secluso
diff --git a/‎update/scripts/secluso_build_bundle.sh‎
Lines changed: 148 additions & 0 deletions b/‎update/scripts/secluso_build_bundle.sh‎
Lines changed: 148 additions & 0 deletions
diff --git a/‎update/scripts/secluso_make_test_bundle.sh‎
Lines changed: 207 additions & 0 deletions b/‎update/scripts/secluso_make_test_bundle.sh‎
Lines changed: 207 additions & 0 deletions
@@ -0,0 +1,148 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<EOF
+Usage (artifact bundle only):
+  $0 --tag vX.Y.Z --workdir ./release_work --labels A,B \\
+     --sig-a /path/to/manifest.json.A.asc --sig-b /path/to/manifest.json.B.asc \\
+     --artifact-dir /path/to/builder_bundle_dir
+
+Outputs:
+  <workdir>/<tag>/bundle/
+  <workdir>/<tag>/out/secluso-<tag>.zip
+EOF
+  exit 1
+}
+
+TAG=""
+WORKDIR=""
+LABELS=""
+SIG_A=""
+SIG_B=""
+ARTIFACT_DIR=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --tag) TAG="$2"; shift 2;;
+    --workdir) WORKDIR="$2"; shift 2;;
+    --labels) LABELS="$2"; shift 2;;
+    --sig-a) SIG_A="$2"; shift 2;;
+    --sig-b) SIG_B="$2"; shift 2;;
+    --artifact-dir) ARTIFACT_DIR="$2"; shift 2;;
+    -h|--help) usage;;
+    *) echo "Unknown arg: $1" >&2; usage;;
+  esac
+done
+
+[[ -n "$TAG" && -n "$WORKDIR" && -n "$LABELS" && -n "$SIG_A" && -n "$SIG_B" && -n "$ARTIFACT_DIR" ]] || usage
+
+IFS=',' read -r LABEL_A LABEL_B <<<"$LABELS"
+[[ -n "${LABEL_A:-}" && -n "${LABEL_B:-}" ]] || { echo "Need --labels A,B" >&2; exit 1; }
+
+REL_DIR="$WORKDIR/$TAG"
+MANIFEST="$REL_DIR/manifest.json"
+
+[[ -f "$MANIFEST" ]] || { echo "Missing manifest: $MANIFEST" >&2; exit 1; }
+[[ -f "$SIG_A" ]] || { echo "Missing sig-a: $SIG_A" >&2; exit 1; }
+[[ -f "$SIG_B" ]] || { echo "Missing sig-b: $SIG_B" >&2; exit 1; }
+[[ -d "$ARTIFACT_DIR" ]] || { echo "Missing --artifact-dir directory: $ARTIFACT_DIR" >&2; exit 1; }
+[[ -f "$ARTIFACT_DIR/manifest.json" ]] || { echo "--artifact-dir must contain manifest.json" >&2; exit 1; }
+
+hash_file() {
+  local f="$1"
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$f" | awk '{print $1}'
+  else
+    shasum -a 256 "$f" | awk '{print $1}'
+  fi
+}
+
+echo "Verifying signatures locally..."
+gpg --verify "$SIG_A" "$MANIFEST" >/dev/null
+gpg --verify "$SIG_B" "$MANIFEST" >/dev/null
+echo "OK: both signatures verify"
+
+fpr_from_sig() {
+  local sig="$1"
+  gpg --status-fd=1 --verify "$sig" "$MANIFEST" 2>/dev/null \
+    | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}'
+}
+
+FPR_A="$(fpr_from_sig "$SIG_A")"
+FPR_B="$(fpr_from_sig "$SIG_B")"
+[[ -n "$FPR_A" && -n "$FPR_B" ]] || { echo "Could not extract signer fingerprints" >&2; exit 1; }
+
+if [[ "$FPR_A" == "$FPR_B" ]]; then
+  echo "ERROR: both sigs are from the same key fingerprint: $FPR_A" >&2
+  exit 1
+fi
+
+echo "OK: distinct signer fingerprints"
+echo "  $LABEL_A -> $FPR_A"
+echo "  $LABEL_B -> $FPR_B"
+
+BUNDLE_DIR="$REL_DIR/bundle"
+OUT_DIR="$REL_DIR/out"
+rm -rf "$BUNDLE_DIR"
+mkdir -p "$BUNDLE_DIR" "$OUT_DIR"
+
+echo "Copying builder artifacts from: $ARTIFACT_DIR"
+cp -a "$ARTIFACT_DIR/." "$BUNDLE_DIR/"
+
+# Overwrite manifest.json with the signed one
+cp "$MANIFEST" "$BUNDLE_DIR/manifest.json"
+
+# Drop sigs next to manifest with expected names
+cp "$SIG_A" "$BUNDLE_DIR/manifest.json.${LABEL_A}.asc"
+cp "$SIG_B" "$BUNDLE_DIR/manifest.json.${LABEL_B}.asc"
+
+# Enforce manifest sha256 matches the actual bundle bytes
+if command -v jq >/dev/null 2>&1; then
+  echo "Checking manifest sha256 fields vs bundle contents..."
+
+  jq -r '.artifacts[] | @base64' "$BUNDLE_DIR/manifest.json" | while read -r row; do
+    _jq() { echo "$row" | base64 --decode | jq -r "$1"; }
+
+    bin_path="$(_jq '.bin_path')"
+    sha="$(_jq '.sha256')"
+
+    if [[ -z "$bin_path" || "$bin_path" == "null" ]]; then
+      echo "ERROR: artifact missing bin_path" >&2
+      exit 1
+    fi
+    if [[ -z "$sha" || "$sha" == "null" ]]; then
+      echo "ERROR: artifact $bin_path missing sha256 field in manifest.json" >&2
+      exit 1
+    fi
+
+    f="$BUNDLE_DIR/$bin_path"
+    if [[ ! -f "$f" ]]; then
+      echo "ERROR: manifest references missing file: $bin_path" >&2
+      exit 1
+    fi
+
+    got="$(hash_file "$f")"
+    want="$(echo "$sha" | tr -d ' \t\r\n' | sed 's/^sha256://I' | tr 'A-F' 'a-f')"
+
+    if [[ "$got" != "$want" ]]; then
+      echo "ERROR: sha256 mismatch for $bin_path" >&2
+      echo "  manifest: $want" >&2
+      echo "  actual:   $got" >&2
+      exit 1
+    fi
+  done
+
+  echo "OK: manifest sha256 matches all artifact files"
+else
+  echo "WARN: jq not found, skipping manifest sha256 verification"
+fi
+
+ZIP_PATH="$OUT_DIR/secluso-${TAG}.zip"
+rm -f "$ZIP_PATH"
+( cd "$BUNDLE_DIR" && zip -qr "$ZIP_PATH" . )
+
+echo
+echo "Bundle folder: $BUNDLE_DIR"
+echo "Zip asset: $ZIP_PATH"
+echo "Upload this zip as the Release asset in GitHub UI."
@@ -0,0 +1,207 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<EOF
+Usage:
+  $0 --tag vX.Y.Z --workdir ./release_work --labels L1,L2 [--test-gnupg-home /tmp/secluso_test_gnupg]
+
+Creates a realistic builder-style bundle with dummy binaries:
+  <workdir>/<tag>/builder_out/manifest.json
+  <workdir>/<tag>/builder_out/{aarch64-unknown-linux-gnu,x86_64-unknown-linux-gnu}/...
+  <workdir>/<tag>/manifest.json + manifest.sha256   (manager copy + hash)
+  <workdir>/<tag>/sigs/                             (both .asc)
+  <workdir>/<tag>/out/secluso-<tag>.zip             (to be uploaded as test release)
+
+Reuses the same two test keys across runs by keeping GNUPGHOME stable.
+EOF
+  exit 1
+}
+
+TAG=""
+WORKDIR=""
+LABELS=""
+TEST_GNUPG_HOME="/tmp/secluso_test_gnupg"
+
+# Validate args
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --tag) TAG="$2"; shift 2;;
+    --workdir) WORKDIR="$2"; shift 2;;
+    --labels) LABELS="$2"; shift 2;;
+    --test-gnupg-home) TEST_GNUPG_HOME="$2"; shift 2;;
+    -h|--help) usage;;
+    *) echo "Unknown arg: $1" >&2; usage;;
+  esac
+done
+
+[[ -n "$TAG" && -n "$WORKDIR" && -n "$LABELS" ]] || usage
+IFS=',' read -r L1 L2 <<<"$LABELS"
+[[ -n "${L1:-}" && -n "${L2:-}" ]] || { echo "Need --labels L1,L2" >&2; exit 1; }
+[[ "$L1" != "$L2" ]] || { echo "Labels must be distinct" >&2; exit 1; }
+
+# Require a v-prefixed tag
+if [[ "$TAG" != v* ]]; then
+  echo "Tag must start with 'v' (example: v0.1.0). Got: $TAG" >&2
+  exit 1
+fi
+
+REL_DIR="$WORKDIR/$TAG"
+mkdir -p "$REL_DIR"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Stable test keyring
+GNUPG_HOME="$TEST_GNUPG_HOME"
+mkdir -p "$GNUPG_HOME"
+chmod 700 "$GNUPG_HOME"
+export GNUPGHOME="$GNUPG_HOME"
+
+# Sha256 helper (mac + linux)
+sha256_file() {
+  local f="$1"
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$f" | awk '{print $1}'
+  else
+    shasum -a 256 "$f" | awk '{print $1}'
+  fi
+}
+
+# Create fake "builder output" directory
+ARTIFACT_DIR="$REL_DIR/builder_out"
+rm -rf "$ARTIFACT_DIR"
+mkdir -p "$ARTIFACT_DIR/aarch64-unknown-linux-gnu" "$ARTIFACT_DIR/x86_64-unknown-linux-gnu"
+
+# Dummy binaries (make them executable, updater will install them)
+cat > "$ARTIFACT_DIR/aarch64-unknown-linux-gnu/secluso-config-tool" <<EOF
+#!/usr/bin/env sh
+echo "dummy secluso-config-tool aarch64 for ${TAG}"
+EOF
+chmod +x "$ARTIFACT_DIR/aarch64-unknown-linux-gnu/secluso-config-tool"
+
+cat > "$ARTIFACT_DIR/x86_64-unknown-linux-gnu/secluso-config-tool" <<EOF
+#!/usr/bin/env sh
+echo "dummy secluso-config-tool x86_64 for ${TAG}"
+EOF
+chmod +x "$ARTIFACT_DIR/x86_64-unknown-linux-gnu/secluso-config-tool"
+
+# Compute sha256s that will be embedded in the signed manifest
+SHA_A="$(sha256_file "$ARTIFACT_DIR/aarch64-unknown-linux-gnu/secluso-config-tool")"
+SHA_X="$(sha256_file "$ARTIFACT_DIR/x86_64-unknown-linux-gnu/secluso-config-tool")"
+
+# Create builder-style manifest.json w/ per-artifact sha256
+cat > "$ARTIFACT_DIR/manifest.json" <<EOF
+{
+  "build": {
+    "target": "test",
+    "profile": "release",
+    "run_id": "1",
+    "timestamp": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+  },
+  "artifacts": [
+    {
+      "package": "config_tool",
+      "target": "aarch64-unknown-linux-gnu",
+      "bin": "secluso-config-tool",
+      "bin_path": "aarch64-unknown-linux-gnu/secluso-config-tool",
+      "crate": "config_tool",
+      "version": "${TAG#v}",
+      "crate_lock_sha256": "test",
+      "rust_digest": "test",
+      "sha256": "${SHA_A}"
+    },
+    {
+      "package": "config_tool",
+      "target": "x86_64-unknown-linux-gnu",
+      "bin": "secluso-config-tool",
+      "bin_path": "x86_64-unknown-linux-gnu/secluso-config-tool",
+      "crate": "config_tool",
+      "version": "${TAG#v}",
+      "crate_lock_sha256": "test",
+      "rust_digest": "test",
+      "sha256": "${SHA_X}"
+    }
+  ]
+}
+EOF
+
+echo "Created fake builder_out at: $ARTIFACT_DIR"
+echo "  aarch64 sha256: $SHA_A"
+echo "  x86_64  sha256: $SHA_X"
+echo
+
+# Manager step: copy builder manifest into <workdir>/<tag>/manifest.json + write manifest.sha256
+"$SCRIPT_DIR/secluso_prepare_release_dir.sh" \
+  --tag "$TAG" \
+  --workdir "$WORKDIR" \
+  --labels "$LABELS" \
+  --artifact-dir "$ARTIFACT_DIR"
+
+MANIFEST="$REL_DIR/manifest.json"
+SHA_FILE="$REL_DIR/manifest.sha256"
+SIG_DIR="$REL_DIR/sigs"
+mkdir -p "$SIG_DIR"
+
+# Find an existing key by UID fragment, otherwisewe can create it.
+ensure_key() {
+  local uid="$1"
+  local existing
+  existing="$(gpg --with-colons --list-keys "$uid" 2>/dev/null | awk -F: '$1=="fpr" {print $10; exit}' || true)"
+  if [[ -n "$existing" ]]; then
+    echo "$existing"
+    return
+  fi
+
+  gpg --batch --pinentry-mode loopback --passphrase "" \
+    --quick-generate-key "$uid" ed25519 sign 5y >/dev/null
+
+  gpg --with-colons --fingerprint "$uid" | awk -F: '$1=="fpr" {print $10; exit}'
+}
+
+UID1="secluso-test-${L1} <secluso-test-${L1}@example.invalid>"
+UID2="secluso-test-${L2} <secluso-test-${L2}@example.invalid>"
+
+FPR1="$(ensure_key "$UID1")"
+FPR2="$(ensure_key "$UID2")"
+
+if [[ "$FPR1" == "$FPR2" ]]; then
+  echo "ERROR: both labels resolved to the same key fingerprint; aborting" >&2
+  exit 1
+fi
+
+echo "Using test keys from GNUPGHOME=$GNUPG_HOME"
+echo "  $L1 -> $FPR1"
+echo "  $L2 -> $FPR2"
+echo
+
+# Sign as each label (signer script verifies sha-file etc)
+"$SCRIPT_DIR/secluso_sign_manifest.sh" \
+  --manifest "$MANIFEST" \
+  --sha-file "$SHA_FILE" \
+  --label "$L1" \
+  --key "$FPR1" \
+  --outdir "$SIG_DIR"
+
+"$SCRIPT_DIR/secluso_sign_manifest.sh" \
+  --manifest "$MANIFEST" \
+  --sha-file "$SHA_FILE" \
+  --label "$L2" \
+  --key "$FPR2" \
+  --outdir "$SIG_DIR"
+
+# Build a real bundle (copies builder_out, overlays the signed manifest + signature files)
+"$SCRIPT_DIR/secluso_build_bundle.sh" \
+  --tag "$TAG" \
+  --workdir "$WORKDIR" \
+  --labels "$LABELS" \
+  --sig-a "$SIG_DIR/manifest.json.${L1}.asc" \
+  --sig-b "$SIG_DIR/manifest.json.${L2}.asc" \
+  --artifact-dir "$ARTIFACT_DIR"
+
+echo
+echo "Test bundle ready at: $REL_DIR/out/secluso-${TAG}.zip"
+echo "Keys are persisted at: $GNUPG_HOME"
+echo
+echo "If you want the updater to accept these via GitHub keys, export + add them to your GitHub account:"
+echo "  gpg --armor --export $FPR1"
+echo "  gpg --armor --export $FPR2"