diff --git a/.gitignore b/.gitignore index 4bdf173..0ddca29 100644 --- a/.gitignore +++ b/.gitignore @@ -8,4 +8,8 @@ neato_deploy.tar.gz neatoDeploy.phar neato_deploy.tar.gz.self phpstan.neon -composer.lock \ No newline at end of file +composer.lock +build/neatoDeploy.phar.pubkey +build/neatoDeploy.phar.sig +build/private.pem +build/sumfiles.sig diff --git a/app/just_testing.sh b/app/just_testing.sh index 782209e..7765080 100755 --- a/app/just_testing.sh +++ b/app/just_testing.sh @@ -3,4 +3,4 @@ if [ ! -L deploy_files ]; then ln -s ../deploy_files . fi -php -c build/neatoDeploy.ini -f neato.php $@ +php -c build/neato_deploy_php_cli.ini -f neato.php $@ diff --git a/app/neato.php b/app/neato.php index e9c451b..7b8238f 100644 --- a/app/neato.php +++ b/app/neato.php @@ -6,7 +6,11 @@ error_reporting(E_ALL); $cwd = getcwd(); -$pk = "@ghsP4JAuhCUxEGpk2y;mP"; // XOR for sha256sum, CHANGE ME!! +$pk = file_get_contents($cwd . "/sumfiles.sig"); +if ($pk === false) { + echo "No Signatures for sum file checking!"; + exit(1); +} if (!isset($argv[1])) { echo 'Please give Script to run, example: ./neato_deploy.sh apache' . PHP_EOL; @@ -103,7 +107,7 @@ if (file_exists($cwd . '/deploy_files/deploy_' . $file.'.php')) { } if ($skipdeploy) { - echo "Skipping Deploy php file...\r\n"; + echo "Skipping running of Deploy php file...\r\n"; exit(0); } diff --git a/build/compile-phar.php b/build/compile-phar.php index 620d0b2..a2dcd94 100644 --- a/build/compile-phar.php +++ b/build/compile-phar.php 
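Review bot: The replacement for the hard-coded key reads `$cwd . "/sumfiles.sig"`, so the key used to check the sum files now depends on the directory the wrapper happens to be invoked from rather than on where the phar is installed; from any other directory the script exits with "No Signatures" (fail-closed, at least), and a writable working directory can supply its own file. Anchoring the path to the installed location, e.g. `$pk = file_get_contents(dirname(Phar::running(false)) . "/sumfiles.sig");`, or at minimum a comment stating that the script must be run from /opt/neatoDeployments, would make that explicit. Note also that this file is generated by make-installer.sh and shipped in the same tarball as the sums it keys, so it is a shared secret living beside the data it protects — anyone who can edit a deploy file in that directory can regenerate its sum — and the name "sumfiles.sig" reads as a signature when it is a key. The rest of the script, where `$pk` is consumed, is outside the hunk.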
@@ -17,23 +17,27 @@ $phar = new Phar($pharFile); // start buffering. Mandatory to modify stub to add shebang $phar->startBuffering(); -// Create the default stub from main.php entrypoint -$defaultStub = $phar->createDefaultStub('neato.php'); - // Add the rest of the apps files $phar->buildFromDirectory( __DIR__ . '/../app', // Base APP folder '/\.php$/', // Regular expression to include only PHP files ); +$phar->stopBuffering(); + +//$phar->setSignatureAlgorithm(Phar::SHA512); +$private_key = file_get_contents("private.pem"); +$phar->setSignatureAlgorithm(Phar::OPENSSL, $private_key); + +// Create the default stub from main.php entrypoint +$defaultStub = $phar->createDefaultStub('neato.php'); + // Customize the stub to add the shebang $stub = "\n" . $defaultStub; // Add the stub $phar->setStub($stub); -$phar->stopBuffering(); - // plus - compressing it into gzip $phar->compressFiles(Phar::GZ); diff --git a/build/install_neato.sh b/build/install_neato.sh index 3478d79..9a39373 100755 --- a/build/install_neato.sh +++ b/build/install_neato.sh @@ -11,7 +11,7 @@ fi current_directory=$(pwd) target_directory="/opt/neatoDeploy" -if [ "$current_directory" == "$target_directory" ]; then +if [ "$current_directory" == "$target_directory" ] || [ "$current_directory" == "$target_directory/build" ]; then /usr/bin/echo "Do not run this script inside of source folder /opt/neatoDeploy/build!" exit 1 fi @@ -19,8 +19,11 @@ fi /usr/bin/mkdir -p /opt/neatoDeployments/deploy_files /usr/bin/mv neato_deploy_php_cli.ini /opt/neatoDeployments/ /usr/bin/mv neatoDeploy.phar /opt/neatoDeployments/ +/usr/bin/mv neatoDeploy.phar.pubkey /opt/neatoDeployments/ +/usr/bin/mv neatoDeploy.phar.sig /opt/neatoDeployments/ /usr/bin/mv neato_deploy.sh /opt/neatoDeployments/ /usr/bin/mv make-sums.sh /opt/neatoDeployments/ +/usr/bin/mv sumfiles.sig /opt/neatoDeployments/ /usr/bin/mv deploy_files/deploy_*.php /opt/neatoDeployments/deploy_files/ /usr/bin/rmdir deploy_files 
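Review bot: `$private_key = file_get_contents("private.pem");` is unchecked and resolves against the current working directory; if the file is missing, `false` is coerced to an empty string and handed to `setSignatureAlgorithm(Phar::OPENSSL, ...)`, so the failure surfaces later as an obscure signing error instead of at the read. Resolve it against the script and fail early: `$private_key = file_get_contents(__DIR__ . '/private.pem');` followed by `if ($private_key === false) { fwrite(STDERR, "private.pem not found\n"); exit(1); }`. The move of `$phar->stopBuffering();` ahead of the signature, stub and compression calls also deserves a comment — as far as I can tell each later mutating call now flushes the archive on its own, and a reader may well move it back to the end where it was, so a one-line comment stating why it has to precede `setSignatureAlgorithm()` would pin the intent. The script continues past the hunk.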
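Review bot: The new `mv` lines for `neatoDeploy.phar.pubkey`, `neatoDeploy.phar.sig` and `sumfiles.sig` install the trust anchor, the signature and the sum-file key into the same directory as the phar with whatever mode the extracting user's umask produced, and none of the moves is checked. The verification in neato_deploy.sh and make-sums.sh reads `neatoDeploy.phar.pubkey` from the working directory, which is expected to be this one, so the protection only holds if /opt/neatoDeployments is not writable by the accounts that will run the wrapper; tightening that here, e.g. `/usr/bin/chmod 600 /opt/neatoDeployments/sumfiles.sig` and `/usr/bin/chmod 644 /opt/neatoDeployments/neatoDeploy.phar.pubkey`, plus root ownership of the directory if the installer is meant to run as root (the script does not say), would make the assumption hold rather than hope for it. A `set -e` at the top or `|| exit 1` on each `mv` would also stop a half-installed tree from being left behind. The enclosing script continues after the hunk.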
diff --git a/build/make-sums.sh b/build/make-sums.sh index 29dbe49..5161328 100644 --- a/build/make-sums.sh +++ b/build/make-sums.sh @@ -2,14 +2,35 @@ if [ ! -d sums ]; then mkdir sums fi + +if which "openssl" >/dev/null 2>&1; then + file_to_verify="/opt/neatoDeployments/neatoDeploy.phar" + signature_file="/opt/neatoDeployments/neatoDeploy.phar.sig" + public_key_file="neatoDeploy.phar.pubkey" + + # Verify the signature + openssl dgst -sha256 -verify "$public_key_file" -signature "$signature_file" "$file_to_verify" + + # Check the exit code to determine the verification result + if [ $? -eq 0 ]; then + echo "Signature is valid." + else + echo "Signature is not valid." + exit 1 + fi +else + echo "openssl is not installed!!" +fi + + for file in deploy_files/deploy_*.php; do if [ -f "$file" ]; then echo -e "Making sum file for: $file \r\n" # Remove "deploy_" from the beginning and ".php" from the end - new_file_name=$(echo "$file" | sed 's/^deploy_//;s/\.php$//') + new_file_name=$(echo "$file" | sed 's/deploy_files\///;s/^deploy_//;s/\.php$//') - php -c /opt/neatoDeployments/neatoDeploy.ini -f /opt/neatoDeployments/neatoDeploy.phar "$new_file_name" -marksafe -skipdeploy + php -c /opt/neatoDeployments/neato_deploy_php_cli.ini -f /opt/neatoDeployments/neatoDeploy.phar "$new_file_name" -marksafe -skipdeploy fi done diff --git a/build/neato_deploy.sh b/build/neato_deploy.sh index 0e9bae7..8defe9e 100755 --- a/build/neato_deploy.sh +++ b/build/neato_deploy.sh 
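Review bot: The new verification block fails open when openssl is absent: the `else` branch prints "openssl is not installed!!" and the script continues to run the phar unverified, so the check is skipped on any host where the tool is missing; the same block in neato_deploy.sh (next hunk) has the same shape. Make the else branch `echo "openssl is not installed!!" >&2; exit 1`, and since `file_to_verify` and `signature_file` are absolute while `public_key_file="neatoDeploy.phar.pubkey"` is relative, either give the pubkey the same `/opt/neatoDeployments/` prefix or document that the script must run from that directory. Testing `$?` after the `openssl dgst` call works, but `if openssl dgst -sha256 -verify "$public_key_file" -signature "$signature_file" "$file_to_verify"; then` is the usual idiom and cannot be broken by a command slipped in between.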
@@ -1,2 +1,23 @@ #!/bin/bash -php -c /opt/neatoDeployments/neatoDeploy.ini -f /opt/neatoDeployments/neatoDeploy.phar $@ + +if which "openssl" >/dev/null 2>&1; then + file_to_verify="/opt/neatoDeployments/neatoDeploy.phar" + signature_file="/opt/neatoDeployments/neatoDeploy.phar.sig" + public_key_file="neatoDeploy.phar.pubkey" + + # Verify the signature + openssl dgst -sha256 -verify "$public_key_file" -signature "$signature_file" "$file_to_verify" + + # Check the exit code to determine the verification result + if [ $? -eq 0 ]; then + echo "Signature is valid." + else + echo "Signature is not valid." + exit 1 + fi +else + echo "openssl is not installed!!" +fi + + +php -c /opt/neatoDeployments/neato_deploy_php_cli.ini -f /opt/neatoDeployments/neatoDeploy.phar $@ diff --git a/build/neato_deploy_php_cli.ini b/build/neato_deploy_php_cli.ini index 895040c..4c22271 100644 --- a/build/neato_deploy_php_cli.ini +++ b/build/neato_deploy_php_cli.ini @@ -6,9 +6,8 @@ zlib.output_compression = Off implicit_flush = Off serialize_precision = -1 open_basedir = -; exec,shell_exec, preg_replace, disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,passthru,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,eval,assert,create_function,telnet -disable_classes = ReflectionFunction +disable_classes = zend.enable_gc = On expose_php = Off max_execution_time = 0 @@ -33,3 +32,4 @@ default_socket_timeout = 60 cli_server.color = On [Phar] phar.readonly = On +phar.require_hash = On diff --git a/build/neato_php_cli_phar.ini b/build/neato_php_cli_phar.ini index f235c2b..cc53804 100644 
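Review bot: `disable_classes = ReflectionFunction` is cleared in the runtime ini with no explanation, while the same setting is being added to the build ini, which reads like the two files were swapped rather than deliberately tuned; if the deployed phar genuinely needs ReflectionFunction at run time, an ini comment such as `; ReflectionFunction left enabled: needed at run time because REASON-HERE` would record that, otherwise it should stay disabled here too. The added `phar.require_hash = On` only rejects phars that carry no signature at all — an archive with the default SHA hash signature satisfies it — so it does not by itself tie execution to `neatoDeploy.phar.pubkey`; the key check still rests on the `openssl dgst -verify` step in the shell wrappers, and a comment next to the setting saying so would stop a future reader from dropping that step as redundant.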
--- a/build/neato_php_cli_phar.ini +++ b/build/neato_php_cli_phar.ini @@ -6,8 +6,8 @@ zlib.output_compression = Off implicit_flush = Off serialize_precision = -1 open_basedir = -disable_functions = -disable_classes = +disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,passthru,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,eval,assert,create_function,telnet +disable_classes = ReflectionFunction zend.enable_gc = On expose_php = Off max_execution_time = 0 @@ -31,4 +31,5 @@ default_socket_timeout = 60 ; Whether the CLI web server uses ANSI color coding in its terminal output. cli_server.color = On [Phar] -phar.readonly = Off +phar.readonly = Off +phar.require_hash = On diff --git a/make-installer.sh b/make-installer.sh index 04c4f57..ca6c47c 100755 --- a/make-installer.sh +++ b/make-installer.sh 
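Review bot: The `disable_functions` list added to the build ini contains `eval`, which is a language construct rather than a function and is silently ignored by this directive, so the entry gives a false impression of coverage; the runtime ini's unchanged list carries the same entry. Trim it, or replace it with an ini comment such as `; eval cannot be disabled via disable_functions; rely on the signed phar instead`. `create_function` and `telnet` are likewise no-ops on current PHP (the former was removed in PHP 8, the latter is not a PHP function), so a comment noting which entries are defence-in-depth for older interpreters would help. The second hunk's `phar.readonly = Off` rewrite is whitespace-only.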
@@ -1,11 +1,55 @@ #!/bin/bash -pushd build +pushd build || exit 2 + +generate_password() { + # Define character sets for the password + uppercase="ABCDEFGHIJKLMNOPQRSTUVWXYZ" + lowercase="abcdefghijklmnopqrstuvwxyz" + numbers="0123456789" + special_chars="!@#$%-^&*(_)+=?" + + # Combine character sets + all_chars="${uppercase}${lowercase}${numbers}${special_chars}" + + # Use /dev/urandom to generate random bytes and base64 encode them + password=$(head /dev/urandom | tr -dc "$all_chars" | head -c 16) + + echo "$password" > sumfiles.sig +} + +if [ ! -f "sumfiles.sig" ]; then + generate_password +fi + +if [ ! -f "private.pem" ]; then + openssl genrsa -out private.pem 4096 + openssl rsa -in private.pem -pubout -out neatoDeploy.phar.pubkey +fi + /usr/bin/php -c neato_php_cli_phar.ini -f compile-phar.php +if [ $? -eq 0 ]; then + echo "Cool -> Created PHAR file!" +else + echo "ERROR: Unable to make PHAR file!" + exit 1 +fi + +file_to_sign="neatoDeploy.phar" +private_key_file="private.pem" +signature_output_file="neatoDeploy.phar.sig" + +# Sign the file +openssl dgst -sha256 -sign "$private_key_file" -out "$signature_output_file" "$file_to_sign" +if [ $? -eq 0 ]; then + echo "Made signature." +else + echo "Unable to make signature!!" +fi /usr/bin/chmod +x install_neato.sh TAR_FILE=neato_deploy.tar.gz -/usr/bin/tar -czvf $TAR_FILE install_neato.sh make-sums.sh neatoDeploy.phar neato_deploy_php_cli.ini neato_deploy.sh ../deploy_files/deploy_*.php +/usr/bin/tar -czvf $TAR_FILE install_neato.sh make-sums.sh sumfiles.sig neatoDeploy.phar.sig neatoDeploy.phar.pubkey neatoDeploy.phar neato_deploy_php_cli.ini neato_deploy.sh ../deploy_files/deploy_*.php EXIT_COMMAND="./install_neato.sh" @@ -18,4 +62,4 @@ SELF_EXTRACTABLE="$TAR_FILE.self" /usr/bin/cat $TAR_FILE >> $SELF_EXTRACTABLE /usr/bin/chmod a+x $SELF_EXTRACTABLE /usr/bin/mv $SELF_EXTRACTABLE .. -popd \ No newline at end of file +popd || exit 2 \ No newline at end of file
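Review bot: A failed `openssl dgst -sha256 -sign` only prints "Unable to make signature!!" and the script goes on to tar up whatever `neatoDeploy.phar.sig` exists (possibly none, or a stale one from a previous build), so a build can ship without a valid signature and only fail at install time; that else branch needs `exit 1`. In `generate_password`, `special_chars="!@#$%-^&*(_)+=?"` feeds `tr -dc`, where `%-^` is parsed as a range from `%` to `^` — the literal `-` never makes it into the set and characters such as `\`, `[`, `]`, `;` and `'` do — so move the hyphen to the end of the set, e.g. `special_chars='!@#$%^&*(_)+=?-'`. `head /dev/urandom` with no `-c` reads ten newline-terminated chunks of random bytes, which is enough in practice but states no intent; `head -c 256 /dev/urandom | LC_ALL=C tr -dc "$all_chars" | head -c 16` is the clearer form. The key is written with `echo`, so it carries a trailing newline that neato.php will read back as part of the key; harmless while both sides agree, but worth a comment on the `echo` line.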