From 3d216cf01b7e19e8cc108bec7af2ac0bf9960c53 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Tue, 8 Dec 2020 09:45:54 -0800
Subject: [PATCH] Creates scripts for regenerating rulesets

Trying to bottle up the humdrum tasks into a single action, as far as possible. Some more guiding language about the specific steps of the airgap procedure would be welcome, but likely best handled in separate documentation.
---
 .gitignore | 3 +++
 scripts/generate-and-sign | 43 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100755 scripts/generate-and-sign
diff --git a/.gitignore b/.gitignore
index 0e8c263..bd036f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,9 @@
 private.pem
 test-key.jwk
 public.pem
+# Ignore upstream EFF repo
+https-everywhere/
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]
diff --git a/scripts/generate-and-sign b/scripts/generate-and-sign
new file mode 100755
index 0000000..75cf1f2
--- /dev/null
+++ b/scripts/generate-and-sign
@@ -0,0 +1,43 @@
+#!/bin/bash
+# Utility script to generate the SecureDrop HTTPS Everywhere rulesets,
+# used for managing Onion Names for SecureDrop instances.
+#
+# Much of the business logic is taken verbatim from the EFF HTTPSE repo:
+#
+# https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md#signing
+#
+set -e
+set -u
+set -o pipefail
+
+ # We need the upstream repo by EFF for a few select scripts.
+https_everywhere_repo="https-everywhere"
+if [[ ! -d "$https_everywhere_repo" ]]; then
+ echo "Cloning upstream https-everywhere repo for scripts..."
+ echo "WARNING: Can take a long time! ~10m even on fast connections."
+ git clone https://github.com/EFForg/https-everywhere
+else
+ echo "Found https-everywhere repo locally, reusing..."
+fi
+
+# Generate the SD rulesets
+echo "Generating SecureDrop Onion Name rulesets..."
+python3 sddir.py
+
+# The EFF scripts require paths to be relative, so copy into subdirs.
+echo "Copying SecureDrop Onion Name rulesets ..."
+rm -f "${https_everywhere_repo}/rules/"*.xml
+cp rulesets/*.xml "${https_everywhere_repo}/rules/"
+cp public_release.pem "${https_everywhere_repo}/"
+
+pushd "$https_everywhere_repo"
+sd_rules_dir="securedrop-rules"
+rm -rf "$sd_rules_dir"
+mkdir "$sd_rules_dir"
+docker run -it -v "$(pwd):/opt" --workdir /opt python:3.6 python3 utils/merge-rulesets.py
+echo "Preparing rulesets for airgapped signature request..."
+docker run -it -v "$(pwd):/opt" --workdir /opt python:3.6 utils/sign-rulesets/async-request.sh public_release.pem "$sd_rules_dir"
+
+echo "Finished. Review files in ${https_everywhere_repo}/${sd_rules_dir}/"
+cp -v "${https_everywhere_repo}/${sd_rules_dir}/"* .
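Review bot: The final `cp -v "${https_everywhere_repo}/${sd_rules_dir}/"* .` runs while the shell is still inside the clone entered by `pushd "$https_everywhere_repo"`, so the relative path resolves to https-everywhere/https-everywhere/securedrop-rules/, the glob matches nothing, and the copy fails under `set -e` right after the "Finished." message without delivering the rulesets; add `popd` immediately after the second `docker run` line. Separately, the script executes `utils/merge-rulesets.py` and `utils/sign-rulesets/async-request.sh` from whatever revision the `git clone` of upstream master fetched — or from a pre-existing local checkout of unknown state — with `public_release.pem` mounted into the container, so the code preparing the signature request is neither pinned nor reviewed; consider `git -C "$https_everywhere_repo" checkout <PINNED_UPSTREAM_COMMIT>` after the clone/reuse branch, with the chosen commit noted in the header comment. The `python:3.6` tag is likewise mutable, and pinning it by image digest would give the container side the same reproducibility.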