Created warrant_canary and first signature

DarkFeather 2019-12-06 17:08:05 -06:00
parent 72eb72c54a
commit b016ae782b
4 changed files with 174 additions and 1 deletions


@ -2,3 +2,15 @@
Warrant canaries are a security industry standard for ensuring our network has not been compromised. Warrant canaries are a security industry standard for ensuring our network has not been compromised.
https://en.wikipedia.org/wiki/Warrant_canary https://en.wikipedia.org/wiki/Warrant_canary
## ./warrant_canary
```
Use this script to seed or verify a warrant canary
Usage: ./warrant_canary -V # Verify the AniNIX's warrant canary
./warrant_canary -V -k KEY -K KEYSERVER -c CANARY # Verify another warrant canary
./warrant_canary -s # Seed a warrant canary.
Add -v to increase verbosity.
```
## ./canary.asc
This is the AniNIX's current warrant canary.
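Review bot: The usage text under `## ./warrant_canary` does not say what `-c CANARY` accepts; the verify path in this same patch tests `-f "$canary"` and otherwise falls back to `curl -s "$canary"`, so either a local file path or a URL works, and a README reader has no way to know that. It would also help to state that the script sources /opt/aninix/Uniglot/Bash/header for `header` and `errorheader`, which someone verifying the canary from outside an AniNIX host will not have, and to note that verification is the default action when no flag is given (the script calls `CanaryVerify` after the getopts loop).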

canary Normal file

@ -0,0 +1,22 @@
As of 2019-12-06, aninix.net has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order(s) by a FISA court, or any other similar court(s) of any government. AniNIX has never placed any backdoors in our hardware or software and has not received any requests to do so. AniNIX has never disclosed any user communications to any third party. No searches or seizures of any kind have ever been performed on AniNIX assets.
The next two updates should be on or before:
* 2020-03-05
* 2020-06-03
Recent news:
* https://www.aljazeera.com/blogs/americas/2019/12/chile-protesters-rich-powerful-threw-stone-191206211320350.html
* https://www.npr.org/2019/12/06/785671274/remembering-tetsu-nakamura-japanese-doctor-who-spent-decades-working-in-afghanis
To verify this message, on the terminal import our public key from pool.sks-keyservers.net and verify the canary:
$ gpg --keyserver pool.sks-keyservers.net --recv-key 1CC1E3F4ED06F296
$ gpg2 --fingerprint 1CC1E3F4ED06F296
pub ed25519 2019-05-19 [SC] [expires: 2021-05-18]
904D E627 5579 CB58 9D85 720C 1CC1 E3F4 ED06 F296
uid [ultimate] Shikoba Kage <DarkFeather@AniNIX.net>
sub cv25519 2019-05-19 [E] [expires: 2021-05-18]
$ gpg --verify <(curl -s https://foundation.aninix.net/AniNIX/WarrantCanary/raw/branch/master/canary.asc) 2>&1 | grep 'Good signature'
gpg: Good signature from "Shikoba Kage <darkfeather@aninix.net>"
There will most likely be other lines in the output from that last command, but as long as it says "Good signature", the verification worked correctly.
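Review bot: The closing sentence tells the reader that any output containing "Good signature" means verification worked, but nothing asks them to compare the signing key against the fingerprint 904D E627 5579 CB58 9D85 720C 1CC1 E3F4 ED06 F296 printed a few lines earlier. `gpg --keyserver pool.sks-keyservers.net --recv-key 1CC1E3F4ED06F296` imports whatever the pool returns for that 64-bit ID, and `gpg --verify` reports a good signature from any key in the keyring that made one, so the instructions should tell the reader to confirm the full fingerprint (ideally against a copy obtained somewhere other than the keyserver) rather than grep for the phrase alone. Separately, consider whether this unsigned `canary` file belongs in the repository: it is the `--clear-sign` input that produces canary.asc, and committing both means a visitor can land on text that carries no signature and looks identical to the signed one.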

canary.asc Normal file

@ -0,0 +1,32 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
As of 2019-12-06, aninix.net has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order(s) by a FISA court, or any other similar court(s) of any government. AniNIX has never placed any backdoors in our hardware or software and has not received any requests to do so. AniNIX has never disclosed any user communications to any third party. No searches or seizures of any kind have ever been performed on AniNIX assets.
The next two updates should be on or before:
* 2020-03-05
* 2020-06-03
Recent news:
* https://www.aljazeera.com/blogs/americas/2019/12/chile-protesters-rich-powerful-threw-stone-191206211320350.html
* https://www.npr.org/2019/12/06/785671274/remembering-tetsu-nakamura-japanese-doctor-who-spent-decades-working-in-afghanis
To verify this message, on the terminal import our public key from pool.sks-keyservers.net and verify the canary:
$ gpg --keyserver pool.sks-keyservers.net --recv-key 1CC1E3F4ED06F296
$ gpg2 --fingerprint 1CC1E3F4ED06F296
pub ed25519 2019-05-19 [SC] [expires: 2021-05-18]
904D E627 5579 CB58 9D85 720C 1CC1 E3F4 ED06 F296
uid [ultimate] Shikoba Kage <DarkFeather@AniNIX.net>
sub cv25519 2019-05-19 [E] [expires: 2021-05-18]
$ gpg --verify <(curl -s https://foundation.aninix.net/AniNIX/WarrantCanary/raw/branch/master/canary.asc) 2>&1 | grep 'Good signature'
gpg: Good signature from "Shikoba Kage <darkfeather@aninix.net>"
There will most likely be other lines in the output from that last command, but as long as it says "Good signature", the verification worked correctly.
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSQTeYnVXnLWJ2FcgwcweP07QbylgUCXerfBQAKCRAcweP07Qby
lny4AQDuEc/4nlBcZXeU1CzMiYE5lMvTHCRZJXkpF5sVzJ+ytAEAoLT6yaYrFtMl
BZWZScUx3lsJ0Q/k/pEcV5XabVFVfQA=
=z9mI
-----END PGP SIGNATURE-----
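Review bot: The expected-output line inside the signed text, `Good signature from "Shikoba Kage <darkfeather@aninix.net>"`, spells the uid differently from the fingerprint block a few lines above it (`DarkFeather@AniNIX.net`); a reader comparing the two strings literally will see a mismatch, so align them or drop the case-sensitive uid from the expected output. Also worth recording somewhere in the repository: the fingerprint block embedded in this signed message shows the key expiring 2021-05-18, and the seed routine regenerates this file every 90 days, so the key needs to be extended or rotated (and the embedded fingerprint block refreshed) before that date or later canaries will verify with an expired-key warning that the `grep 'Good signature'` check will not surface.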

warrant_canary Executable file

@ -0,0 +1,107 @@
#!/bin/bash
source /opt/aninix/Uniglot/Bash/header
unset canaryText
# cscanary=https://cryptostorm.is/canary.txt
# cskeyserver=pgp.mit.edu
# cskey=E9C7C942
keyserver=pool.sks-keyservers.net
key=1CC1E3F4ED06F296
canary=https://foundation.aninix.net/AniNIX/WarrantCanary/raw/branch/master/canary.asc
alJazeera='https://www.aljazeera.com/xml/rss/all.xml'
npr='https://www.npr.org/rss/rss.php?id=1004'
function Usage() {
# Show helptext
# param retcode: what to exit
retcode=$1
echo "Usage: $0 -V # Verify the AniNIX's warrant canary"
echo " $0 -V -k KEY -K KEYSERVER -c CANARY # Verify another warrant canary"
echo " $0 -s # Seed a warrant canary."
echo "Add -v to increase verbosity."
exit $retcode
}
function ConfirmGPGKeys() {
# Try to make sure we either have or can pull the key
if ! gpg2 --fingerprint "$key"; then
gpg --keyserver "$keyserver" --recv-key "$key"
if ! [ $? -eq 0 ] || gpg2 --fingerprint "$key"; then
echo Cannot pull the key: "$key".
exit 1;
fi
fi
}
function RecentNews() {
# Pull the first recent news article from an RSS feed.
# param rssFeed: the url to pull
rssFeed="$1"
curl -s "$rssFeed" | tr '<' '\n' | egrep -m 5 link | tail -n 1 | cut -f 2 -d '>' | cut -f 1 -d '?'
}
function CanarySeed() {
header Creating and signing a canary message
time=`date +%s`
cat > ./canary << EOM
As of $(date +%F), aninix.net has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order(s) by a FISA court, or any other similar court(s) of any government. AniNIX has never placed any backdoors in our hardware or software and has not received any requests to do so. AniNIX has never disclosed any user communications to any third party. No searches or seizures of any kind have ever been performed on AniNIX assets.
The next two updates should be on or before:
* `date -d @$(( $time + 7776000 )) +%F`
* `date -d @$(( $time + 15552000 )) +%F`
Recent news:
* $(RecentNews "$alJazeera")
* $(RecentNews "$npr")
To verify this message, on the terminal import our public key from $keyserver and verify the canary:
$ gpg --keyserver $keyserver --recv-key $key
$ gpg2 --fingerprint $key
$(gpg2 --fingerprint $key)
$ gpg --verify <(curl -s $canary) 2>&1 | grep 'Good signature'
gpg: Good signature from "Shikoba Kage <darkfeather@aninix.net>"
There will most likely be other lines in the output from that last command, but as long as it says "Good signature", the verification worked correctly.
EOM
gpg --default-key "$key" --personal-digest-preferences sha512 --clear-sign ./canary
retcode=$?
if [ $retcode -eq 0 ]; then header Success; else errorheader Fail; fi
exit $retcode
}
function CanaryVerify() {
# Verify a canary
header Fingerprinting:
ConfirmGPGKeys
echo
header Verification:
if [ -f "$canary" ]; then
canaryText="$(cat "$canary")"
else
canaryText="$(curl -s "$canary")"
fi
gpg --verify <(echo "$canaryText") 2>&1 | grep -v 'WARNING: not a detached signature'
retcode=$?
echo
header Human-readable text:
echo "$canaryText" | grep -B 99 'To verify this' | grep -v 'To verify this'
exit $retcode
}
# Parse arguments
while getopts 'c:hk:K:svV' OPTION; do
case "$OPTION" in
c) canary="$OPTARG" ;;
h) echo Use this script to seed or verify a warrant canary; Usage 0 ;;
k) key="$OPTARG" ;;
K) keyserver="$OPTARG" ;;
s) CanarySeed ;;
v) set -x ;;
V) CanaryVerify ;;
*) Usage 1 ;;
esac
done
CanaryVerify
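Review bot: `retcode=$?` after `gpg --verify <(echo "$canaryText") 2>&1 | grep -v 'WARNING: not a detached signature'` captures grep's exit status, not gpg's; `grep -v` exits 0 whenever any line survives the filter, so a BAD signature, or no signature at all (for example an HTML error page returned by `curl -s` without `-f`), still makes `CanaryVerify` exit 0. Read `${PIPESTATUS[0]}` instead, or add `set -o pipefail` at the top of the script. Three further problems in the same hunk: first, `V) CanaryVerify ;;` runs (and exits) as soon as getopts reaches `-V`, so the documented invocation `-V -k KEY -K KEYSERVER -c CANARY` verifies the AniNIX canary with the defaults and never sees the overrides; set a flag in the case statement and dispatch after the loop. Second, in `ConfirmGPGKeys`, `if ! [ $? -eq 0 ] || gpg2 --fingerprint "$key"; then` is true when the fingerprint lookup succeeds, so a key that was just pulled correctly is reported as "Cannot pull the key" and the script exits 1; the second operand needs a `!`, or the test can simply be `if ! gpg2 --fingerprint "$key"`. Third, the key is pinned only by its 64-bit ID from a keyserver pool even though the script's author knows the full fingerprint; compare the `fpr` line of `gpg2 --fingerprint --with-colons "$key"` against a hard-coded fingerprint before trusting the verify result. Minor: the script mixes the `gpg` and `gpg2` binaries, and on systems where `gpg` is GnuPG 1.x the two do not read the same keyring files, so a key received by one may be invisible to the other.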