From 324dbed3129e73b01e5d8405a2671a304c42ac4a Mon Sep 17 00:00:00 2001 From: Sun Knudsen Date: Sun, 6 Jun 2021 10:12:01 -0400 Subject: [PATCH] Implemented update feature --- .../README.md | 62 ++++++++--- .../update.sh | 105 ++++++++++++++++++ .../update.sh.sig | 16 +++ 3 files changed, 170 insertions(+), 13 deletions(-) create mode 100755 how-to-create-encrypted-paper-backup/update.sh create mode 100644 how-to-create-encrypted-paper-backup/update.sh.sig diff --git a/how-to-create-encrypted-paper-backup/README.md b/how-to-create-encrypted-paper-backup/README.md index 0d9230e..062b589 100644 --- a/how-to-create-encrypted-paper-backup/README.md +++ b/how-to-create-encrypted-paper-backup/README.md @@ -252,10 +252,12 @@ $ sudo curl -o /etc/udev/rules.d/51-trezor.rules https://data.trezor.io/udev/51- ### Step 10: import Sun’s PGP public key (used to verify downloads below) ```console -$ curl https://sunknudsen.com/sunknudsen.asc | gpg --import +$ curl -o /home/pi/sunknudsen.asc https://sunknudsen.com/sunknudsen.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 6896 100 6896 0 0 6499 0 0:00:01 0:00:01 --:--:-- 6499 +100 6896 100 6896 0 0 7569 0 --:--:-- --:--:-- --:--:-- 7561 + +$ gpg --import /home/pi/sunknudsen.asc gpg: key C1323A377DE14C8B: public key "Sun Knudsen " imported gpg: Total number processed: 1 gpg: imported: 1 
@@ -475,16 +477,16 @@ Good signature $ curl -o /home/pi/.local/bin/secure-erase.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/secure-erase.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 1283 100 1283 0 0 1189 0 0:00:01 0:00:01 --:--:-- 1189 +100 1350 100 1350 0 0 992 0 0:00:01 0:00:01 --:--:-- 992 $ curl -o /home/pi/.local/bin/secure-erase.sh.sig https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/secure-erase.sh.sig % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 944 0 --:--:-- --:--:-- --:--:-- 944 +100 833 100 833 0 0 805 0 0:00:01 0:00:01 --:--:-- 805 $ gpg --verify /home/pi/.local/bin/secure-erase.sh.sig gpg: assuming signed data in '/home/pi/.local/bin/secure-erase.sh' -gpg: Signature made Mon 19 Apr 2021 12:51:50 EDT +gpg: Signature made Thu 03 Jun 2021 19:34:35 BST gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! 
@@ -571,7 +573,41 @@ Good signature 👍 -### Step 20: make filesystem read-only +### Step 20: download and verify [update.sh](./update.sh) (uupdate Trezor devices) + +```console +$ curl -o /home/pi/.local/bin/update.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/update.sh + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 1494 100 1494 0 0 1498 0 --:--:-- --:--:-- --:--:-- 149 + +$ curl -o /home/pi/.local/bin/update.sh.sig https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/update.sh.sig + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 833 100 833 0 0 929 0 --:--:-- --:--:-- --:--:-- 928 + +$ gpg --verify /home/pi/.local/bin/update.sh.sig +gpg: assuming signed data in '/home/pi/.local/bin/update.sh' +gpg: Signature made Sat 05 Jun 2021 16:01:37 BST +gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Good signature from "Sun Knudsen " [unknown] +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B + Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 + +$ chmod 700 /home/pi/.local/bin/update.sh +``` + +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints + +👍 + +Good signature + +👍 + +### Step 21: make filesystem read-only > Heads-up: shout-out to Nico Kaiser for his amazing [guide](https://gist.github.com/nicokaiser/08aa5b7b3958f171cf61549b70e8a34b) on how to configure a read-only Raspberry Pi. 
@@ -643,13 +679,13 @@ $ sudo sed -i -e 's/vfat\s*defaults\s/vfat defaults,ro/' /etc/fstab $ sudo sed -i -e 's/ext4\s*defaults,noatime\s/ext4 defaults,noatime,ro,noload/' /etc/fstab ``` -### Step 21: disable Wi-Fi (if not using ethernet) +### Step 22: disable Wi-Fi (if not using ethernet) ```shell echo "dtoverlay=disable-wifi" | sudo tee -a /boot/config.txt ``` -### Step 22: disable `dhcpcd`, `networking` and `wpa_supplicant` services and “fix” `rfkill` bug +### Step 23: disable `dhcpcd`, `networking` and `wpa_supplicant` services and “fix” `rfkill` bug ```console $ sudo systemctl disable dhcpcd networking wpa_supplicant @@ -657,13 +693,13 @@ $ sudo systemctl disable dhcpcd networking wpa_supplicant $ sudo rm /etc/profile.d/wifi-check.sh ``` -### Step 23: delete macOS hidden files (if present) +### Step 24: delete macOS hidden files (if present) ```shell sudo rm -fr /boot/.fseventsd /boot/.DS_Store /boot/.Spotlight-V100 ``` -### Step 24: reboot +### Step 25: reboot ```shell sudo systemctl reboot @@ -671,9 +707,9 @@ sudo systemctl reboot > WARNING: DO NOT CONNECT RASPBERRY PI TO NETWORK EVER AGAIN WITHOUT REINSTALLING RASPBERRY PI OS FIRST (DEVICE IS NOW “READ-ONLY” AND “COLD”). -### Step 25 (optional): disable auto-mount of `boot` volume (on macOS) +### Step 26 (optional): disable auto-mount of `boot` volume (on macOS) -> Heads-up: done to prevent macOS from writing [hidden files](#step-23-delete-macos-hidden-files-if-present) to `boot` volume which would invalidate stored SHA512 hash of micro SD card. +> Heads-up: done to prevent macOS from writing [hidden files](#step-24-delete-macos-hidden-files-if-present) to `boot` volume which would invalidate stored SHA512 hash of micro SD card. #### Enable read-only mode using switch on micro SD to SD adapter 
@@ -689,7 +725,7 @@ volume_uuid=$(diskutil info "$volume_path" | awk '/Volume UUID:/ { print $3 }') echo "UUID=$volume_uuid none msdos ro,noauto" | sudo tee -a /etc/fstab ``` -### Step 26 (optional): compute SHA512 hash of SD card and store in password manager (on macOS) +### Step 27 (optional): compute SHA512 hash of SD card and store in password manager (on macOS) Run `diskutil list` to find disk ID of micro SD card with “Raspberry Pi OS Lite” installed (`disk2` in the following example). diff --git a/how-to-create-encrypted-paper-backup/update.sh b/how-to-create-encrypted-paper-backup/update.sh new file mode 100755 index 0000000..5b8d4bf --- /dev/null +++ b/how-to-create-encrypted-paper-backup/update.sh 
@@ -0,0 +1,105 @@
+#! /bin/bash
+
+set -e
+set -o pipefail
+
+if [ "$1" = "--help" ]; then
+ printf "%s\n" "Usage: update.sh"
+ exit 0
+fi
+
+bold=$(tput bold)
+red=$(tput setaf 1)
+normal=$(tput sgr0)
+
+basedir=$(dirname "$0")
+
+dev="/dev/sda1"
+tmp="/tmp/pi"
+usb="/tmp/usb"
+
+tput reset
+
+wait_for_usb_flash_drive () {
+ if [ ! -e $dev ]; then
+ printf "$bold%s$normal" "Insert USB flash drive and press enter"
+ read -r confirmation
+ wait_for_usb_flash_drive
+ fi
+}
+
+wait_for_usb_flash_drive
+
+sudo mkdir -p $usb
+
+if ! mount | grep $dev > /dev/null; then
+ sudo mount $dev $usb --options uid=pi,gid=pi
+fi
+
+printf "$bold%s$normal\n" "Please type current date (ISO 8601 format) and press enter"
+read -r current_date
+
+if [[ "$current_date" =~ ^\d{4}-\d{2}-\d{2}$ ]]; then
+ printf "$bold$red%s$normal\n" "Invalid date"
+ exit 1
+fi
+
+sudo timedatectl set-timezone America/Montreal
+sudo date --set="$current_date"
+
+gpg --import /home/pi/sunknudsen.asc
+
+update=$(ls -t $usb/pi-qr-update-*-*-*.zip | head -1 || echo "")
+
+if [ -z "$update" ]; then
+ printf "$bold$red%s$normal\n" "Update archive not found"
+ exit 1
+fi
+
+update_sig=$(ls -t $update.sig | head -1 || echo "")
+
+if [ -z "$update_sig" ]; then
+ printf "$bold$red%s$normal\n" "Update signature not found"
+ exit 1
+fi
+
+printf "%s\n" "Verifying integrity of update…"
+
+gpg --verify $update_sig
+
+printf "%s\n" "Decompressing update…"
+
+unzip -d $tmp -o $update
+
+update_dir=$tmp/$(basename $update .zip)
+
+sudo mount -o rw,remount /
+sudo mount -o rw,remount /boot
+
+printf "%s\n" "Updating…"
+
+cd $update_dir
+
+./run.sh
+
+printf "%s\n" "Done"
+
+coutdown() {
+ tput rc
+ tput ed
+ second_s="seconds"
+ if [ "$1" = "1" ]; then
+ second_s="second"
+ fi
+ printf "$bold%s$normal" "Rebooting in $1 $second_s"
+}
+
+tput sc
+
+for ((index=10; index > 0; index--))
+do
+ coutdown $index
+ sleep 1
+done
+
+sudo systemctl reboot
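Review bot: The verification gate at `gpg --verify $update_sig` pins neither the signer nor the file being checked: gpg exits 0 for a good signature from any key in the keyring, the signed file is inferred from the signature's name, and both names come unquoted from the USB drive. Because `./run.sh` from the extracted archive runs right after `/` and `/boot` are remounted read-write, I would pass the archive explicitly, quote every expansion (including `unzip`, `basename` and `cd $update_dir`), and require a `VALIDSIG` status line ending in the primary key fingerprint the README shows. The date check above it also looks ineffective: bash's `=~` uses POSIX ERE, where `\d` is not a digit class, and the condition is inverted, so malformed input still reaches `date --set`. Changing it to `if ! [[ "$current_date" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then` fixes both.

```shell
# … unchanged: USB mount, date prompt, key import, archive and signature lookup …
printf "%s\n" "Verifying integrity of update…"

# Primary key fingerprint shown in the README's gpg --verify output
signer="C4FBDDC16A262672920D0A0FC1323A377DE14C8B"

# Require both a zero exit status and a VALIDSIG line for the pinned key
if ! status=$(gpg --status-fd 1 --verify "$update_sig" "$update") ||
  ! printf "%s\n" "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG .* $signer\$"; then
  printf "$bold$red%s$normal\n" "Invalid signature"
  exit 1
fi

printf "%s\n" "Decompressing update…"

unzip -d "$tmp" -o "$update"

update_dir="$tmp/$(basename "$update" .zip)"
# … unchanged: remount, run.sh, reboot countdown …
```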
diff --git a/how-to-create-encrypted-paper-backup/update.sh.sig b/how-to-create-encrypted-paper-backup/update.sh.sig new file mode 100644 index 0000000..84ceb1b --- /dev/null +++ b/how-to-create-encrypted-paper-backup/update.sh.sig @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmC8zeQACgkQH6dnhiu9 +EwURXA//Yb7dCnTa4lkoi5MlJnmfoIxtpd8GhLr0CxQZc4ocQt3aO8rUiQ62gwcS +ocjKlb0v/4XVyP/KZxHmaoMjJJr5bNEBeJTJjMaN+0/QY8eQ+3eYjcr5QGsrVQCq +FzpKYMd2zyHFRshsvHlwPlkTK/hA++cyNYcMGZJDX7RMvl3Z8+XkECgjs2Z0QDhq +h8hg1/wvJoVeLxC8qmFnM1c0tBIa7xpfJYZmsPIgVHK0o4EykLInGqrNpsYcIgQv +869WWBrnQylpnIcA25QkfTOS2CXJxaMA7CcG79Ooh6I8Rwgl9PbzogLY2o2Z1W96 +r+0E5DdKqGgD500hoYCRRUftCc/aHZKqD60aktWhXUivLvD0QU5CvRT/1RcHvghB ++9SKh202jY45ixgyQqWYuIfIn2s/51tCFBu4D5Qf8t1WiKmYDZF261tDx4KlnGTG +WVqwS0YzZPBL1fmzW/3O9OaC/xlO+4u6WHFXnleOdAddyXiW1e+Ev0/xOzcQdT1o +n4n5Qh1gJZcJHVM5X8qVTDmUGTVVTP0hqfGv15pYkTTVYnoInuOE2riXmaVjPumV +1Yo2YoC5oQ68BsWKCPy81fequMoxD0dkiBkloY9j2u/i9QyLucejOKWgWGcUNF5V +VGAgs244VuUdKD1IMcQrEEvakyd+snY2cb+jQiOAqoeh+PLyte4= +=7s6E +-----END PGP SIGNATURE-----