypted_file"
fi fi
done done
if $need_warning ; then if "$need_warning" ; then
echo echo
echo 'WARNING: This will overwrite any unencrypted files laying about.' echo 'WARNING: This will overwrite any unencrypted files laying about.'
read -r -p 'Press CTRL-C now to stop. ENTER to continue: ' read -r -p 'Press CTRL-C now to stop. ENTER to continue: '

tools/Portfile.template Normal file

@@ -0,0 +1,31 @@
# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
# $Id: Portfile 132962 2015-02-16 10:33:02Z ryandesign@macports.org $
PortSystem 1.0
PortGroup github 1.0
github.setup StackExchange blackbox @@VERSION@@ v
name vcs_blackbox
categories security
platforms darwin
maintainers whatexit.org:tal openmaintainer
license BSD
supported_archs noarch
description Safely store secrets in git/hg/svn repos using GPG encryption
long_description Storing secrets such as passwords, certificates and private keys \
in Git/Mercurial/SubVersion is dangerous. Blackbox makes it easy \
to store secrets safely using GPG encryption. They can be easily \
decrypted for editing or use in production.
checksums rmd160 @@RMD160@@ \
sha256 @@SHA256@@
use_configure no
build {}
# This project's Makefile uses DESTDIR incorrectly.
destroot.destdir DESTDIR=${destroot}${prefix}
destroot.target packages-macports


@@ -1,7 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/../bin blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/../bin
export PATH=${blackbox_home}:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin export PATH="${blackbox_home}:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/local/bin"
. _stack_lib.sh . _stack_lib.sh
@@ -15,6 +15,25 @@ function PHASE() {
echo '********************' echo '********************'
} }
function md5sum_file() {
# Portably generate the MD5 hash of file $1.
case $(uname -s) in
Darwin )
md5 -r "$1" | awk '{ print $1 }'
;;
Linux )
md5sum "$1" | awk '{ print $1 }'
;;
CYGWIN* )
md5sum "$1" | awk '{ print $1 }'
;;
* )
echo 'ERROR: Unknown OS. Exiting.'
exit 1
;;
esac
}
function assert_file_missing() { function assert_file_missing() {
if [[ -e "$1" ]]; then if [[ -e "$1" ]]; then
echo "ASSERT FAILED: ${1} should not exist." echo "ASSERT FAILED: ${1} should not exist."
@@ -36,7 +55,7 @@ function assert_file_md5hash() {
local file="$1" local file="$1"
local wanted="$2" local wanted="$2"
assert_file_exists "$file" assert_file_exists "$file"
local found=$(md5sum <"$file" | cut -d' ' -f1 ) local found=$(md5sum_file "$file")
if [[ "$wanted" != "$found" ]]; then if [[ "$wanted" != "$found" ]]; then
echo "ASSERT FAILED: $file hash wanted=$wanted found=$found" echo "ASSERT FAILED: $file hash wanted=$wanted found=$found"
exit 1 exit 1
@@ -54,7 +73,7 @@ function assert_file_group() {
;; ;;
esac esac
local found=$(ls -l "$file" | awk '{ print $4 }') local found=$(ls -lg "$file" | awk '{ print $3 }')
# NB(tlim): We could do this with 'stat' but it would break on BSD-style OSs. # NB(tlim): We could do this with 'stat' but it would break on BSD-style OSs.
if [[ "$wanted" != "$found" ]]; then if [[ "$wanted" != "$found" ]]; then
echo "ASSERT FAILED: $file chgrp wanted=$wanted found=$found" echo "ASSERT FAILED: $file chgrp wanted=$wanted found=$found"
@@ -96,7 +115,7 @@ eval $(gpg-agent --homedir "$fake_alice_home" --daemon)
GPG_AGENT_INFO_ALICE="$GPG_AGENT_INFO" GPG_AGENT_INFO_ALICE="$GPG_AGENT_INFO"
export GNUPGHOME="$fake_bob_home" export GNUPGHOME="$fake_bob_home"
eval $(gpg-agent --homedir "$fake_alice_home" --daemon) eval $(gpg-agent --homedir "$fake_bob_home" --daemon)
GPG_AGENT_INFO_BOB="$GPG_AGENT_INFO" GPG_AGENT_INFO_BOB="$GPG_AGENT_INFO"
function become_alice() { function become_alice() {
@@ -108,8 +127,8 @@ function become_alice() {
} }
function become_bob() { function become_bob() {
export GNUPGHOME="$fake_alice_home" export GNUPGHOME="$fake_bob_home"
export GPG_AGENT_INFO="$GPG_AGENT_INFO_ALICE" export GPG_AGENT_INFO="$GPG_AGENT_INFO_BOB"
git config --global user.name "Bob Example" git config --global user.name "Bob Example"
git config --global user.email bob@example.com git config --global user.email bob@example.com
} }
@@ -217,12 +236,14 @@ PHASE 'Bob makes sure he has all new keys.'
gpg --import keyrings/live/pubring.gpg gpg --import keyrings/live/pubring.gpg
# Pick a GID to use: # Pick a GID to use:
# This users's default group:
DEFAULT_GID_NAME=$(id -gn)
# Pick a group that is not the default group:
TEST_GID_NUM=$(id -G | fmt -1 | tail -n +2 | grep -xv $(id -u) | head -n 1) TEST_GID_NUM=$(id -G | fmt -1 | tail -n +2 | grep -xv $(id -u) | head -n 1)
TEST_GID_NAME=$(getent group "$TEST_GID_NUM" | cut -d: -f1) TEST_GID_NAME=$(python -c 'import grp; print grp.getgrgid('"$TEST_GID_NUM"').gr_name')
DEFAULT_GID_NAME=$(getent group $(id -u) | cut -d: -f1) echo DEFAULT_GID_NAME=$DEFAULT_GID_NAME
echo TEST_GID_NUM=$TEST_GID_NUM echo TEST_GID_NUM=$TEST_GID_NUM
echo TEST_GID_NAME=$TEST_GID_NAME echo TEST_GID_NAME=$TEST_GID_NAME
echo DEFAULT_GID_NAME=$DEFAULT_GID_NAME
PHASE 'Bob postdeploys... default.' PHASE 'Bob postdeploys... default.'
blackbox_postdeploy blackbox_postdeploy
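Review bot: The new `TEST_GID_NAME` line uses a Python 2 `print` statement and splices `$TEST_GID_NUM` into the program text, so it fails outright where `python` is Python 3 and produces a syntax error instead of a clear message if the preceding pipeline yields an empty value. A version-neutral form that passes the value as an argument: `TEST_GID_NAME=$(python -c 'import grp, sys; print(grp.getgrgid(int(sys.argv[1])).gr_name)' "$TEST_GID_NUM")`. On the context line above it, `grep -xv $(id -u)` looks as if it was meant to exclude the primary group with `id -g` rather than the uid — worth confirming while touching this block.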


@@ -0,0 +1,67 @@
#!/usr/bin/env bash
# Turn the Portfile.template into a Portfile.
# Usage:
# mk_portfile.sh TEMPLATE OUTPUTFILE VERSION
set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/../bin/_stack_lib.sh
TEMPLATEFILE=tools/Portfile.template
OUTPUTFILE=Portfile
PORTVERSION=${1?"Arg 1 must be a version number like 1.20150222 (with no v)"} ; shift
# Add the version number to the template.
sed <"$TEMPLATEFILE" >"$OUTPUTFILE" -e 's/@@VERSION@@/'"$PORTVERSION"'/g'
# Test it. Record the failure in $checksumout
fgrep >/dev/null -x 'file:///var/tmp/ports' /opt/local/etc/macports/sources.conf || sudo sed -i -e '1s@^@file:///var/tmp/ports\'$'\n@' /opt/local/etc/macports/sources.conf
rm -rf /var/tmp/ports
mkdir -p /var/tmp/ports/security/vcs_blackbox
cp Portfile /var/tmp/ports/security/vcs_blackbox
( cd /var/tmp/ports && sudo portindex )
make_self_deleting_tempfile checksumout
set +e
sudo port -v checksum vcs_blackbox > "$checksumout" 2>/dev/null
ret=$?
# If it failed, grab the checksums. Then re-process the template with them.
if [[ $ret != 0 ]]; then
RMD160=$(awk <"$checksumout" '/^Distfile checksum: .*rmd160/ { print $NF }')
SHA256=$(awk <"$checksumout" '/^Distfile checksum: .*sha256/ { print $NF }')
echo RMD160=$RMD160
echo SHA256=$SHA256
echo
if [[ $RMD160 != '' && $SHA256 != '' ]]; then
sed <"$TEMPLATEFILE" >"$OUTPUTFILE" -e 's/@@VERSION@@/'"$PORTVERSION"'/g' -e 's/@@RMD160@@/'"$RMD160"'/g' -e 's/@@SHA256@@/'"$SHA256"'/g'
cp Portfile /var/tmp/ports/security/vcs_blackbox
( cd /var/tmp/ports && sudo portindex )
sudo port -v checksum vcs_blackbox
fi
fi
# Generate the diff
cp /opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/vcs_blackbox/Portfile /var/tmp/ports/security/vcs_blackbox/Portfile.orig
( cd /var/tmp/ports/security/vcs_blackbox && diff -u Portfile.orig Portfile ) > Portfile-vcs_blackbox.diff
open -R Portfile-vcs_blackbox.diff
echo
echo 'portfile is in:'
echo ' /var/tmp/ports/security/vcs_blackbox/Portfile'
echo 'cleanup:'
echo ' sudo vi /opt/local/etc/macports/sources.conf'
echo "
PLEASE OPEN A TICKET WITH THIS INFORMATION:
https://trac.macports.org/newticket
Summary: vcs_blackbox @$PORTVERSION Update to latest upstream
Description:
New upstream of vcs_blackbox.
github.setup and checksums updated.
Type: update
Component: ports
Port: vcs_blackbox
Keywords: maintainer
"
echo 'Attach: Portfile-vcs_blackbox.diff'
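Review bot: The checksums written into the Portfile are taken from whatever distfile `sudo port -v checksum` just downloaded (the two awk lines after it), so they attest to that particular download rather than to the release you tagged; a wrong or tampered fetch at that moment would be enshrined as the expected value. Before submitting, cross-check the sha256 against an archive generated locally from the tag and note that expectation in the header comment. On macOS, `sed -i -e …` treats `-e` as the backup suffix, so the line that edits sources.conf leaves a `sources.conf-e` copy behind; `sed -i '' -e …` avoids that. The usage comment (`mk_portfile.sh TEMPLATE OUTPUTFILE VERSION`) no longer matches the script, which takes only the version and hard-codes `tools/Portfile.template` and `Portfile`, and `source ${blackbox_home}/../bin/_stack_lib.sh` is left unquoted while the rest of this commit quotes those paths.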

tools/mk_deb_fpmdir Executable file

@@ -0,0 +1,76 @@
#! /usr/bin/env bash
# Use fpm to package up files into a DEB .
# Usage:
# mk_deb_fpmdir PACKAGENAME MANIFEST1 MANIFEST2 ...
# Example:
# Make a package foopkg manifest.txt
# Where "manifest.txt" contains:
# exec /usr/bin/stack_makefqdn misc/stack_makefqdn.py
# exec /usr/bin/bar bar/bar.sh
# read /usr/man/man1/bar.1 bar/bar.1.man
# 0444 /etc/foo.conf bar/foo.conf
set -e
# Parameters for this DEB:
PACKAGENAME=${1?"First arg must be the package name."}
shift
# Defaults that can be overridden:
# All packages are 1.0 unless otherwise specifed:
: ${PKGVERSION:=1.0} ;
# If there is no iteration setting, assume "1":
: ${PKGRELEASE:=1}
# If there is no epoch, assume 0
: ${PKGEPOCH:=0}
# The DEB is output here: (should be a place that can be wiped)
OUTPUTDIR="${HOME}/debbuild-$PACKAGENAME"
# The TeamCity templates expect to find the list of artifacts here:
DEB_BIN_LIST="${OUTPUTDIR}/bin-packages.txt"
# -- Now the real work can be done.
# Clean the output dir.
rm -rf "$OUTPUTDIR"
mkdir -p "$OUTPUTDIR/installroot"
# Copy the files into place:
set -o pipefail # Error out if any manifest is not found.
cat """$@""" | while read -a arr ; do
PERM="${arr[0]}"
case $PERM in
\#*) continue ;; # Skip comments.
exec) PERM=0755 ;;
read) PERM=0744 ;;
*) ;;
esac
DST="$OUTPUTDIR/installroot/${arr[1]}"
SRC="${arr[2]}"
if [[ $SRC == "cmd/"* || $SRC == *"/cmd/"* ]]; then
( cd $(dirname "$SRC" ) && go build -a -v )
fi
install -D -T -b -m "$PERM" -T "$SRC" "$DST"
done
# Build the DEB:
cd "$OUTPUTDIR" && fpm -s dir -t deb \
-a x86_64 \
-n "${PACKAGENAME}" \
--epoch "${PKGEPOCH}" \
--version "${PKGVERSION}" \
--iteration "${PKGRELEASE}" \
${PKGDESCRIPTION:+ --description="${PKGDESCRIPTION}"} \
${PKGVENDOR:+ --vendor="${PKGVENDOR}"} \
-C "$OUTPUTDIR/installroot" \
.
# TeamCity templates for DEBS expect to find
# the list of all packages created in bin-packages.txt.
# Generate that list:
find "$OUTPUTDIR" -maxdepth 1 -name '*.deb' >"$DEB_BIN_LIST"
# Output it for debugging purposes:
cat "$DEB_BIN_LIST"
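Review bot: `-a x86_64` in the fpm call pins the .deb to one architecture, but the manifest this commit ships (`tools/mk_deb_fpmdir.stack_blackbox.txt`) contains only shell scripts, so the package would be refused on other architectures for no reason; for architecture-independent content the Debian convention is `-a all`, or make it overridable with `-a "${PKGARCH:-all}"`. The `install` line passes `-T` twice and `-b`, and a backup option is meaningless in an install root that was just wiped; `install -D -m "$PERM" -T "$SRC" "$DST"` is enough. The `go build` branch appears to be inherited from a generic template and is presumably unreachable for this project's manifests — a comment saying so, or removing it, would help the next reader.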


@@ -0,0 +1,14 @@
exec /usr/bin/_blackbox_common.sh ../bin/_blackbox_common.sh
exec /usr/bin/_stack_lib.sh ../bin/_stack_lib.sh
exec /usr/bin/blackbox_addadmin ../bin/blackbox_addadmin
exec /usr/bin/blackbox_cat ../bin/blackbox_cat
exec /usr/bin/blackbox_edit ../bin/blackbox_edit
exec /usr/bin/blackbox_edit_end ../bin/blackbox_edit_end
exec /usr/bin/blackbox_edit_start ../bin/blackbox_edit_start
exec /usr/bin/blackbox_initialize ../bin/blackbox_initialize
exec /usr/bin/blackbox_postdeploy ../bin/blackbox_postdeploy
exec /usr/bin/blackbox_register_new_file ../bin/blackbox_register_new_file
exec /usr/bin/blackbox_removeadmin ../bin/blackbox_removeadmin
exec /usr/bin/blackbox_shred_all_files ../bin/blackbox_shred_all_files
exec /usr/bin/blackbox_update_all_files ../bin/blackbox_update_all_files
exec /usr/bin/blackbox_list_files ../bin/blackbox_list_files