-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Creates scripts for regenerating rulesets
Trying to bottle up the humdrum tasks into a single action, as far as possible. Some more guiding language about the specific steps of the airgap procedure would be welcome, but likely best handled in separate documentation.
- Loading branch information
Conor Schaefer
committed
Dec 9, 2020
1 parent
276c1da
commit 50b258e
Showing
2 changed files
with
46 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| #!/bin/bash | ||
| # Utility script to generate the SecureDrop HTTPS Everywhere rulesets, | ||
| # used for managing Onion Names for SecureDrop instances. | ||
| # | ||
| # Much of the business logic is taken verbatim from the EFF HTTPSE repo: | ||
| # | ||
| # https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md#signing | ||
| # | ||
| set -e | ||
| set -u | ||
| set -o pipefail | ||
|
|
||
|
|
||
| # We need the upstream repo by EFF for a few select scripts. | ||
| https_everywhere_repo="https-everywhere" | ||
| if [[ ! -d "$https_everywhere_repo" ]]; then | ||
| echo "Cloning upstream https-everywhere repo for scripts..." | ||
| echo "WARNING: Can take a long time! ~10m even on fast connections." | ||
| git clone https://github.com/EFForg/https-everywhere | ||
| else | ||
| echo "Found https-everywhere repo locally, reusing..." | ||
| fi | ||
|
|
||
| # Generate the SD rulesets | ||
| echo "Generating SecureDrop Onion Name rulesets..." | ||
| python3 sddir.py | ||
|
|
||
| # The EFF scripts require paths to be relative, so copy into subdirs. | ||
| echo "Copying SecureDrop Onion Name rulesets ..." | ||
| rm -f "${https_everywhere_repo}/rules/"*.xml | ||
| cp rulesets/*.xml "${https_everywhere_repo}/rules/" | ||
| cp public_release.pem "${https_everywhere_repo}/" | ||
|
|
||
| pushd "$https_everywhere_repo" | ||
| sd_rules_dir="securedrop-rules" | ||
| rm -rf "$sd_rules_dir" | ||
| mkdir "$sd_rules_dir" | ||
| docker run -it -v "$(pwd):/opt" --workdir /opt python:3.6 python3 utils/merge-rulesets.py | ||
| echo "Preparing rulesets for airgapped signature request..." | ||
| docker run -it -v "$(pwd):/opt" --workdir /opt python:3.6 utils/sign-rulesets/async-request.sh public_release.pem "$sd_rules_dir" | ||
|
|
||
| echo "Finished. Review files in ${https_everywhere_repo}/${sd_rules_dir}/" | ||
| cp -v "${https_everywhere_repo}/${sd_rules_dir}/"* . |