
Closed #7.

- adding Whonix deb repository signing key with apt-key while building Whonix
- added whonix_shared/usr/bin/whonix_repository which can be used to easily disable Whonix's deb repository
- added DISTRUST_WHONIX_DEB_REPO environment variable, which can be set to 1 to easily disable Whonix's deb repository permanently
1 parent e4287c6 commit cfa0c2ee6560c99e4fc591ee9ae76ee1c0677645 adrelanos committed Jun 10, 2013
66 man/whonix_shared/whonix_repository
@@ -0,0 +1,66 @@
+whonix_repository(8) -- enable or disable Whonix deb repository
+=============================================
+
+## SYNOPSIS
+
+`whonix_repository` [option]
+
+## DESCRIPTION
+
+Enables or disables Whonix deb repository.
+
+Default action, if no option is given, is enabling Whonix repository.
+
+## OPTIONS
+ * --enable
+
+ Enables Whonix deb repository.
+
+ * --disable
+
+ Disables Whonix deb repository.
+
+ * --verbose
+
+ Verbose output
+
+## ENVIRONMENT VARIABLES
+ * DISTRUST_WHONIX_DEB_REPO
+
+ In case the environment variable DISTRUST_WHONIX_DEB_REPO is set to _1_,
+ Whonix deb repository will be disabled in any case, no matter what
+ option is given. If you want that, create a file /etc/environment and add
+
+ `DISTRUST_WHONIX_DEB_REPO=1`
+
+ reboot and run `whonix_repository` after reboot. This will ensure, that the
+ Whonix deb repository will always be disabled, even if you manually
+ updated Whonix.
+
+## RETURN VALUES
+
+0 Success
+
+1 Error
+
+## EXAMPLE
+
+`sudo whonix_repository`
+
+`sudo whonix_repository --enable`
+
+`sudo whonix_repository --enable --verbose`
+
+`sudo whonix_repository --disable`
+
+`sudo whonix_repository --disable --verbose`
+
+
+## WWW
+
+https://sourceforge.net/p/whonix/wiki/Trust/
+
+## AUTHOR
+
+This man page has been written by adrelanos (adrelanos at riseup dot net)
+
158 whonix_shared/usr/bin/whonix_repository
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+SCRIPTNAME="$(basename $0)"
+
+error_handler() {
+ BUG="1"
+ show_output
+
+ local MSG="\
+###############################################################################
+## $SCRIPTNAME script bug.
+## Please report this bug!
+##
+## BASH_COMMAND: $BASH_COMMAND
+##
+## Experts only:
+## $SCRIPTNAME --verbose
+## for verbose output. Clean the output and
+## submit to Whonix developers.
+###############################################################################\
+"
+ echo "$MSG"
+ exit 1
+}
+
+trap "error_handler" ERR
+
+root_check() {
+ if [ "$(id -u)" != "0" ]; then
+ echo "ERROR: This must be run as root (sudo)!"
+ exit 1
+ else
+ true "INFO: Script running as root."
+ fi
+}
+
+parse_cmd_options() {
+ ## Thanks to:
+ ## http://mywiki.wooledge.org/BashFAQ/035
+
+ local HELP_MSG="See:
+man $SCRIPTNAME"
+
+ ## defaults, in case run by postinst script, can
+ ## be overruled with the DISTRUST_WHONIX_DEB_REPO variable,
+ ## see: man $SCRIPTNAME
+ ENABLE="1"
+ DISABLE="0"
+
+ while :
+ do
+ case $1 in
+ -h | --help | -\?)
+ echo "$HELP_MSG"
+ exit 0
+ ;;
+ -v | --verbose)
+ echo "$SCRIPTNAME verbose output..."
+ set -x
+ VERBOSE="1"
+ shift
+ ;;
+ -e | --enable)
+ ENABLE="1"
+ DISABLE="0"
+ shift
+ ;;
+ -d | --disable)
+ DISABLE="1"
+ ENABLE="0"
+ shift
+ ;;
+ --)
+ shift
+ break
+ ;;
+ -*)
+ echo "$SCRIPTNAME unknown option: $1" >&2
+ exit 1
+ ;;
+ *)
+ break
+ ;;
+ esac
+ done
+
+ ## If there are input files (for example) that follow the options, they
+ ## will remain in the "$@" positional parameters.
+}
+
+add_keys() {
+ echo "$0: Adding from signing keys from "$1"."
+ apt-key add $1 #>/dev/null 2>/dev/null
+}
+
+revoke_keys() {
+ GPG_TMP="$(mktemp --directory)"
+
+ mkdir --parents "$GPG_TMP"
+ chmod 700 "$GPG_TMP"
+
+ gpg \
+ --homedir "$GPG_TMP" \
+ --no-default-keyring \
+ --import $1 \
+ 2>/dev/null
+
+ gpg \
+ --homedir "$GPG_TMP" \
+ --no-default-keyring \
+ --keyid-format "0xlong" \
+ --fingerprint \
+ 2>/dev/null \
+ | \
+
+ while read LINE; do
+ local FIRST_WORD="$(echo $LINE | awk '{print $1}')"
+
+ if [ ! "$FIRST_WORD" = "pub" ]; then
+ continue
+ fi
+
+ ## Ex: 4096R/0x9C131AD3713AAEEF
+ MIDDLE_WORD="$(echo $LINE | awk '{print $2}')"
+
+ FINGERPRINT="$(echo "$MIDDLE_WORD" | awk -F"/" '{ print $2 }')"
+
+ apt-key del "$FINGERPRINT" #>/dev/null 2>/dev/null
+ done
+}
+
+main_function() {
+ root_check
+
+ parse_cmd_options ${1+"$@"}
+
+ if [ "$DISTRUST_WHONIX_DEB_REPO" = "1" ]; then
+ echo "INFO $0: Environment variable DISTRUST_WHONIX_DEB_REPO is set to 1, revoking all Whonix apt keys in /usr/share/whonix/keys/whonix-keys.d/* and /usr/share/whonix/keys/whonix-keys-revoked.d/*..."
+ ENABLE="0"
+ DISABLE="1"
+ fi
+
+ if [ "$DISABLE" = "1" ]; then
+ echo "INFO $0: Revoking all Whonix apt keys in /usr/share/whonix/keys/whonix-keys.d/* and /usr/share/whonix/keys/whonix-keys-revoked.d/*..."
+ revoke_keys "/usr/share/whonix/keys/whonix-keys.d/*"
+ revoke_keys "/usr/share/whonix/keys/whonix-keys-revoked.d/*"
+ echo "INFO $0: Revoked all Whonix apt keys. Feel free to manually verify using \"sudo apt-key finger\". Showing output of \"apt-key finger\"..."
+ echo " "
+ else
+ add_keys "/usr/share/whonix/keys/whonix-keys.d/*"
+ revoke_keys "/usr/share/whonix/keys/whonix-keys-revoked.d/*"
+ fi
+
+ apt-key finger
+}
+
+main_function ${1+"$@"}
+
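Review bot: A failing `apt-key del` inside the `while read LINE` loop of revoke_keys is never caught, so the DISTRUST_WHONIX_DEB_REPO path in main_function can still print "Revoked all Whonix apt keys" after a deletion failed. The file-level ERR trap is not inherited by functions, command substitutions or subshells unless errtrace is enabled, and this loop runs in a pipeline subshell whose exit status only reflects its last body command; error_handler itself also calls `show_output`, which is not defined anywhere in this file, so it would hit "command not found" before printing the bug banner. Suggested changes: add `set -o errtrace` after the `trap "error_handler" ERR` line, drop the `show_output` call from error_handler, and make the loop body fail loudly with `apt-key del "$FINGERPRINT" || exit 1`. The glob paths passed quoted from main_function (e.g. `"/usr/share/whonix/keys/whonix-keys.d/*"`) are only expanded by the unquoted `$1` in add_keys and revoke_keys; that deserves a comment on those lines, since quoting `$1` later would silently break key import and revocation.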
1 whonix_shared/usr/share/whonix/keys/whonix-keys-revoked.d/placeholder
@@ -0,0 +1 @@
+
25 whonix_shared/usr/share/whonix/postinst.d/70_whonix_deb_key
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -x
+
+error_handler() {
+ echo "
+#############################################################
+## postinst script: ERROR detected. Please report this bug! #
+#############################################################
+"
+
+ exit 1
+}
+
+trap "error_handler" ERR
+
+own_filename="$(basename $0)"
+case $skip_scripts in
+ *$own_filename*) true "INFO: Skipping $own_filename, because skip_scripts includes it."
+ exit 0
+ ;;
+esac
+
+/usr/bin/whonix_repository
+
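Review bot: Neither the purpose of this postinst hook nor the origin of `skip_scripts` is documented, and the `*$own_filename*` case pattern matches any value that merely contains this script's name as a substring. A header comment such as `## Postinst hook: runs /usr/bin/whonix_repository to add the Whonix deb repository signing key; skipped when the externally supplied skip_scripts variable contains this script's name.` would make the contract explicit (skip_scripts is presumably set by whatever runs the postinst.d scripts; confirm). Note also that `set -x` at the top traces every command unconditionally; if that is intended for build logs, a one-line comment saying so would stop a later reader from removing it.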
