Authenticated Downloads

[reelsense]

Introduction

4S needs to verify its authenticity when it downloads an update. If the update fails to be signed by the signing key it should move the inauthentic file to /tmp and print an error.

You can verify this Minisign public key is signed by us:

RWSmY4o5Bad1vS60aYAiQUswWYVV2EuSdqc3ry7CWWF1E6bVbFG9kR/y

You can verify the signature below by copying the signature into keybase.io/verify it's signed by this public key.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

RWSmY4o5Bad1vS60aYAiQUswWYVV2EuSdqc3ry7CWWF1E6bVbFG9kR/y
-----BEGIN PGP SIGNATURE-----

wsFcBAABCgAGBQJX010gAAoJEBTBGCvFeTayH+UP/2cc+UNhGyDdLACyv7+eHI93
NAdskZQ+d8iiOkxgiMXoTg3W9/B6skRL5eZIX1QTgg7xldVcczOUr9/7/fGhQMHB
vEU6RwB/SnyRSqPiqnbsP8K7Xl6GHty2VorIKWR3zPCFSdMq2sOYJVXR0IZrB5O5
jMzkBLZQMUH+fgeiapassjN8hzl8Gc0A8HO48MVSsS2MQx05DN9uqAnX5XzY6dQL
jA9AatVTsx904fgz3TJogEOCoEbPSl02zZ5J5uRGMA5e5cyWU9+rTL4hhN/6HrAA
6Oe4ihEEGECTxC59LEgbPTxka8QU0ngrgVzrJZxBI7Q05oyznGazFWtJz53cxp60
b8jBht+PeVBnoKCodmAZu54N3f5BTNMldivvclRJDv0TAOJZK/UJW52BdBqrEHek
luFxCBlJ7MQe56fiQwCS1+KIBTTOzxFtQAi35gcZv/mqb2WRMBJWCtB4f0NC9TqT
BShvxk8N4z7yVZiykjpdHxslNtfoVR1iRcZ0+xVQBtT+pEdl5ONexSazUsvKXGxR
g9IKP0qTNBu38lHDZSABsb3b+WTax+xDd/mcZC3SJO9aFXPP0uoL0ON1JpB/d0FQ
54ixCr4VK9aO9RNZuvV9yYKWTsNXh3hqY+AuRfv4Cv0YkEnqKVgUUozIkSI9WP57
rkYQXUCXXP1XUMDpJCfo
=BL+u
-----END PGP SIGNATURE-----

Simulate a 4S Alias User.

I setup a virtual machine with a fresh Ubuntu Desktop install and I snapshot it with a Terminal window open and a browser window with the instructions open. That way I can rapidly restore to that snapshot over and over for testing on a vanilla install.

💾📖 Ubuntu Setup Step-by-Step

I've had problems with the linuxbrew-wrapper package in the Ubuntu repos, so I install brew with the instructions on the website. I'll have to submit a bug report to fix linuxbrew-wrapper.

Here are the steps taken on the website:

Copy & paste to install brew dependencies + brew + brew aliases all at once.

sudo apt install ruby git curl build-essential python-setuptools wget ; ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Linuxbrew/install/master/install)" ; echo 'export PATH="/home/linuxbrew/.linuxbrew/bin:$PATH"' >> ~/.bashrc ; echo 'export MANPATH="/home/linuxbrew/.linuxbrew/share/man:$MANPATH"' >> ~/.bashrc ; echo 'export INFOPATH="/home/linuxbrew/.linuxbrew/share/info:$INFOPATH"' >> ~/.bashrc ; echo 'export XDG_DATA_DIRS="/home/linuxbrew/.linuxbrew/share:$XDG_DATA_DIRS"' >> ~/.bashrc ; PATH="/home/linuxbrew/.linuxbrew/bin:$PATH" ; brew update --force ; brew install bash-completion ; echo "  [ -f /home/linuxbrew/.linuxbrew/bash_completion ] && . /home/linuxbrew/.linuxbrew/etc/bash_completion" >> ~/.bashrc ; source ~/.bashrc

Then install minisign: brew install minisign

Install the 4S alias files.

cd ~ ; mkdir .4s-core ; wget -q https://raw.githubusercontent.com/4-S/4S/master/ubuntu-bash/.4s-index -O ~/.4s-core/.4s-index ; echo 'source ~/.4s-core/.4s-index' >> ~/.bashrc ; wget -q https://raw.githubusercontent.com/4-S/4S-core/master/ubuntu-bash/.4s-core/.4s-core-index -O ~/.4s-core/.4s-core-index ; cd ~ ; wget -q https://raw.githubusercontent.com/4-S/4S-core/master/ubuntu-bash/.4s-core-custom-updater-config -O ~/.4s-core-custom-updater-config ; source ~/.bashrc

💾⚠️ Or, Ubuntu setup in 1 copy & paste

sudo apt -y install ruby git curl build-essential python-setuptools wget ; ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Linuxbrew/install/master/install)" ; echo 'export PATH="/home/linuxbrew/.linuxbrew/bin:$PATH"' >> ~/.bashrc ; echo 'export MANPATH="/home/linuxbrew/.linuxbrew/share/man:$MANPATH"' >> ~/.bashrc ; echo 'export INFOPATH="/home/linuxbrew/.linuxbrew/share/info:$INFOPATH"' >> ~/.bashrc ; echo 'export XDG_DATA_DIRS="/home/linuxbrew/.linuxbrew/share:$XDG_DATA_DIRS"' >> ~/.bashrc ; PATH="/home/linuxbrew/.linuxbrew/bin:$PATH" ; brew update --force ; brew install bash-completion ; echo "  [ -f /home/linuxbrew/.linuxbrew/bash_completion ] && . /home/linuxbrew/.linuxbrew/etc/bash_completion" >> ~/.bashrc ; source ~/.bashrc ; brew install minisign ; cd ~ ; mkdir .4s-core ; wget -q https://raw.githubusercontent.com/4-S/4S/master/ubuntu-bash/.4s-index -O ~/.4s-core/.4s-index ; echo 'source ~/.4s-core/.4s-index' >> ~/.bashrc ; wget -q https://raw.githubusercontent.com/4-S/4S-core/master/ubuntu-bash/.4s-core/.4s-core-index -O ~/.4s-core/.4s-core-index ; cd ~ ; wget -q https://raw.githubusercontent.com/4-S/4S-core/master/ubuntu-bash/.4s-core-custom-updater-config -O ~/.4s-core-custom-updater-config ; source ~/.bashrc

That was fast... 🏁

Goal

Email Context:

It would go something like this:

• I download a file + signature.

wget -q https://example.com/example.txt -O ~/example.txt
wget -q https://example.com/example.txt -O ~/example.txt.minisig

• I verify its authenticity

minisign -Vm example.txt -P RWSmY4o5Bad1vS60aYAiQUswWYVV2EuSdqc3ry7CWWF1E6bVbFG9kR/y

Right now I only wget the .txt file insecurely and use it. I would like to automatically verify-and-pass or verify-and-fail the script.

As you can see in the code snippet below. This 4s-update alias is just telling wget to override its self and then reloading the shell to use the latest changes.

4S/ubuntu-bash/.4s-index

Lines 14 to 16 in 937f966

	## 4S Update command - Re-downloads and overwrites everything except 4s-core-custom-updater stuff.
	alias 4s-update='cd ~ ; wget -q http://4s-stable.ipfu.org/ubuntu-bash/.4s-index -O ~/.4s-core/.4s-index ; wget -q http://4s-stable-core.ipfu.org/ubuntu-bash/.4s-core/.4s-core-index -O ~/.4s-core/.4s-core-index ; source ~/.bashrc'
	##

I would like these update aliases to automatically verify with minisign. For the sake of making things look clean I would like it to be a shell script subroutine that gets called from the alias. But if that's not possible, that's your call.

[reelsense]

Can you identify where in the code you would like me to inert my code?

It’s just a bunch of chained together shell commands. I want to take a download URL and automatically try and pull the additional .minisig file and verify the authenticity or abort. So if it’s possible it could be a separate shell script that I can pipe a URL into? Then I could use it through out the alias for updating.

Download file from URL > pull additional file .minisig > verify or abort:

• If it verifies, let me use the file for the rest of the alias/script.
• If it aborts move it to /tmp/?

[ppbrown]

Do you have any test cases set up? (ie: passing files, and failing files)? This SEEMS to be relatively straightfoward. I'm wondering if there's something I'm missing, it seems so easy :) writing off the cuff, non tested: function getsecurefile() { # cd to appropriate directory wget -q $1 wget -q {$1}.minisig fname=`basename $` if minisign -Vm $fname -P PasswordHere >/dev/null ; then # echo DEBUG: downloaded valid file $fname return 0 fi # File failed signature check .... # echo DEBUG: downloaded file $fname failed signature check mv $$1 $1.minisig /tmp return 1 }

[reelsense]

I’ll make some test files for you either late tonight or tomorrow. If you want you can check out my unofficial ‘Markdeep’ repo, because everything is signed with that minisign key. Just modify one file and it won’t verify.

…

-- PGP:5EC1494DC59141C0 On Oct 29, 2017, at 07:25, ppbrown <notifications@github.com> wrote: Do you have any test cases set up? (ie: passing files, and failing files)? This SEEMS to be relatively straightfoward. I'm wondering if there's something I'm missing, it seems so easy :) writing off the cuff, non tested: function getsecurefile() { # cd to appropriate directory wget -q $1 wget -q {$1}.minisig fname=`basename $` if minisign -Vm $fname -P PasswordHere >/dev/null ; then # echo DEBUG: downloaded valid file $fname return 0 fi # File failed signature check .... # echo DEBUG: downloaded file $fname failed signature check mv $$1 $1.minisig /tmp return 1 } — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFYisUN6r_Ge_cUHP-3xX6pTtJNivgBIks5sxIrsgaJpZM4P84io> .

[ppbrown]

Is that function I sent, basically all you were looking for? On Sun, Oct 29, 2017 at 2:35 PM, Bryan Black <notifications@github.com> wrote:

…

I’ll make some test files for you either late tonight or tomorrow. If you want you can check out my unofficial ‘Markdeep’ repo, because everything is signed with that minisign key. Just modify one file and it won’t verify. -- PGP:5EC1494DC59141C0 On Oct 29, 2017, at 07:25, ppbrown ***@***.***> wrote: Do you have any test cases set up? (ie: passing files, and failing files)? This SEEMS to be relatively straightfoward. I'm wondering if there's something I'm missing, it seems so easy :) writing off the cuff, non tested: function getsecurefile() { # cd to appropriate directory wget -q $1 wget -q {$1}.minisig fname=`basename $` if minisign -Vm $fname -P PasswordHere >/dev/null ; then # echo DEBUG: downloaded valid file $fname return 0 fi # File failed signature check .... # echo DEBUG: downloaded file $fname failed signature check mv $$1 $1.minisig /tmp return 1 } — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFYisUN6r_Ge_cUHP- 3xX6pTtJNivgBIks5sxIrsgaJpZM4P84io> . — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#2 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABpK-Zz3zNLXJ3ruWRoPF2LBfkOjRk70ks5sxO-mgaJpZM4P84io> .

[reelsense]

Yes, that's basically what I'm looking for. Hopefully it will be an ever-green one-trick-pony that's a no-brainer to use so more people can use it in their projects for file authentication.

---

The test files.

http://mutualparity.s3.amazonaws.com/test/fail.min.js
http://mutualparity.s3.amazonaws.com/test/fail.min.js.minisig
http://mutualparity.s3.amazonaws.com/test/pass.min.js
http://mutualparity.s3.amazonaws.com/test/pass.min.js.minisig

[ppbrown]

k. well, give it a try yourself and lemme know

…

On Mon, Oct 30, 2017 at 7:32 PM, Bryan Black ***@***.***> wrote: Yes, that's basically what I'm looking for. Hopefully it will be an *ever-green* one-trick-pony that's a no-brainer to use so more people can use it in their projects for file authentication. ------------------------------ The test files. http://mutualparity.s3.amazonaws.com/test/fail.min.js http://mutualparity.s3.amazonaws.com/test/fail.min.js.minisig http://mutualparity.s3.amazonaws.com/test/pass.min.js http://mutualparity.s3.amazonaws.com/test/pass.min.js.minisig — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#2 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABpK-QJkCVzR4ylXzmxp-KDKOt3mHxhuks5sxobKgaJpZM4P84io> .

[reelsense]

I'm trying to figure out how to get it to work as a stand alone shell script for testing purposes:

I run: ./getsecurefile.sh http://mutualparity.s3.amazonaws.com/test/pass.min.js

getsecurefile.sh contents:

#!/bin/bash
# cd to appropriate directory
wget -q $1
wget -q {$1}.minisig
fname=`basename $`
if minisign -Vm $fname -P RWSmY4o5Bad1vS60aYAiQUswWYVV2EuSdqc3ry7CWWF1E6bVbFG9kR\/y >/dev/null ; then
echo 'DEBUG: downloaded valid file $fname'
return 0
fi
# File failed signature check ....
# echo DEBUG: downloaded file $fname failed signature check
mv $$1 $1.minisig /tmp

It returns:

HOST:test user$ ./getsecurefile.sh http://mutualparity.s3.amazonaws.com/test/pass.min.js
$.minisig: No such file or directory
mv: rename 619961 to /tmp/619961: No such file or directory
mv: rename http://mutualparity.s3.amazonaws.com/test/pass.min.js.minisig to /tmp/pass.min.js.minisig: No such file or directory

[reelsense]

RESOLVED.

I managed to get it working by explicitly listing the .minisig URL. Eg. $2

I couldn't figure out the other way.

#!/bin/bash

function getsecurefile() {
# cd to appropriate directory
wget -q $1
wget -q $2
fname=`basename $1`
if minisign -Vm $fname -P RWSmY4o5Bad1vS60aYAiQUswWYVV2EuSdqc3ry7CWWF1E6bVbFG9kR/y >/dev/null ; then
echo DEBUG: downloaded valid file $fname
return 0
fi
# File failed signature check ....
echo DEBUG: downloaded file $fname failed signature check
mv $fname $fname.minisig /tmp
return 1
}

getsecurefile http://mutualparity.s3.amazonaws.com/test/fail.min.js http://mutualparity.s3.amazonaws.com/test/fail.min.js.minisig

This will properly PASS and FAIL the simulated files.

It's amazing what a little RTFM can do for me...

[ppbrown]

but;. but... thats ugly :( seems I made a typo. not supposed to be {$1} was supposed to be ${1} try that, and it will probbly work. Anyways, if youre happy with that, thats great. was fairly trivial for me. not even an hour's effort. So, if you like, just send a few amazon giftcard dollars my way, and I'll be happy :)

…

On Wed, Nov 1, 2017 at 4:50 PM, Bryan Black ***@***.***> wrote: *RESOLVED.* I managed to get it working by explicitly listing the .minisig URL. #!/bin/bash function getsecurefile() { # cd to appropriate directory wget -q $1 wget -q $2 fname=`basename $1` if minisign -Vm $fname -P RWSmY4o5Bad1vS60aYAiQUswWYVV2EuSdqc3ry7CWWF1E6bVbFG9kR/y >/dev/null ; then echo DEBUG: downloaded valid file $fname return 0 fi # File failed signature check .... echo DEBUG: downloaded file $fname failed signature check mv $fname $fname.minisig /tmp return 1 } getsecurefile http://mutualparity.s3.amazonaws.com/test/fail.min.js http://mutualparity.s3.amazonaws.com/test/fail.min.js.minisig It's amazing what a little RTFM can do for me... <https://camo.githubusercontent.com/179d8ee432308af184f707e92643cba1e6bba894/687474703a2f2f692e696d6775722e636f6d2f74387a76632e676966> — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#2 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABpK-XTVyMn9RWDxqArSgZelffMw7GcEks5syQPKgaJpZM4P84io> .

[reelsense]

Payment sent.

Thank you.

114-5376270-4386639