signatures...

2 years ago · 786a17fc61
parent 8f3f93d8c6
commit 786a17fc61
10 changed files with 123 additions and 21 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,4 +8,8 @@ neato_deploy.tar.gz
 neatoDeploy.phar
 neato_deploy.tar.gz.self
 phpstan.neon
-composer.lock
+composer.lock
+build/neatoDeploy.phar.pubkey
+build/neatoDeploy.phar.sig
+build/private.pem
+build/sumfiles.sig
--- a/app/just_testing.sh
+++ b/app/just_testing.sh
@ -3,4 +3,4 @@ if [ ! -L deploy_files ]; then
   ln -s ../deploy_files .
 fi

-php -c build/neatoDeploy.ini -f neato.php $@
+php -c build/neato_deploy_php_cli.ini -f neato.php $@
--- a/app/neato.php
+++ b/app/neato.php
@ -6,7 +6,11 @@ error_reporting(E_ALL);

 $cwd = getcwd();

-$pk = "@ghsP4JAuhCUxEGpk2y;mP"; // XOR for sha256sum, CHANGE ME!!
+$pk = file_get_contents($cwd . "/sumfiles.sig");
+if ($pk === false) {
+    echo "No Signatures for sum file checking!";
+    exit(1);
+}

 if (!isset($argv[1])) {
    echo 'Please give Script to run, example: ./neato_deploy.sh apache' . PHP_EOL;
@ -103,7 +107,7 @@ if (file_exists($cwd . '/deploy_files/deploy_' . $file.'.php')) {
    }
    
    if ($skipdeploy) {
-        echo "Skipping Deploy php file...\r\n";
+        echo "Skipping running of Deploy php file...\r\n";
        exit(0);
    }
    
--- a/build/compile-phar.php
+++ b/build/compile-phar.php
@ -17,23 +17,27 @@ $phar = new Phar($pharFile);
 // start buffering. Mandatory to modify stub to add shebang
 $phar->startBuffering();

-// Create the default stub from main.php entrypoint
-$defaultStub = $phar->createDefaultStub('neato.php');
-
 // Add the rest of the apps files
 $phar->buildFromDirectory(
    __DIR__ . '/../app', // Base APP folder
    '/\.php$/',  // Regular expression to include only PHP files
 );

+$phar->stopBuffering();
+
+//$phar->setSignatureAlgorithm(Phar::SHA512);
+$private_key = file_get_contents("private.pem");
+$phar->setSignatureAlgorithm(Phar::OPENSSL, $private_key);
+
+// Create the default stub from main.php entrypoint
+$defaultStub = $phar->createDefaultStub('neato.php');
+
 // Customize the stub to add the shebang
 $stub = "\n" . $defaultStub;

 // Add the stub
 $phar->setStub($stub);

-$phar->stopBuffering();
-
 // plus - compressing it into gzip  
 $phar->compressFiles(Phar::GZ);

--- a/build/install_neato.sh
+++ b/build/install_neato.sh
@ -11,7 +11,7 @@ fi
 current_directory=$(pwd)
 target_directory="/opt/neatoDeploy"

-if [ "$current_directory" == "$target_directory" ]; then
+if [ "$current_directory" == "$target_directory" ] || [ "$current_directory" == "$target_directory/build" ]; then
   /usr/bin/echo "Do not run this script inside of source folder /opt/neatoDeploy/build!"
   exit 1
 fi
@ -19,8 +19,11 @@ fi
 /usr/bin/mkdir -p /opt/neatoDeployments/deploy_files
 /usr/bin/mv neato_deploy_php_cli.ini /opt/neatoDeployments/
 /usr/bin/mv neatoDeploy.phar /opt/neatoDeployments/
+/usr/bin/mv neatoDeploy.phar.pubkey /opt/neatoDeployments/
+/usr/bin/mv neatoDeploy.phar.sig /opt/neatoDeployments/
 /usr/bin/mv neato_deploy.sh /opt/neatoDeployments/
 /usr/bin/mv make-sums.sh /opt/neatoDeployments/
+/usr/bin/mv sumfiles.sig /opt/neatoDeployments/
 /usr/bin/mv deploy_files/deploy_*.php /opt/neatoDeployments/deploy_files/
 /usr/bin/rmdir deploy_files

--- a/build/make-sums.sh
+++ b/build/make-sums.sh
@ -2,14 +2,35 @@
 if [ ! -d sums ]; then
    mkdir sums
 fi
+
+if which "openssl" >/dev/null 2>&1; then
+    file_to_verify="/opt/neatoDeployments/neatoDeploy.phar"
+    signature_file="/opt/neatoDeployments/neatoDeploy.phar.sig"
+    public_key_file="neatoDeploy.phar.pubkey"
+
+    # Verify the signature
+    openssl dgst -sha256 -verify "$public_key_file" -signature "$signature_file" "$file_to_verify"
+
+    # Check the exit code to determine the verification result
+    if [ $? -eq 0 ]; then
+      echo "Signature is valid."
+    else
+      echo "Signature is not valid."
+      exit 1
+    fi
+else
+    echo "openssl is not installed!!"
+fi
+
+
 for file in deploy_files/deploy_*.php; do
    if [ -f "$file" ]; then
        echo -e "Making sum file for: $file \r\n"
        
        # Remove "deploy_" from the beginning and ".php" from the end
-        new_file_name=$(echo "$file" | sed 's/^deploy_//;s/\.php$//')
+        new_file_name=$(echo "$file" | sed 's/deploy_files\///;s/^deploy_//;s/\.php$//')

-        php -c /opt/neatoDeployments/neatoDeploy.ini -f /opt/neatoDeployments/neatoDeploy.phar "$new_file_name" -marksafe -skipdeploy
+        php -c /opt/neatoDeployments/neato_deploy_php_cli.ini -f /opt/neatoDeployments/neatoDeploy.phar "$new_file_name" -marksafe -skipdeploy
    fi
 done

--- a/build/neato_deploy.sh
+++ b/build/neato_deploy.sh
@ -1,2 +1,23 @@
 #!/bin/bash
-php -c /opt/neatoDeployments/neatoDeploy.ini -f /opt/neatoDeployments/neatoDeploy.phar $@
+
+if which "openssl" >/dev/null 2>&1; then
+    file_to_verify="/opt/neatoDeployments/neatoDeploy.phar"
+    signature_file="/opt/neatoDeployments/neatoDeploy.phar.sig"
+    public_key_file="neatoDeploy.phar.pubkey"
+
+    # Verify the signature
+    openssl dgst -sha256 -verify "$public_key_file" -signature "$signature_file" "$file_to_verify"
+
+    # Check the exit code to determine the verification result
+    if [ $? -eq 0 ]; then
+      echo "Signature is valid."
+    else
+      echo "Signature is not valid."
+      exit 1
+    fi
+else
+    echo "openssl is not installed!!"
+fi
+
+
+php -c /opt/neatoDeployments/neato_deploy_php_cli.ini -f /opt/neatoDeployments/neatoDeploy.phar $@
--- a/build/neato_deploy_php_cli.ini
+++ b/build/neato_deploy_php_cli.ini
@ -6,9 +6,8 @@ zlib.output_compression = Off
 implicit_flush = Off
 serialize_precision = -1
 open_basedir =
-; exec,shell_exec, preg_replace,
 disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,passthru,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,eval,assert,create_function,telnet
-disable_classes = ReflectionFunction
+disable_classes = 
 zend.enable_gc = On
 expose_php = Off
 max_execution_time = 0
@ -33,3 +32,4 @@ default_socket_timeout = 60
 cli_server.color = On
 [Phar]
 phar.readonly = On
+phar.require_hash = On
--- a/build/neato_php_cli_phar.ini
+++ b/build/neato_php_cli_phar.ini
@ -6,8 +6,8 @@ zlib.output_compression = Off
 implicit_flush = Off
 serialize_precision = -1
 open_basedir = 
-disable_functions = 
-disable_classes =
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,passthru,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,eval,assert,create_function,telnet
+disable_classes = ReflectionFunction
 zend.enable_gc = On
 expose_php = Off
 max_execution_time = 0
@ -31,4 +31,5 @@ default_socket_timeout = 60
 ; Whether the CLI web server uses ANSI color coding in its terminal output.
 cli_server.color = On
 [Phar]
-phar.readonly = Off 
+phar.readonly = Off
+phar.require_hash = On 
--- a/make-installer.sh
+++ b/make-installer.sh
@ -1,11 +1,55 @@
 #!/bin/bash
-pushd build
+pushd build || exit 2
+
+generate_password() {
+    # Define character sets for the password
+    uppercase="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+    lowercase="abcdefghijklmnopqrstuvwxyz"
+    numbers="0123456789"
+    special_chars="!@#$%-^&*(_)+=?"
+
+    # Combine character sets
+    all_chars="${uppercase}${lowercase}${numbers}${special_chars}"
+
+    # Use /dev/urandom to generate random bytes and base64 encode them
+    password=$(head /dev/urandom | tr -dc "$all_chars" | head -c 16)
+
+    echo "$password" > sumfiles.sig
+}
+
+if [ ! -f "sumfiles.sig" ]; then
+    generate_password
+fi
+
+if [ ! -f "private.pem" ]; then
+    openssl genrsa -out private.pem 4096
+    openssl rsa -in private.pem -pubout -out neatoDeploy.phar.pubkey
+fi
+
 /usr/bin/php -c neato_php_cli_phar.ini -f compile-phar.php
+if [ $? -eq 0 ]; then
+   echo "Cool -> Created PHAR file!"
+else
+   echo "ERROR: Unable to make PHAR file!"
+   exit 1 
+fi
+
+file_to_sign="neatoDeploy.phar"
+private_key_file="private.pem"
+signature_output_file="neatoDeploy.phar.sig"
+
+# Sign the file
+openssl dgst -sha256 -sign "$private_key_file" -out "$signature_output_file" "$file_to_sign"
+if [ $? -eq 0 ]; then
+    echo "Made signature."
+else
+    echo "Unable to make signature!!"
+fi

 /usr/bin/chmod +x install_neato.sh

 TAR_FILE=neato_deploy.tar.gz
-/usr/bin/tar -czvf $TAR_FILE install_neato.sh make-sums.sh neatoDeploy.phar neato_deploy_php_cli.ini neato_deploy.sh ../deploy_files/deploy_*.php
+/usr/bin/tar -czvf $TAR_FILE install_neato.sh make-sums.sh sumfiles.sig neatoDeploy.phar.sig neatoDeploy.phar.pubkey neatoDeploy.phar neato_deploy_php_cli.ini neato_deploy.sh ../deploy_files/deploy_*.php

 EXIT_COMMAND="./install_neato.sh"

@ -18,4 +62,4 @@ SELF_EXTRACTABLE="$TAR_FILE.self"
 /usr/bin/cat $TAR_FILE >> $SELF_EXTRACTABLE
 /usr/bin/chmod a+x $SELF_EXTRACTABLE
 /usr/bin/mv $SELF_EXTRACTABLE ..
-popd
+popd || exit 2