YunoHost-Apps/trustyhash_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/trustyhash_ynh.git synced 2024-09-04 01:15:56 +02:00
Code Issues Activity Actions

Merge pull request #1 from YunoHost-Apps/jarod5001-testing

Browse source 
Jarod5001 testing
This commit is contained in:
jarod5001 2022-05-07 12:07:40 +01:00 committed by GitHub
commit c1c023146d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 1266 additions and 413 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

393
README.md
View file

@ -1,45 +1,79 @@
# Packaging your an app, starting from this example
- Copy this app before working on it, using the ['Use this template'](https://github.com/YunoHost/example_ynh/generate) button on the Github repo.
- Edit the `manifest.json` with app specific info.
- Edit the `install`, `upgrade`, `remove`, `backup`, and `restore` scripts, and any relevant conf files in `conf/`.
- Using the [script helpers documentation.](https://yunohost.org/packaging_apps_helpers)
- Add a `LICENSE` file for the package.
- Edit `doc/DISCLAIMER*.md`
- The `README.md` files are to be automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
---
<!--
N.B.: This README was automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
It shall NOT be edited by hand.
-->
# Example app for YunoHost
# TrustyHash for YunoHost
[![Integration level](https://dash.yunohost.org/integration/example.svg)](https://dash.yunohost.org/appci/app/example) ![](https://ci-apps.yunohost.org/ci/badges/example.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/example.maintain.svg)
[![Install Example app with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=example)
[![Integration level](https://dash.yunohost.org/integration/trustyhash.svg)](https://dash.yunohost.org/appci/app/trustyhash) ![](https://ci-apps.yunohost.org/ci/badges/trustyhash.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/trustyhash.maintain.svg)
[![Install TrustyHash with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=trustyhash)
*[Lire ce readme en français.](./README_fr.md)*
> *This package allows you to install Example app quickly and simply on a YunoHost server.
> *This package allows you to install TrustyHash quickly and simply on a YunoHost server.
If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.*
## Overview
Some long and extensive description of what the app is and does, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
# TrustyHash - A Trustable Hash Calculator
### Features
TrustyHash is a small [client-side](https://unhosted.org/) web application that
computes SHA-256 hash values on both local files and on remote URLs, with a
strong emphasis on a process that will allow you to trust the results. Works
offline!
- Ut enim ad minim veniam, quis nostrud exercitation ullamco ;
- Laboris nisi ut aliquip ex ea commodo consequat ;
- Duis aute irure dolor in reprehenderit in voluptate ;
- Velit esse cillum dolore eu fugiat nulla pariatur ;
- Excepteur sint occaecat cupidatat non proident, sunt in culpa."
TrustyHash homepage: https://github.com/sprin/TrustyHash
[Use it here](https://sprin.github.io/TrustyHash/)
## How is this useful?
Integrity: "We have in hand the same set of sequences of bits that came into
existence when the object was created" - [Lynch](http://www.clir.org/pubs/reports/pub92/lynch.html)
"Friends don't let friends use unverified downloads."
This fills a need for a verifiable, web-based hash calculator written in free
JavaScript. If you already use the command-line hash utilities on your
system, you should continue to use those. This is targeted towards users who do
not have or are unable to use the hash utilities on their local systems. While
universal command-line-literacy is a good goal, the concepts of file integrity and
authenticity and the ability to use tools for verification are perhaps more
fundamental.
Integrity is the first link in secure systems, and key to determining
authenticity. If we trust the association between an author and the hash value
of a file they created, perhaps because we trust them and they gave us the
hash in person, we can authenticate whether a file we believe to be the same
really did come from them. We can achieve the same result if the author had
used a signing key, and signed and distributed a hash value along with the
file, and we could trust the association between a particular key and the
author - albeit with somewhat more complexity and caveats (eg, has the signing
key been kept private?).
In a few words, this tool aims to enable verification of integrity and
authenticity claims in an accessible way that depends only on a trusted hash
value and the correctness and integrity of the TrustyHash app and the browser
it executes in. See the section "Trust" below for recommendations on
how to verify integrity of this application.
## Usage
Local files can be opened from a file select dialog, or dragged into the "drop
area". Remote URLs can be entered, and if the remote server allows cross-origin
GET requests via
[CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS),
the file will be downloaded to the browser, with the option of saving locally.
It's recommended to save the application, verify the integrity, and use the
saved copy from then on. To save from the browser, use "Save Page" > "Web Page,
HTML Only", and use a filename of `TrustyHash.html`. To verify, read the
section on "Trust" below.
**Shipped version:** 1.0~ynh1
**Demo:** https://demo.example.com
**Demo:** https://sprin.github.io/TrustyHash/
## Screenshots
@ -47,37 +81,310 @@ Some long and extensive description of what the app is and does, lorem ipsum dol
## Disclaimers / important information
* Any known limitations, constrains or stuff not working, such as (but not limited to):
* requiring a full dedicated domain ?
* architectures not supported ?
* not-working single-sign on or LDAP integration ?
* the app requires an important amount of RAM / disk / .. to install or to work properly
* etc...
## Trust
* Other infos that people should be aware of, such as:
* any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...)
* how to configure / administrate the application if it ain't obvious
* upgrade process / specificities / things to be aware of ?
* security considerations ?
This app does the hash calculation in the browser using the
[WebCryptoAPI](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest).
This means we can trust the hash calculation under the following assumptions:
- The integrity of the application has been preserved when it executes in the
browser.
- The browser and any extensions can be trusted.
### Integrity of the TrustyHash itself
Because the application itself is a single HTML file which can be saved locally,
there are various means for verifying integrity.
#### Trusted Hash Utility
The most reliable way to verify is to compute the hash of the HTML file with a
trusted hash utility on the local system, and compare against the values
published below.
#### Code Audit
Someone familiar with JavaScript can spend a few minutes reading the concise
source to be assured that the program does what it claims to.
#### No Hash Utility, Can't Audit Code?
Hmm, no trusted hash utility, can't audit the code... you just can't give up
and use your copy of TrustyHash without trusting it! While you could try some
half-measure like getting some kind of consensus on the hash value of
TrustyHash from untrusted hash utilities on the web, maybe other copies of
TrustyHash found elsewhere... ultimately if you really need to trust
TrustyHash, you've got to be a bit more rigorous.
Without knowing a thing about JavaScript until this moment, you can create a
very small, simple program in about 5 minutes, that while not as nice as
TrustyHash perhaps, will get the job of hashing a local file done. As long as
you can follow along as the following code is explained, and you can be pretty
confident the code is not doing anything fishy, you can use this to verify
TrustyHash itself. I'll show you the whole program up-front before I explain
it - see, 5 minutes, no more!
```
<!doctype html>
<html>
<body>
<script>
var fileinput = document.createElement('input')
fileinput.type = 'file'
fileinput.onchange = function(){
var reader = new FileReader()
reader.readAsArrayBuffer(this.files[0]);
reader.onload = function(){
crypto.subtle.digest("SHA-256", this.result)
.then(function(buffer) {
var hexCodes = []
var view = new DataView(buffer)
for (var i = 0; i < view.byteLength; i += 1) {
var stringValue = view.getUint8(i).toString(16)
var paddedValue = ('0' + stringValue).slice(-2)
hexCodes.push(paddedValue)}
alert(hexCodes.join(""))})}}
document.body.appendChild(fileinput)
</script>
</body>
</html>
```
JavaScript programmers may take offense with the lack of conventional
formatting above, but I'm trying to making this easy to re-type for someone who
shouldn't need to be concerned with formatting conventions.
Now a more-or-less line-by-line explanation:
```
<!doctype html>
<html>
<body>
<input type="file">
<script>
```
These lines declare an HTML document with a file input and a script. HTML
technically requires a `<head>` element, but I'm trying to save you a bit of
typing. Now let's get into the JavaScript itself:
```
document.querySelector('input').onchange = function(){
```
This says, when a file is selected via the file input...
```
var reader = new FileReader()
```
...create a reader to read the file.
```
reader.readAsArrayBuffer(this.files[0])
```
Read the file into memory.
```
reader.onload = function(){
```
When the reader finishes...
```
crypto.subtle.digest("SHA-256", this.result)
```
Hash the buffer with SHA-256.
```
.then(function(buffer) {
```
When hashing finishes, we have an unprintable object, called a buffer...
```
var hexCodes = []
```
...that we want to turn in to printable hex codes, which is just a way to
represent a number using only the characters 0 to 9 and 'a' to 'f'. Hex codes
are the standard representation of SHA-256 hash values.
```
var view = new DataView(buffer)
```
We create a view so we can read the buffer in chunks.
```
for (var i = 0; i < view.byteLength; i += 1) {
```
With each byte-size chunk...
```
var stringValue = view.getUint8(i).toString(16)
```
...convert each chunk to a number and get a string, which is just something we
can print. The string will be one or two hex digits.
```
var paddedValue = ('0' + stringValue).slice(-2)
```
To correctly print the string as a hex code, we need to add a zero to the front
in case the number is less than two hex digits, keeping the last two digits.
```
hexCodes.push(paddedValue)}
```
Keep the string we just created before moving on to the next chunk.
```
alert(hexCodes.join(""))})}}
```
Join all the strings created from each chunk together and pop it up on the
screen. That's it!
```
</script>
</body>
</html>
```
Oh, and we need these lines to formally close the HTML document.
If you followed all that, put this code into a file called
`TrustyHashLite.html` and open it up in your browser. I recommend re-typing,
rather than copy-pasting, since there are a bunch of sneaky ways someone could
trick you into copy-pasting something besides what you see on a web page. If
creating HTML files by hand is a bit confusing, you can save [the file I
created for
you](https://raw.githubusercontent.com/sprin/TrustyHash/master/TrustyHashLite.html)
as long as you promise you will make sure the code matches the above after you
have saved it. One way to do this is to open the file in a browser, right-click
and select "View Page Source".
Open the `TrustyHashLite.html` file in your browser, click the file input
button, select the `TrustyHash.html` you saved earlier. If the printed hex code
matches the published hash values, congratulations, you just wrote a program
that computes SHA-256 hashes *and* used it to validate TrustyHash!
### Hash Values
TODO: Publish hash value for 1.0.0
### Integrity of the Browser
In order to trust the results of TrustyHash, we need to trust the browser that
it runs in. Is the implementation of WebCryptoAPI to be trusted? Are extensions
able to modify the result the user sees?
If one is able to see the source of the browser and deterministic, reproducible
builds are possible, then we can start to form a strong basis of trust. Closed
source browsers must be excluded - the vendor is not able to assert a strong
claim of *what* they are distributing. At best, they may be able to publish
complete specifications for all functionality, but users still must trust the
vendor ultimately to actually implement the specifications as claimed. The
point is moot since no closed-source browser vendor publishes complete
specifications anyway.
Currently, open-source browsers are little better off. Deterministic builds are
still a work-in-progress for all popular open-source browsers
([Tor Browser](https://blog.torproject.org/category/tags/deterministic-builds),
[Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=885777),
[Chromium](https://bugs.chromium.org/p/chromium/issues/detail?id=314403).
Without deterministic builds, we must still trust the vendor ultimately to
build and distribute what they say they are building. If we trust the vendor
when they say, "deterministic builds are hard, we are working on it", and we
can trust them to secure their build environment, then we can take the signed
hash values they publish to represent the objects built from the published
sources.
So then there are three realistic ways we might have a trusted browser on our
systems:
- A verified open-source browser was bundled with our trusted operating system
distro.
- We installed an open-source browser from a trusted package manager that
handled checking verification for us.
- We downloaded the open-source browser directly from the vendor and checked
the signatures/hashes ourselves.
The third possible way, which is only feasible for a tiny fraction of extremely
diligent users, is to build the browser from source, rebuilding whenever
security updates are pushed to users.
Since the majority of browser users do not use an operating system that bundles
a verified open-source browser nor supplies a package manager which can
download and verify an open-source browser for them, this leaves manually
verifying. Because no operating system makes it easy or obvious to verify
signed downloads and awareness of the importance of verification is very low,
we have to conclude that the majority of browser users have very little basis
for trusting their browser. Similar arguments can be made for the operating
system as a whole.
So where does that leave us? Is running any program inside a browser with any
degre of trust hopeless for the vast majority of users? I would say that we may
be forced to accept some uncertainty that a program such as TrustyHash will
produce the correct results in an untrusted browser. If we accept this
uncertainty, we can use TrustyHash to bootstrap trust for a new browser or even
operating system. This, I think, is the real value of TrustyHash - to bootstrap
trust on a system by providing the best possible effort at producing trusted
hash values in an accessible way.
## Deployment
The entire application is packaged in a single, brief HTML file. Simply deploy
the file under the web server root directory.
## Why only SHA-256?
SHA-256 remains the de facto standard for verifying files via hash in 2016.
Here are some popular projects have standardized on SHA-256 for verifying
release materials:
- [Tor Browser](https://www.torproject.org/docs/verifying-signatures.html#BuildVerification)
- [OpenBSD](http://man.openbsd.org/signify)
- [FreeBSD](https://www.freebsd.org/releases/10.2R/signatures.html)
- [Centos](http://mirror.centos.org/centos/7/isos/x86_64/sha256sum.txt)
- [Fedora](https://getfedora.org/verify)
In the interests of standardization and keeping things simple, only SHA-256
will be shown. A possible addition to this project is to allow the user to
select other hash algorithms, with SHA-256 remaining the default.
## Limitations
When the application is retrieved on an HTTPS connection, the application
cannot fetch HTTP URLs due to restrictions against [mixed active
content](https://developer.mozilla.org/en-US/docs/Security/Mixed_content#Mixed_active_content]).
A workaround for this is to save the page locally and open the local copy in
the browser, as recommended anyway.
## Documentation and resources
* Official app website: https://example.com
* Official user documentation: https://yunohost.org/apps
* Official admin documentation: https://yunohost.org/packaging_apps
* Upstream app code repository: https://some.forge.com/example/example
* YunoHost documentation for this app: https://yunohost.org/app_example
* Report a bug: https://github.com/YunoHost-Apps/example_ynh/issues
* Official app website: https://github.com/sprin/TrustyHash
* Official user documentation: https://github.com/sprin/TrustyHash
* Upstream app code repository: https://github.com/sprin/TrustyHash
* YunoHost documentation for this app: https://yunohost.org/app_trustyhash
* Report a bug: https://github.com/YunoHost-Apps/trustyhash_ynh/issues
## Developer info
Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/example_ynh/tree/testing).
Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing).
To try the testing branch, please proceed like that.
```
sudo yunohost app install https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
sudo yunohost app install https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing --debug
or
sudo yunohost app upgrade example -u https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
sudo yunohost app upgrade trustyhash -u https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing --debug
```
**More info regarding app packaging:** https://yunohost.org/packaging_apps

382
README_fr.md
View file

@ -1,30 +1,75 @@
# Example app pour YunoHost
# TrustyHash pour YunoHost
[![Niveau d'intégration](https://dash.yunohost.org/integration/example.svg)](https://dash.yunohost.org/appci/app/example) ![](https://ci-apps.yunohost.org/ci/badges/example.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/example.maintain.svg)
[![Installer Example app avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=example)
[![Niveau d'intégration](https://dash.yunohost.org/integration/trustyhash.svg)](https://dash.yunohost.org/appci/app/trustyhash) ![](https://ci-apps.yunohost.org/ci/badges/trustyhash.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/trustyhash.maintain.svg)
[![Installer TrustyHash avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=trustyhash)
*[Read this readme in english.](./README.md)*
*[Lire ce readme en français.](./README_fr.md)*
> *Ce package vous permet d'installer Example app rapidement et simplement sur un serveur YunoHost.
> *Ce package vous permet d'installer TrustyHash rapidement et simplement sur un serveur YunoHost.
Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.*
## Vue d'ensemble
Some long and extensive description of what the app is and does, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
# TrustyHash - A Trustable Hash Calculator
### Features
TrustyHash is a small [client-side](https://unhosted.org/) web application that
computes SHA-256 hash values on both local files and on remote URLs, with a
strong emphasis on a process that will allow you to trust the results. Works
offline!
- Ut enim ad minim veniam, quis nostrud exercitation ullamco ;
- Laboris nisi ut aliquip ex ea commodo consequat ;
- Duis aute irure dolor in reprehenderit in voluptate ;
- Velit esse cillum dolore eu fugiat nulla pariatur ;
- Excepteur sint occaecat cupidatat non proident, sunt in culpa."
TrustyHash homepage: https://github.com/sprin/TrustyHash
[Use it here](https://sprin.github.io/TrustyHash/)
## How is this useful?
Integrity: "We have in hand the same set of sequences of bits that came into
existence when the object was created" - [Lynch](http://www.clir.org/pubs/reports/pub92/lynch.html)
"Friends don't let friends use unverified downloads."
This fills a need for a verifiable, web-based hash calculator written in free
JavaScript. If you already use the command-line hash utilities on your
system, you should continue to use those. This is targeted towards users who do
not have or are unable to use the hash utilities on their local systems. While
universal command-line-literacy is a good goal, the concepts of file integrity and
authenticity and the ability to use tools for verification are perhaps more
fundamental.
Integrity is the first link in secure systems, and key to determining
authenticity. If we trust the association between an author and the hash value
of a file they created, perhaps because we trust them and they gave us the
hash in person, we can authenticate whether a file we believe to be the same
really did come from them. We can achieve the same result if the author had
used a signing key, and signed and distributed a hash value along with the
file, and we could trust the association between a particular key and the
author - albeit with somewhat more complexity and caveats (eg, has the signing
key been kept private?).
In a few words, this tool aims to enable verification of integrity and
authenticity claims in an accessible way that depends only on a trusted hash
value and the correctness and integrity of the TrustyHash app and the browser
it executes in. See the section "Trust" below for recommendations on
how to verify integrity of this application.
## Usage
Local files can be opened from a file select dialog, or dragged into the "drop
area". Remote URLs can be entered, and if the remote server allows cross-origin
GET requests via
[CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS),
the file will be downloaded to the browser, with the option of saving locally.
It's recommended to save the application, verify the integrity, and use the
saved copy from then on. To save from the browser, use "Save Page" > "Web Page,
HTML Only", and use a filename of `TrustyHash.html`. To verify, read the
section on "Trust" below.
**Version incluse :** 1.0~ynh1
**Démo :** https://demo.example.com
**Démo :** https://sprin.github.io/TrustyHash/
## Captures d'écran
@ -32,37 +77,310 @@ Some long and extensive description of what the app is and does, lorem ipsum dol
## Avertissements / informations importantes
* Any known limitations, constrains or stuff not working, such as (but not limited to):
* requiring a full dedicated domain ?
* architectures not supported ?
* not-working single-sign on or LDAP integration ?
* the app requires an important amount of RAM / disk / .. to install or to work properly
* etc...
## Trust
* Other infos that people should be aware of, such as:
* any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...)
* how to configure / administrate the application if it ain't obvious
* upgrade process / specificities / things to be aware of ?
* security considerations ?
This app does the hash calculation in the browser using the
[WebCryptoAPI](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest).
This means we can trust the hash calculation under the following assumptions:
- The integrity of the application has been preserved when it executes in the
browser.
- The browser and any extensions can be trusted.
### Integrity of the TrustyHash itself
Because the application itself is a single HTML file which can be saved locally,
there are various means for verifying integrity.
#### Trusted Hash Utility
The most reliable way to verify is to compute the hash of the HTML file with a
trusted hash utility on the local system, and compare against the values
published below.
#### Code Audit
Someone familiar with JavaScript can spend a few minutes reading the concise
source to be assured that the program does what it claims to.
#### No Hash Utility, Can't Audit Code?
Hmm, no trusted hash utility, can't audit the code... you just can't give up
and use your copy of TrustyHash without trusting it! While you could try some
half-measure like getting some kind of consensus on the hash value of
TrustyHash from untrusted hash utilities on the web, maybe other copies of
TrustyHash found elsewhere... ultimately if you really need to trust
TrustyHash, you've got to be a bit more rigorous.
Without knowing a thing about JavaScript until this moment, you can create a
very small, simple program in about 5 minutes, that while not as nice as
TrustyHash perhaps, will get the job of hashing a local file done. As long as
you can follow along as the following code is explained, and you can be pretty
confident the code is not doing anything fishy, you can use this to verify
TrustyHash itself. I'll show you the whole program up-front before I explain
it - see, 5 minutes, no more!
```
<!doctype html>
<html>
<body>
<script>
var fileinput = document.createElement('input')
fileinput.type = 'file'
fileinput.onchange = function(){
var reader = new FileReader()
reader.readAsArrayBuffer(this.files[0]);
reader.onload = function(){
crypto.subtle.digest("SHA-256", this.result)
.then(function(buffer) {
var hexCodes = []
var view = new DataView(buffer)
for (var i = 0; i < view.byteLength; i += 1) {
var stringValue = view.getUint8(i).toString(16)
var paddedValue = ('0' + stringValue).slice(-2)
hexCodes.push(paddedValue)}
alert(hexCodes.join(""))})}}
document.body.appendChild(fileinput)
</script>
</body>
</html>
```
JavaScript programmers may take offense with the lack of conventional
formatting above, but I'm trying to making this easy to re-type for someone who
shouldn't need to be concerned with formatting conventions.
Now a more-or-less line-by-line explanation:
```
<!doctype html>
<html>
<body>
<input type="file">
<script>
```
These lines declare an HTML document with a file input and a script. HTML
technically requires a `<head>` element, but I'm trying to save you a bit of
typing. Now let's get into the JavaScript itself:
```
document.querySelector('input').onchange = function(){
```
This says, when a file is selected via the file input...
```
var reader = new FileReader()
```
...create a reader to read the file.
```
reader.readAsArrayBuffer(this.files[0])
```
Read the file into memory.
```
reader.onload = function(){
```
When the reader finishes...
```
crypto.subtle.digest("SHA-256", this.result)
```
Hash the buffer with SHA-256.
```
.then(function(buffer) {
```
When hashing finishes, we have an unprintable object, called a buffer...
```
var hexCodes = []
```
...that we want to turn in to printable hex codes, which is just a way to
represent a number using only the characters 0 to 9 and 'a' to 'f'. Hex codes
are the standard representation of SHA-256 hash values.
```
var view = new DataView(buffer)
```
We create a view so we can read the buffer in chunks.
```
for (var i = 0; i < view.byteLength; i += 1) {
```
With each byte-size chunk...
```
var stringValue = view.getUint8(i).toString(16)
```
...convert each chunk to a number and get a string, which is just something we
can print. The string will be one or two hex digits.
```
var paddedValue = ('0' + stringValue).slice(-2)
```
To correctly print the string as a hex code, we need to add a zero to the front
in case the number is less than two hex digits, keeping the last two digits.
```
hexCodes.push(paddedValue)}
```
Keep the string we just created before moving on to the next chunk.
```
alert(hexCodes.join(""))})}}
```
Join all the strings created from each chunk together and pop it up on the
screen. That's it!
```
</script>
</body>
</html>
```
Oh, and we need these lines to formally close the HTML document.
If you followed all that, put this code into a file called
`TrustyHashLite.html` and open it up in your browser. I recommend re-typing,
rather than copy-pasting, since there are a bunch of sneaky ways someone could
trick you into copy-pasting something besides what you see on a web page. If
creating HTML files by hand is a bit confusing, you can save [the file I
created for
you](https://raw.githubusercontent.com/sprin/TrustyHash/master/TrustyHashLite.html)
as long as you promise you will make sure the code matches the above after you
have saved it. One way to do this is to open the file in a browser, right-click
and select "View Page Source".
Open the `TrustyHashLite.html` file in your browser, click the file input
button, select the `TrustyHash.html` you saved earlier. If the printed hex code
matches the published hash values, congratulations, you just wrote a program
that computes SHA-256 hashes *and* used it to validate TrustyHash!
### Hash Values
TODO: Publish hash value for 1.0.0
### Integrity of the Browser
In order to trust the results of TrustyHash, we need to trust the browser that
it runs in. Is the implementation of WebCryptoAPI to be trusted? Are extensions
able to modify the result the user sees?
If one is able to see the source of the browser and deterministic, reproducible
builds are possible, then we can start to form a strong basis of trust. Closed
source browsers must be excluded - the vendor is not able to assert a strong
claim of *what* they are distributing. At best, they may be able to publish
complete specifications for all functionality, but users still must trust the
vendor ultimately to actually implement the specifications as claimed. The
point is moot since no closed-source browser vendor publishes complete
specifications anyway.
Currently, open-source browsers are little better off. Deterministic builds are
still a work-in-progress for all popular open-source browsers
([Tor Browser](https://blog.torproject.org/category/tags/deterministic-builds),
[Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=885777),
[Chromium](https://bugs.chromium.org/p/chromium/issues/detail?id=314403).
Without deterministic builds, we must still trust the vendor ultimately to
build and distribute what they say they are building. If we trust the vendor
when they say, "deterministic builds are hard, we are working on it", and we
can trust them to secure their build environment, then we can take the signed
hash values they publish to represent the objects built from the published
sources.
So then there are three realistic ways we might have a trusted browser on our
systems:
- A verified open-source browser was bundled with our trusted operating system
distro.
- We installed an open-source browser from a trusted package manager that
handled checking verification for us.
- We downloaded the open-source browser directly from the vendor and checked
the signatures/hashes ourselves.
The third possible way, which is only feasible for a tiny fraction of extremely
diligent users, is to build the browser from source, rebuilding whenever
security updates are pushed to users.
Since the majority of browser users do not use an operating system that bundles
a verified open-source browser nor supplies a package manager which can
download and verify an open-source browser for them, this leaves manually
verifying. Because no operating system makes it easy or obvious to verify
signed downloads and awareness of the importance of verification is very low,
we have to conclude that the majority of browser users have very little basis
for trusting their browser. Similar arguments can be made for the operating
system as a whole.
So where does that leave us? Is running any program inside a browser with any
degre of trust hopeless for the vast majority of users? I would say that we may
be forced to accept some uncertainty that a program such as TrustyHash will
produce the correct results in an untrusted browser. If we accept this
uncertainty, we can use TrustyHash to bootstrap trust for a new browser or even
operating system. This, I think, is the real value of TrustyHash - to bootstrap
trust on a system by providing the best possible effort at producing trusted
hash values in an accessible way.
## Deployment
The entire application is packaged in a single, brief HTML file. Simply deploy
the file under the web server root directory.
## Why only SHA-256?
SHA-256 remains the de facto standard for verifying files via hash in 2016.
Here are some popular projects have standardized on SHA-256 for verifying
release materials:
- [Tor Browser](https://www.torproject.org/docs/verifying-signatures.html#BuildVerification)
- [OpenBSD](http://man.openbsd.org/signify)
- [FreeBSD](https://www.freebsd.org/releases/10.2R/signatures.html)
- [Centos](http://mirror.centos.org/centos/7/isos/x86_64/sha256sum.txt)
- [Fedora](https://getfedora.org/verify)
In the interests of standardization and keeping things simple, only SHA-256
will be shown. A possible addition to this project is to allow the user to
select other hash algorithms, with SHA-256 remaining the default.
## Limitations
When the application is retrieved on an HTTPS connection, the application
cannot fetch HTTP URLs due to restrictions against [mixed active
content](https://developer.mozilla.org/en-US/docs/Security/Mixed_content#Mixed_active_content]).
A workaround for this is to save the page locally and open the local copy in
the browser, as recommended anyway.
## Documentations et ressources
* Site officiel de l'app : https://example.com
* Documentation officielle utilisateur : https://yunohost.org/apps
* Documentation officielle de l'admin : https://yunohost.org/packaging_apps
* Dépôt de code officiel de l'app : https://some.forge.com/example/example
* Documentation YunoHost pour cette app : https://yunohost.org/app_example
* Signaler un bug : https://github.com/YunoHost-Apps/example_ynh/issues
* Site officiel de l'app : https://github.com/sprin/TrustyHash
* Documentation officielle utilisateur : https://github.com/sprin/TrustyHash
* Dépôt de code officiel de l'app : https://github.com/sprin/TrustyHash
* Documentation YunoHost pour cette app : https://yunohost.org/app_trustyhash
* Signaler un bug : https://github.com/YunoHost-Apps/trustyhash_ynh/issues
## Informations pour les développeurs
Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/example_ynh/tree/testing).
Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing).
Pour essayer la branche testing, procédez comme suit.
```
sudo yunohost app install https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
sudo yunohost app install https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing --debug
ou
sudo yunohost app upgrade example -u https://github.com/YunoHost-Apps/example_ynh/tree/testing --debug
sudo yunohost app upgrade trustyhash -u https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing --debug
```
**Plus d'infos sur le packaging d'applications :** https://yunohost.org/packaging_apps

12
check_process
View file

@ -8,10 +8,6 @@
domain="domain.tld"
path="/path"
is_public=1
language="fr"
admin="john"
password="1Strong-Password"
port="666"
; Checks
pkg_linter=1
setup_sub_dir=1
@ -20,15 +16,13 @@
setup_private=1
setup_public=1
upgrade=1
upgrade=1 from_commit=CommitHash
backup_restore=1
multi_instance=1
port_already_use=0
change_url=1
;;; Options
Email=
;Email=
Notification=none
;;; Upgrade options
; commit=CommitHash
name=Name and date of the commit.
manifest_arg=domain=DOMAIN&path=PATH&is_public=1&language=fr&admin=USER&password=pass&port=666&
; name=Name and date of the commit.
; manifest_arg=domain=DOMAIN&path=PATH&is_public=1&language=fr&admin=USER&password=pass&port=666&

8
conf/app.src
View file

@ -1,7 +1,7 @@
SOURCE_URL=url of app's source
SOURCE_SUM=sha256 checksum
SOURCE_URL=https://github.com/sprin/TrustyHash/archive/refs/heads/master.zip
SOURCE_SUM=52b48d4f6e18144424d158ad01e4adf0609a2d475792929b41265c56f5fa2d51
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=tar.gz
SOURCE_FORMAT=zip
SOURCE_IN_SUBDIR=true
SOURCE_FILENAME=
SOURCE_FILENAME=index.html
SOURCE_EXTRACT=true

18
conf/nginx.conf
View file

@ -5,23 +5,7 @@ location __PATH__/ {
alias __FINALPATH__/ ;
### Example PHP configuration (remove it if not used)
index index.php;
# Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
#client_max_body_size 50M;
try_files $uri $uri/ index.php;
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
### End of PHP configuration part
index index.html;
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;

10
conf/php-fpm.conf
View file

@ -419,12 +419,12 @@ chdir = __FINALPATH__
;php_admin_value[memory_limit] = 32M
; Common values to change to increase file upload limit
; php_admin_value[upload_max_filesize] = 50M
; php_admin_value[post_max_size] = 50M
php_admin_value[upload_max_filesize] = 1G
php_admin_value[post_max_size] = 1G
; php_admin_flag[mail.add_x_header] = Off
; Other common parameters
; php_admin_value[max_execution_time] = 600
; php_admin_value[max_input_time] = 300
; php_admin_value[memory_limit] = 256M
php_admin_value[max_execution_time] = 600
php_admin_value[max_input_time] = 300
php_admin_value[memory_limit] = 256M
; php_admin_flag[short_open_tag] = On

45
conf/systemd.service
View file

@ -1,45 +0,0 @@
[Unit]
Description=Small description of the service
After=network.target
[Service]
Type=simple
User=__APP__
Group=__APP__
WorkingDirectory=__FINALPATH__/
ExecStart=__FINALPATH__/script
StandardOutput=append:/var/log/__APP__/__APP__.log
StandardError=inherit
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install]
WantedBy=multi-user.target

59
doc/DESCRIPTION.md
View file

@ -1,9 +1,54 @@
Some long and extensive description of what the app is and does, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
# TrustyHash - A Trustable Hash Calculator
### Features
TrustyHash is a small [client-side](https://unhosted.org/) web application that
computes SHA-256 hash values on both local files and on remote URLs, with a
strong emphasis on a process that will allow you to trust the results. Works
offline!
- Ut enim ad minim veniam, quis nostrud exercitation ullamco ;
- Laboris nisi ut aliquip ex ea commodo consequat ;
- Duis aute irure dolor in reprehenderit in voluptate ;
- Velit esse cillum dolore eu fugiat nulla pariatur ;
- Excepteur sint occaecat cupidatat non proident, sunt in culpa."
TrustyHash homepage: https://github.com/sprin/TrustyHash
[Use it here](https://sprin.github.io/TrustyHash/)
## How is this useful?
Integrity: "We have in hand the same set of sequences of bits that came into
existence when the object was created" - [Lynch](http://www.clir.org/pubs/reports/pub92/lynch.html)
"Friends don't let friends use unverified downloads."
This fills a need for a verifiable, web-based hash calculator written in free
JavaScript. If you already use the command-line hash utilities on your
system, you should continue to use those. This is targeted towards users who do
not have or are unable to use the hash utilities on their local systems. While
universal command-line-literacy is a good goal, the concepts of file integrity and
authenticity and the ability to use tools for verification are perhaps more
fundamental.
Integrity is the first link in secure systems, and key to determining
authenticity. If we trust the association between an author and the hash value
of a file they created, perhaps because we trust them and they gave us the
hash in person, we can authenticate whether a file we believe to be the same
really did come from them. We can achieve the same result if the author had
used a signing key, and signed and distributed a hash value along with the
file, and we could trust the association between a particular key and the
author - albeit with somewhat more complexity and caveats (eg, has the signing
key been kept private?).
In a few words, this tool aims to enable verification of integrity and
authenticity claims in an accessible way that depends only on a trusted hash
value and the correctness and integrity of the TrustyHash app and the browser
it executes in. See the section "Trust" below for recommendations on
how to verify integrity of this application.
## Usage
Local files can be opened from a file select dialog, or dragged into the "drop
area". Remote URLs can be entered, and if the remote server allows cross-origin
GET requests via
[CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS),
the file will be downloaded to the browser, with the option of saving locally.
It's recommended to save the application, verify the integrity, and use the
saved copy from then on. To save from the browser, use "Save Page" > "Web Page,
HTML Only", and use a filename of `TrustyHash.html`. To verify, read the
section on "Trust" below.

296
doc/DISCLAIMER.md
View file

@ -1,12 +1,286 @@
* Any known limitations, constrains or stuff not working, such as (but not limited to):
* requiring a full dedicated domain ?
* architectures not supported ?
* not-working single-sign on or LDAP integration ?
* the app requires an important amount of RAM / disk / .. to install or to work properly
* etc...
## Trust
* Other infos that people should be aware of, such as:
* any specific step to perform after installing (such as manually finishing the install, specific admin credentials, ...)
* how to configure / administrate the application if it ain't obvious
* upgrade process / specificities / things to be aware of ?
* security considerations ?
This app does the hash calculation in the browser using the
[WebCryptoAPI](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest).
This means we can trust the hash calculation under the following assumptions:
- The integrity of the application has been preserved when it executes in the
browser.
- The browser and any extensions can be trusted.
### Integrity of the TrustyHash itself
Because the application itself is a single HTML file which can be saved locally,
there are various means for verifying integrity.
#### Trusted Hash Utility
The most reliable way to verify is to compute the hash of the HTML file with a
trusted hash utility on the local system, and compare against the values
published below.
#### Code Audit
Someone familiar with JavaScript can spend a few minutes reading the concise
source to be assured that the program does what it claims to.
#### No Hash Utility, Can't Audit Code?
Hmm, no trusted hash utility, can't audit the code... you just can't give up
and use your copy of TrustyHash without trusting it! While you could try some
half-measure like getting some kind of consensus on the hash value of
TrustyHash from untrusted hash utilities on the web, maybe other copies of
TrustyHash found elsewhere... ultimately if you really need to trust
TrustyHash, you've got to be a bit more rigorous.
Without knowing a thing about JavaScript until this moment, you can create a
very small, simple program in about 5 minutes, that while not as nice as
TrustyHash perhaps, will get the job of hashing a local file done. As long as
you can follow along as the following code is explained, and you can be pretty
confident the code is not doing anything fishy, you can use this to verify
TrustyHash itself. I'll show you the whole program up-front before I explain
it - see, 5 minutes, no more!
```
<!doctype html>
<html>
<body>
<script>
var fileinput = document.createElement('input')
fileinput.type = 'file'
fileinput.onchange = function(){
var reader = new FileReader()
reader.readAsArrayBuffer(this.files[0]);
reader.onload = function(){
crypto.subtle.digest("SHA-256", this.result)
.then(function(buffer) {
var hexCodes = []
var view = new DataView(buffer)
for (var i = 0; i < view.byteLength; i += 1) {
var stringValue = view.getUint8(i).toString(16)
var paddedValue = ('0' + stringValue).slice(-2)
hexCodes.push(paddedValue)}
alert(hexCodes.join(""))})}}
document.body.appendChild(fileinput)
</script>
</body>
</html>
```
JavaScript programmers may take offense with the lack of conventional
formatting above, but I'm trying to making this easy to re-type for someone who
shouldn't need to be concerned with formatting conventions.
Now a more-or-less line-by-line explanation:
```
<!doctype html>
<html>
<body>
<input type="file">
<script>
```
These lines declare an HTML document with a file input and a script. HTML
technically requires a `<head>` element, but I'm trying to save you a bit of
typing. Now let's get into the JavaScript itself:
```
document.querySelector('input').onchange = function(){
```
This says, when a file is selected via the file input...
```
var reader = new FileReader()
```
...create a reader to read the file.
```
reader.readAsArrayBuffer(this.files[0])
```
Read the file into memory.
```
reader.onload = function(){
```
When the reader finishes...
```
crypto.subtle.digest("SHA-256", this.result)
```
Hash the buffer with SHA-256.
```
.then(function(buffer) {
```
When hashing finishes, we have an unprintable object, called a buffer...
```
var hexCodes = []
```
...that we want to turn in to printable hex codes, which is just a way to
represent a number using only the characters 0 to 9 and 'a' to 'f'. Hex codes
are the standard representation of SHA-256 hash values.
```
var view = new DataView(buffer)
```
We create a view so we can read the buffer in chunks.
```
for (var i = 0; i < view.byteLength; i += 1) {
```
With each byte-size chunk...
```
var stringValue = view.getUint8(i).toString(16)
```
...convert each chunk to a number and get a string, which is just something we
can print. The string will be one or two hex digits.
```
var paddedValue = ('0' + stringValue).slice(-2)
```
To correctly print the string as a hex code, we need to add a zero to the front
in case the number is less than two hex digits, keeping the last two digits.
```
hexCodes.push(paddedValue)}
```
Keep the string we just created before moving on to the next chunk.
```
alert(hexCodes.join(""))})}}
```
Join all the strings created from each chunk together and pop it up on the
screen. That's it!
```
</script>
</body>
</html>
```
Oh, and we need these lines to formally close the HTML document.
If you followed all that, put this code into a file called
`TrustyHashLite.html` and open it up in your browser. I recommend re-typing,
rather than copy-pasting, since there are a bunch of sneaky ways someone could
trick you into copy-pasting something besides what you see on a web page. If
creating HTML files by hand is a bit confusing, you can save [the file I
created for
you](https://raw.githubusercontent.com/sprin/TrustyHash/master/TrustyHashLite.html)
as long as you promise you will make sure the code matches the above after you
have saved it. One way to do this is to open the file in a browser, right-click
and select "View Page Source".
Open the `TrustyHashLite.html` file in your browser, click the file input
button, select the `TrustyHash.html` you saved earlier. If the printed hex code
matches the published hash values, congratulations, you just wrote a program
that computes SHA-256 hashes *and* used it to validate TrustyHash!
### Hash Values
TODO: Publish hash value for 1.0.0
### Integrity of the Browser
In order to trust the results of TrustyHash, we need to trust the browser that
it runs in. Is the implementation of WebCryptoAPI to be trusted? Are extensions
able to modify the result the user sees?
If one is able to see the source of the browser and deterministic, reproducible
builds are possible, then we can start to form a strong basis of trust. Closed
source browsers must be excluded - the vendor is not able to assert a strong
claim of *what* they are distributing. At best, they may be able to publish
complete specifications for all functionality, but users still must trust the
vendor ultimately to actually implement the specifications as claimed. The
point is moot since no closed-source browser vendor publishes complete
specifications anyway.
Currently, open-source browsers are little better off. Deterministic builds are
still a work-in-progress for all popular open-source browsers
([Tor Browser](https://blog.torproject.org/category/tags/deterministic-builds),
[Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=885777),
[Chromium](https://bugs.chromium.org/p/chromium/issues/detail?id=314403).
Without deterministic builds, we must still trust the vendor ultimately to
build and distribute what they say they are building. If we trust the vendor
when they say, "deterministic builds are hard, we are working on it", and we
can trust them to secure their build environment, then we can take the signed
hash values they publish to represent the objects built from the published
sources.
So then there are three realistic ways we might have a trusted browser on our
systems:
- A verified open-source browser was bundled with our trusted operating system
distro.
- We installed an open-source browser from a trusted package manager that
handled checking verification for us.
- We downloaded the open-source browser directly from the vendor and checked
the signatures/hashes ourselves.
The third possible way, which is only feasible for a tiny fraction of extremely
diligent users, is to build the browser from source, rebuilding whenever
security updates are pushed to users.
Since the majority of browser users do not use an operating system that bundles
a verified open-source browser nor supplies a package manager which can
download and verify an open-source browser for them, this leaves manually
verifying. Because no operating system makes it easy or obvious to verify
signed downloads and awareness of the importance of verification is very low,
we have to conclude that the majority of browser users have very little basis
for trusting their browser. Similar arguments can be made for the operating
system as a whole.
So where does that leave us? Is running any program inside a browser with any
degre of trust hopeless for the vast majority of users? I would say that we may
be forced to accept some uncertainty that a program such as TrustyHash will
produce the correct results in an untrusted browser. If we accept this
uncertainty, we can use TrustyHash to bootstrap trust for a new browser or even
operating system. This, I think, is the real value of TrustyHash - to bootstrap
trust on a system by providing the best possible effort at producing trusted
hash values in an accessible way.
## Deployment
The entire application is packaged in a single, brief HTML file. Simply deploy
the file under the web server root directory.
## Why only SHA-256?
SHA-256 remains the de facto standard for verifying files via hash in 2016.
Here are some popular projects have standardized on SHA-256 for verifying
release materials:
- [Tor Browser](https://www.torproject.org/docs/verifying-signatures.html#BuildVerification)
- [OpenBSD](http://man.openbsd.org/signify)
- [FreeBSD](https://www.freebsd.org/releases/10.2R/signatures.html)
- [Centos](http://mirror.centos.org/centos/7/isos/x86_64/sha256sum.txt)
- [Fedora](https://getfedora.org/verify)
In the interests of standardization and keeping things simple, only SHA-256
will be shown. A possible addition to this project is to allow the user to
select other hash algorithms, with SHA-256 remaining the default.
## Limitations
When the application is retrieved on an HTTPS connection, the application
cannot fetch HTTP URLs due to restrictions against [mixed active
content](https://developer.mozilla.org/en-US/docs/Security/Mixed_content#Mixed_active_content]).
A workaround for this is to save the page locally and open the local copy in
the browser, as recommended anyway.

61
manifest.json
View file

@ -1,25 +1,24 @@
{
"name": "Example app",
"id": "example",
"name": "TrustyHash",
"id": "trustyhash",
"packaging_format": 1,
"description": {
"en": "Explain in *a few (10~15) words* the purpose of the app or what it actually does (it is meant to give a rough idea to users browsing a catalog of 100+ apps)",
"fr": "Expliquez en *quelques* (10~15) mots l'utilité de l'app ou ce qu'elle fait (l'objectif est de donner une idée grossière pour des utilisateurs qui naviguent dans un catalogue de 100+ apps)"
"en": "a small client-side web application that computes SHA-256 hash values on both local files and on remote URLs. Works offline!",
"fr": "une petite application Web côté client qui calcule les valeurs de hachage SHA-256 sur les fichiers locaux et sur les URL distantes. Fonctionne hors ligne !"
},
"version": "1.0~ynh1",
"url": "https://example.com",
"url": "https://github.com/sprin/TrustyHash",
"upstream": {
"license": "free",
"website": "https://example.com",
"demo": "https://demo.example.com",
"admindoc": "https://yunohost.org/packaging_apps",
"userdoc": "https://yunohost.org/apps",
"code": "https://some.forge.com/example/example"
"license": "MIT",
"website": "https://github.com/sprin/TrustyHash",
"demo": "https://sprin.github.io/TrustyHash/",
"userdoc": "https://github.com/sprin/TrustyHash",
"code": "https://github.com/sprin/TrustyHash"
},
"license": "free",
"license": "MIT",
"maintainer": {
"name": "John doe",
"email": "john.doe@example.com"
"name": "jarod5001",
"email": ""
},
"requirements": {
"yunohost": ">= 4.3.0"
@ -27,8 +26,7 @@
"multi_instance": true,
"services": [
"nginx",
"php7.3-fpm",
"mysql"
"php7.3-fpm"
],
"arguments": {
"install" : [
@ -39,35 +37,8 @@
{
"name": "path",
"type": "path",
"example": "/example",
"default": "/example"
},
{
"name": "is_public",
"type": "boolean",
"default": true
},
{
"name": "language",
"type": "string",
"ask": {
"en": "Choose the application language",
"fr": "Choisissez la langue de l'application"
},
"choices": ["fr", "en"],
"default": "fr"
},
{
"name": "admin",
"type": "user"
},
{
"name": "password",
"type": "password",
"help": {
"en": "Use the help field to add an information for the admin about this question.",
"fr": "Utilisez le champ aide pour ajouter une information à l'intention de l'administrateur à propos de cette question."
}
"example": "/trustyhash",
"default": "/trustyhash"
}
]
}

2
scripts/_common.sh
View file

@ -5,7 +5,7 @@
#=================================================
# dependencies used by the app
pkg_dependencies="deb1 deb2 php$YNH_DEFAULT_PHP_VERSION-deb1 php$YNH_DEFAULT_PHP_VERSION-deb2"
YNH_PHP_VERSION="7.3"
#=================================================
# PERSONAL HELPERS

22
scripts/backup
View file

@ -30,9 +30,9 @@ app=$YNH_APP_INSTANCE_NAME
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
domain=$(ynh_app_setting_get --app=$app --key=domain)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
# db_name=$(ynh_app_setting_get --app=$app --key=db_name)
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
datadir=$(ynh_app_setting_get --app=$app --key=datadir)
# datadir=$(ynh_app_setting_get --app=$app --key=datadir)
#=================================================
# DECLARE DATA AND CONF FILES TO BACKUP
@ -54,7 +54,7 @@ ynh_backup --src_path="$final_path"
# BACKUP THE DATA DIR
#=================================================
ynh_backup --src_path="$datadir" --is_big
# ynh_backup --src_path="$datadir" --is_big
#=================================================
# BACKUP THE NGINX CONFIGURATION
@ -72,8 +72,8 @@ ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
# BACKUP FAIL2BAN CONFIGURATION
#=================================================
ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf"
ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
# ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf"
# ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
#=================================================
# SPECIFIC BACKUP
@ -81,31 +81,31 @@ ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
# BACKUP LOGROTATE
#=================================================
ynh_backup --src_path="/etc/logrotate.d/$app"
# ynh_backup --src_path="/etc/logrotate.d/$app"
#=================================================
# BACKUP SYSTEMD
#=================================================
ynh_backup --src_path="/etc/systemd/system/$app.service"
# ynh_backup --src_path="/etc/systemd/system/$app.service"
#=================================================
# BACKUP VARIOUS FILES
#=================================================
ynh_backup --src_path="/etc/cron.d/$app"
# ynh_backup --src_path="/etc/cron.d/$app"
ynh_backup --src_path="/etc/$app/"
# ynh_backup --src_path="/etc/$app/"
#=================================================
# BACKUP THE MYSQL DATABASE
#=================================================
ynh_print_info --message="Backing up the MySQL database..."
# ynh_print_info --message="Backing up the MySQL database..."
### (However, things like MySQL dumps *do* take some time to run, though the
### copy of the generated dump to the archive still happens later)
ynh_mysql_dump_db --database="$db_name" > db.sql
# ynh_mysql_dump_db --database="$db_name" > db.sql
#=================================================
# END OF SCRIPT

16
scripts/change_url
View file

@ -24,7 +24,7 @@ app=$YNH_APP_INSTANCE_NAME
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --time --weight=1
ynh_script_progression --message="Loading installation settings..." --weight=1
# Needed for helper "ynh_add_nginx_config"
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
@ -37,7 +37,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
#=================================================
# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP
#=================================================
ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --time --weight=1
ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --weight=1
# Backup the current version of the app
ynh_backup_before_upgrade
@ -72,14 +72,14 @@ fi
#=================================================
# STOP SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Stopping a systemd service..." --time --weight=1
ynh_script_progression --message="Stopping a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
#=================================================
# MODIFY URL IN NGINX CONF
#=================================================
ynh_script_progression --message="Updating NGINX web server configuration..." --time --weight=1
ynh_script_progression --message="Updating NGINX web server configuration..." --weight=1
nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
@ -116,14 +116,14 @@ fi
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --time --weight=1
# ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
# ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1
ynh_script_progression --message="Reloading NGINX web server..." --weight=1
ynh_systemd_action --service_name=nginx --action=reload
@ -131,4 +131,4 @@ ynh_systemd_action --service_name=nginx --action=reload
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Change of URL completed for $app" --time --last
ynh_script_progression --message="Change of URL completed for $app" --last

127
scripts/install
View file

@ -26,10 +26,12 @@ ynh_abort_if_errors
domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH
is_public=$YNH_APP_ARG_IS_PUBLIC
language=$YNH_APP_ARG_LANGUAGE
admin=$YNH_APP_ARG_ADMIN
password=$YNH_APP_ARG_PASSWORD
phpversion=$YNH_PHP_VERSION
# is_public=$YNH_APP_ARG_IS_PUBLIC
# language=$YNH_APP_ARG_LANGUAGE
# admin=$YNH_APP_ARG_ADMIN
# password=$YNH_APP_ARG_PASSWORD
### If it's a multi-instance app, meaning it can be installed several times independently
### The id of the app as stated in the manifest is available as $YNH_APP_ID
@ -46,15 +48,15 @@ app=$YNH_APP_INSTANCE_NAME
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
### About --weight and --time
### About --weight and
### ynh_script_progression will show to your final users the progression of each scripts.
### In order to do that, --weight will represent the relative time of execution compared to the other steps in the script.
### --time is a packager option, it will show you the execution time since the previous call.
### is a packager option, it will show you the execution time since the previous call.
### This option should be removed before releasing your app.
### Use the execution time, given by --time, to estimate the weight of a step.
### Use the execution time, given by , to estimate the weight of a step.
### A common way to do it is to set a weight equal to the execution time in second +1.
### The execution time is given for the duration since the previous call. So the weight should be applied to this previous call.
ynh_script_progression --message="Validating installation parameters..." --time --weight=1
ynh_script_progression --message="Validating installation parameters..." --weight=1
### If the app uses NGINX as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app".
### If the app provides an internal web server (or uses another application server such as uWSGI), the final path should be "/opt/yunohost/$app"
@ -67,19 +69,22 @@ ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_script_progression --message="Storing installation settings..." --time --weight=1
ynh_script_progression --message="Storing installation settings..." --weight=1
ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=language --value=$language
ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=phpversion --value=$phpversion
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# ynh_app_setting_set --app=$app --key=language --value=$language
# ynh_app_setting_set --app=$app --key=admin --value=$admin
#=================================================
# STANDARD MODIFICATIONS
#=================================================
# FIND AND OPEN A PORT
#=================================================
ynh_script_progression --message="Finding an available port..." --time --weight=1
# ynh_script_progression --message="Finding an available port..." --weight=1
### Use these lines if you have to open a port for the application
### `ynh_find_port` will find the first available port starting from the given port.
@ -87,21 +92,21 @@ ynh_script_progression --message="Finding an available port..." --time --weight=
### - Remove the section "CLOSE A PORT" in the remove script
# Find an available port
port=$(ynh_find_port --port=8095)
ynh_app_setting_set --app=$app --key=port --value=$port
# port=$(ynh_find_port --port=8095)
# ynh_app_setting_set --app=$app --key=port --value=$port
# Optional: Expose this port publicly
# (N.B.: you only need to do this if the app actually needs to expose the port publicly.
# If you do this and the app doesn't actually need you are CREATING SECURITY HOLES IN THE SERVER !)
# Open the port
# ynh_script_progression --message="Configuring firewall..." --time --weight=1
# ynh_script_progression --message="Configuring firewall..." --weight=1
# ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Installing dependencies..." --time --weight=1
# ynh_script_progression --message="Installing dependencies..." --weight=1
### `ynh_install_app_dependencies` allows you to add any "apt" dependencies to the package.
### Those deb packages will be installed as dependencies of this package.
@ -111,12 +116,12 @@ ynh_script_progression --message="Installing dependencies..." --time --weight=1
### - As well as the section "REINSTALL DEPENDENCIES" in the restore script
### - And the section "UPGRADE DEPENDENCIES" in the upgrade script
ynh_install_app_dependencies $pkg_dependencies
# ynh_install_app_dependencies $pkg_dependencies
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Configuring system user..." --time --weight=1
ynh_script_progression --message="Configuring system user..." --weight=1
# Create a system user
ynh_system_user_create --username=$app --home_dir="$final_path"
@ -124,7 +129,7 @@ ynh_system_user_create --username=$app --home_dir="$final_path"
#=================================================
# CREATE A MYSQL DATABASE
#=================================================
ynh_script_progression --message="Creating a MySQL database..." --time --weight=1
# ynh_script_progression --message="Creating a MySQL database..." --weight=1
### Use these lines if you need a database for the application.
### `ynh_mysql_setup_db` will create a database, an associated user and a ramdom password.
@ -135,15 +140,15 @@ ynh_script_progression --message="Creating a MySQL database..." --time --weight=
### - Remove also the section "REMOVE THE MYSQL DATABASE" in the remove script
### - As well as the section "RESTORE THE MYSQL DATABASE" in the restore script
db_name=$(ynh_sanitize_dbid --db_name=$app)
db_user=$db_name
ynh_app_setting_set --app=$app --key=db_name --value=$db_name
ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
# db_name=$(ynh_sanitize_dbid --db_name=$app)
# db_user=$db_name
# ynh_app_setting_set --app=$app --key=db_name --value=$db_name
# ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Setting up source files..." --time --weight=1
ynh_script_progression --message="Setting up source files..." --weight=1
### `ynh_setup_source` is used to install an app from a zip or tar.gz file,
### downloaded from an upstream source, like a git repository.
@ -166,7 +171,7 @@ chown -R $app:www-data "$final_path"
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring NGINX web server..." --time --weight=1
ynh_script_progression --message="Configuring NGINX web server..." --weight=1
### `ynh_add_nginx_config` will use the file conf/nginx.conf
@ -176,7 +181,7 @@ ynh_add_nginx_config
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring PHP-FPM..." --time --weight=1
ynh_script_progression --message="Configuring PHP-FPM..." --weight=1
### `ynh_add_fpm_config` is used to set up a PHP config.
### You can remove it if your app doesn't use PHP.
@ -201,7 +206,7 @@ ynh_add_fpm_config
#=================================================
# CREATE DATA DIRECTORY
#=================================================
ynh_script_progression --message="Creating a data directory..." --time --weight=1
# ynh_script_progression --message="Creating a data directory..." --weight=1
### Use these lines if you need to create a directory to store "persistent files" for the application.
### Usually this directory is used to store uploaded files or any file that won't be updated during
@ -211,10 +216,10 @@ ynh_script_progression --message="Creating a data directory..." --time --weight=
### - Remove the section "RESTORE THE DATA DIRECTORY" in the restore script
### - As well as the section "REMOVE DATA DIR" in the remove script
datadir=/home/yunohost.app/$app
ynh_app_setting_set --app=$app --key=datadir --value=$datadir
# datadir=/home/yunohost.app/$app
# ynh_app_setting_set --app=$app --key=datadir --value=$datadir
mkdir -p $datadir
# mkdir -p $datadir
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
@ -222,14 +227,14 @@ mkdir -p $datadir
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$datadir"
chmod -R o-rwx "$datadir"
chown -R $app:www-data "$datadir"
# chmod 750 "$datadir"
# chmod -R o-rwx "$datadir"
# chown -R $app:www-data "$datadir"
#=================================================
# ADD A CONFIGURATION
#=================================================
ynh_script_progression --message="Adding a configuration file..." --time --weight=1
# ynh_script_progression --message="Adding a configuration file..." --weight=1
### You can add specific configuration files.
###
@ -243,13 +248,13 @@ ynh_script_progression --message="Adding a configuration file..." --time --weigh
###
### Check the documentation of `ynh_add_config` for more info.
ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
# ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
# FIXME: this should be handled by the core in the future
# You may need to use chmod 600 instead of 400,
# for example if the app is expected to be able to modify its own config
chmod 400 "$final_path/some_config_file"
chown $app:$app "$final_path/some_config_file"
# chmod 400 "$final_path/some_config_file"
# chown $app:$app "$final_path/some_config_file"
### For more complex cases where you want to replace stuff using regexes,
### you shoud rely on ynh_replace_string (which is basically a wrapper for sed)
@ -261,7 +266,7 @@ chown $app:$app "$final_path/some_config_file"
#=================================================
# SETUP SYSTEMD
#=================================================
ynh_script_progression --message="Configuring a systemd service..." --time --weight=1
# ynh_script_progression --message="Configuring a systemd service..." --weight=1
### `ynh_systemd_config` is used to configure a systemd script for an app.
### It can be used for apps that use sysvinit (with adaptation) or systemd.
@ -275,7 +280,7 @@ ynh_script_progression --message="Configuring a systemd service..." --time --wei
### - And the section "SETUP SYSTEMD" in the upgrade script
# Create a dedicated systemd config
ynh_add_systemd_config
# ynh_add_systemd_config
#=================================================
# SETUP APPLICATION WITH CURL
@ -287,23 +292,23 @@ ynh_add_systemd_config
### forms.
# Set the app as temporarily public for curl call
ynh_script_progression --message="Configuring SSOwat..." --time --weight=1
# ynh_script_progression --message="Configuring SSOwat..." --weight=1
# Making the app public for curl
ynh_permission_update --permission="main" --add="visitors"
# ynh_permission_update --permission="main" --add="visitors"
# Installation with curl
ynh_script_progression --message="Finalizing installation..." --time --weight=1
ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3"
# ynh_script_progression --message="Finalizing installation..." --weight=1
# ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3"
# Remove the public access
ynh_permission_update --permission="main" --remove="visitors"
# ynh_permission_update --permission="main" --remove="visitors"
#=================================================
# GENERIC FINALIZATION
#=================================================
# SETUP LOGROTATE
#=================================================
ynh_script_progression --message="Configuring log rotation..." --time --weight=1
# ynh_script_progression --message="Configuring log rotation..." --weight=1
### `ynh_use_logrotate` is used to configure a logrotate configuration for the logs of this app.
### Use this helper only if there is effectively a log file for this app.
@ -314,12 +319,12 @@ ynh_script_progression --message="Configuring log rotation..." --time --weight=1
### - And the section "SETUP LOGROTATE" in the upgrade script
# Use logrotate to manage application logfile(s)
ynh_use_logrotate
# ynh_use_logrotate
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --time --weight=1
# ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
### `yunohost service add` integrates a service in YunoHost. It then gets
### displayed in the admin interface and through the others `yunohost service` commands.
@ -330,7 +335,7 @@ ynh_script_progression --message="Integrating service in YunoHost..." --time --w
### - As well as the section "INTEGRATE SERVICE IN YUNOHOST" in the restore script
### - And the section "INTEGRATE SERVICE IN YUNOHOST" in the upgrade script
yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
# yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
### Additional options starting with 3.8:
###
@ -351,7 +356,7 @@ yunohost service add $app --description="A short description of the app" --log="
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --time --weight=1
# ynh_script_progression --message="Starting a systemd service..." --weight=1
### `ynh_systemd_action` is used to start a systemd service for an app.
### Only needed if you have configure a systemd service
@ -362,44 +367,44 @@ ynh_script_progression --message="Starting a systemd service..." --time --weight
### - And the section "STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the change_url script
# Start a systemd service
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
# ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# SETUP FAIL2BAN
#=================================================
ynh_script_progression --message="Configuring Fail2Ban..." --time --weight=1
# ynh_script_progression --message="Configuring Fail2Ban..." --weight=1
# Create a dedicated Fail2Ban config
ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
# ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Configuring permissions..." --time --weight=1
# ynh_script_progression --message="Configuring permissions..." --weight=1
# Make app public if necessary
if [ $is_public -eq 1 ]
then
# if [ $is_public -eq 1 ]
# then
# Everyone can access the app.
# The "main" permission is automatically created before the install script.
ynh_permission_update --permission="main" --add="visitors"
fi
# ynh_permission_update --permission="main" --add="visitors"
# fi
### N.B. : the following extra permissions only make sense if your app
### does have for example an admin interface or an API.
# Only the admin can access the admin panel of the app (if the app has an admin panel)
ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
# ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
# Everyone can access the API part
# We don't want to display the tile in the SSO so we put --show_tile="false"
# And we don't want the YunoHost admin to be able to remove visitors group to this permission, so we put --protected="true"
ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
# ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1
ynh_script_progression --message="Reloading NGINX web server..." --weight=1
ynh_systemd_action --service_name=nginx --action=reload
@ -407,4 +412,4 @@ ynh_systemd_action --service_name=nginx --action=reload
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Installation of $app completed" --time --last
ynh_script_progression --message="Installation of $app completed" --last

78
scripts/remove
View file

@ -12,16 +12,16 @@ source /usr/share/yunohost/helpers
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --time --weight=1
ynh_script_progression --message="Loading installation settings..." --weight=1
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
port=$(ynh_app_setting_get --app=$app --key=port)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
# port=$(ynh_app_setting_get --app=$app --key=port)
# db_name=$(ynh_app_setting_get --app=$app --key=db_name)
# db_user=$db_name
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
datadir=$(ynh_app_setting_get --app=$app --key=datadir)
# datadir=$(ynh_app_setting_get --app=$app --key=datadir)
#=================================================
# STANDARD REMOVE
@ -30,40 +30,40 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
#=================================================
# Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
if ynh_exec_warn_less yunohost service status $app >/dev/null
then
ynh_script_progression --message="Removing $app service integration..." --time --weight=1
yunohost service remove $app
fi
# if ynh_exec_warn_less yunohost service status $app >/dev/null
# then
# ynh_script_progression --message="Removing $app service integration..." --weight=1
# yunohost service remove $app
# fi
#=================================================
# STOP AND REMOVE SERVICE
#=================================================
ynh_script_progression --message="Stopping and removing the systemd service..." --time --weight=1
# ynh_script_progression --message="Stopping and removing the systemd service..." --weight=1
# Remove the dedicated systemd config
ynh_remove_systemd_config
# ynh_remove_systemd_config
#=================================================
# REMOVE LOGROTATE CONFIGURATION
#=================================================
ynh_script_progression --message="Removing logrotate configuration..." --time --weight=1
# ynh_script_progression --message="Removing logrotate configuration..." --weight=1
# Remove the app-specific logrotate config
ynh_remove_logrotate
# ynh_remove_logrotate
#=================================================
# REMOVE THE MYSQL DATABASE
#=================================================
ynh_script_progression --message="Removing the MySQL database..." --time --weight=1
# ynh_script_progression --message="Removing the MySQL database..." --weight=1
# Remove a database if it exists, along with the associated user
ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name
# ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name
#=================================================
# REMOVE APP MAIN DIR
#=================================================
ynh_script_progression --message="Removing app main directory..." --time --weight=1
ynh_script_progression --message="Removing app main directory..." --weight=1
# Remove the app directory securely
ynh_secure_remove --file="$final_path"
@ -73,16 +73,16 @@ ynh_secure_remove --file="$final_path"
#=================================================
# Remove the data directory if --purge option is used
if [ "${YNH_APP_PURGE:-0}" -eq 1 ]
then
ynh_script_progression --message="Removing app data directory..." --time --weight=1
ynh_secure_remove --file="$datadir"
fi
# if [ "${YNH_APP_PURGE:-0}" -eq 1 ]
# then
# ynh_script_progression --message="Removing app data directory..." --weight=1
# ynh_secure_remove --file="$datadir"
# fi
#=================================================
# REMOVE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Removing NGINX web server configuration..." --time --weight=1
ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1
# Remove the dedicated NGINX config
ynh_remove_nginx_config
@ -90,7 +90,7 @@ ynh_remove_nginx_config
#=================================================
# REMOVE PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Removing PHP-FPM configuration..." --time --weight=1
ynh_script_progression --message="Removing PHP-FPM configuration..." --weight=1
# Remove the dedicated PHP-FPM config
ynh_remove_fpm_config
@ -98,51 +98,51 @@ ynh_remove_fpm_config
#=================================================
# REMOVE DEPENDENCIES
#=================================================
ynh_script_progression --message="Removing dependencies..." --time --weight=1
# ynh_script_progression --message="Removing dependencies..." --weight=1
# Remove metapackage and its dependencies
ynh_remove_app_dependencies
# ynh_remove_app_dependencies
#=================================================
# CLOSE A PORT
#=================================================
if yunohost firewall list | grep -q "\- $port$"
then
ynh_script_progression --message="Closing port $port..." --time --weight=1
ynh_exec_warn_less yunohost firewall disallow TCP $port
fi
# if yunohost firewall list | grep -q "\- $port$"
# then
# ynh_script_progression --message="Closing port $port..." --weight=1
# ynh_exec_warn_less yunohost firewall disallow TCP $port
# fi
#=================================================
# REMOVE FAIL2BAN CONFIGURATION
#=================================================
ynh_script_progression --message="Removing Fail2Ban configuration..." --time --weight=1
# ynh_script_progression --message="Removing Fail2Ban configuration..." --weight=1
# Remove the dedicated Fail2Ban config
ynh_remove_fail2ban_config
# ynh_remove_fail2ban_config
#=================================================
# SPECIFIC REMOVE
#=================================================
# REMOVE VARIOUS FILES
#=================================================
ynh_script_progression --message="Removing various files..." --time --weight=1
# ynh_script_progression --message="Removing various files..." --weight=1
# Remove a cron file
ynh_secure_remove --file="/etc/cron.d/$app"
# ynh_secure_remove --file="/etc/cron.d/$app"
# Remove a directory securely
ynh_secure_remove --file="/etc/$app"
# ynh_secure_remove --file="/etc/$app"
# Remove the log files
ynh_secure_remove --file="/var/log/$app"
# ynh_secure_remove --file="/var/log/$app"
#=================================================
# GENERIC FINALIZATION
#=================================================
# REMOVE DEDICATED USER
#=================================================
ynh_script_progression --message="Removing the dedicated system user..." --time --weight=1
ynh_script_progression --message="Removing the dedicated system user..." --weight=1
# Delete a system user
ynh_system_user_delete --username=$app
@ -151,4 +151,4 @@ ynh_system_user_delete --username=$app
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Removal of $app completed" --time --last
ynh_script_progression --message="Removal of $app completed" --last

78
scripts/restore
View file

@ -24,22 +24,22 @@ ynh_abort_if_errors
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --time --weight=1
ynh_script_progression --message="Loading installation settings..." --weight=1
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
# db_name=$(ynh_app_setting_get --app=$app --key=db_name)
# db_user=$db_name
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
datadir=$(ynh_app_setting_get --app=$app --key=datadir)
# datadir=$(ynh_app_setting_get --app=$app --key=datadir)
#=================================================
# CHECK IF THE APP CAN BE RESTORED
#=================================================
ynh_script_progression --message="Validating restoration parameters..." --time --weight=1
ynh_script_progression --message="Validating restoration parameters..." --weight=1
test ! -d $final_path \
|| ynh_die --message="There is already a directory: $final_path "
@ -49,14 +49,14 @@ test ! -d $final_path \
#=================================================
# RESTORE THE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the NGINX web server configuration..." --time --weight=1
ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1
ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# RECREATE THE DEDICATED USER
#=================================================
ynh_script_progression --message="Recreating the dedicated system user..." --time --weight=1
ynh_script_progression --message="Recreating the dedicated system user..." --weight=1
# Create the dedicated user (if not existing)
ynh_system_user_create --username=$app --home_dir="$final_path"
@ -64,7 +64,7 @@ ynh_system_user_create --username=$app --home_dir="$final_path"
#=================================================
# RESTORE THE APP MAIN DIR
#=================================================
ynh_script_progression --message="Restoring the app main directory..." --time --weight=1
ynh_script_progression --message="Restoring the app main directory..." --weight=1
ynh_restore_file --origin_path="$final_path"
@ -81,11 +81,11 @@ chown -R $app:www-data "$final_path"
#=================================================
# RESTORE THE DATA DIRECTORY
#=================================================
ynh_script_progression --message="Restoring the data directory..." --time --weight=1
# ynh_script_progression --message="Restoring the data directory..." --weight=1
ynh_restore_file --origin_path="$datadir" --not_mandatory
# ynh_restore_file --origin_path="$datadir" --not_mandatory
mkdir -p $datadir
# mkdir -p $datadir
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
@ -93,89 +93,89 @@ mkdir -p $datadir
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$datadir"
chmod -R o-rwx "$datadir"
chown -R $app:www-data "$datadir"
# chmod 750 "$datadir"
# chmod -R o-rwx "$datadir"
# chown -R $app:www-data "$datadir"
#=================================================
# RESTORE THE PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the PHP-FPM configuration..." --time --weight=1
ynh_script_progression --message="Restoring the PHP-FPM configuration..." --weight=1
ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
#=================================================
# RESTORE FAIL2BAN CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the Fail2Ban configuration..." --time --weight=1
# ynh_script_progression --message="Restoring the Fail2Ban configuration..." --weight=1
ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
ynh_systemd_action --action=restart --service_name=fail2ban
# ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
# ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
# ynh_systemd_action --action=restart --service_name=fail2ban
#=================================================
# SPECIFIC RESTORATION
#=================================================
# REINSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Reinstalling dependencies..." --time --weight=1
# ynh_script_progression --message="Reinstalling dependencies..." --weight=1
# Define and install dependencies
ynh_install_app_dependencies $pkg_dependencies
# ynh_install_app_dependencies $pkg_dependencies
#=================================================
# RESTORE THE MYSQL DATABASE
#=================================================
ynh_script_progression --message="Restoring the MySQL database..." --time --weight=1
# ynh_script_progression --message="Restoring the MySQL database..." --weight=1
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./db.sql
# db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
# ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
# ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./db.sql
#=================================================
# RESTORE VARIOUS FILES
#=================================================
ynh_script_progression --message="Restoring various files..." --time --weight=1
# ynh_script_progression --message="Restoring various files..." --weight=1
ynh_restore_file --origin_path="/etc/cron.d/$app"
# ynh_restore_file --origin_path="/etc/cron.d/$app"
ynh_restore_file --origin_path="/etc/$app/"
# ynh_restore_file --origin_path="/etc/$app/"
#=================================================
# RESTORE SYSTEMD
#=================================================
ynh_script_progression --message="Restoring the systemd configuration..." --time --weight=1
# ynh_script_progression --message="Restoring the systemd configuration..." --weight=1
ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
systemctl enable $app.service --quiet
# ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
# systemctl enable $app.service --quiet
#=================================================
# RESTORE THE LOGROTATE CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the logrotate configuration..." --time --weight=1
# ynh_script_progression --message="Restoring the logrotate configuration..." --weight=1
ynh_restore_file --origin_path="/etc/logrotate.d/$app"
# ynh_restore_file --origin_path="/etc/logrotate.d/$app"
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --time --weight=1
# ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
# yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --time --weight=1
# ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
# ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# GENERIC FINALIZATION
#=================================================
# RELOAD NGINX AND PHP-FPM
#=================================================
ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --time --weight=1
ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --weight=1
ynh_systemd_action --service_name=php$phpversion-fpm --action=reload
ynh_systemd_action --service_name=nginx --action=reload
@ -184,4 +184,4 @@ ynh_systemd_action --service_name=nginx --action=reload
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Restoration completed for $app" --time --last
ynh_script_progression --message="Restoration completed for $app" --last

72
scripts/upgrade
View file

@ -12,16 +12,16 @@ source /usr/share/yunohost/helpers
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --time --weight=1
ynh_script_progression --message="Loading installation settings..." --weight=1
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
language=$(ynh_app_setting_get --app=$app --key=language)
admin=$(ynh_app_setting_get --app=$app --key=admin)
# language=$(ynh_app_setting_get --app=$app --key=language)
# admin=$(ynh_app_setting_get --app=$app --key=admin)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
# db_name=$(ynh_app_setting_get --app=$app --key=db_name)
#=================================================
# CHECK VERSION
@ -38,7 +38,7 @@ upgrade_type=$(ynh_check_app_version_changed)
#=================================================
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
#=================================================
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --time --weight=1
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=1
# Backup the current version of the app
ynh_backup_before_upgrade
@ -54,14 +54,14 @@ ynh_abort_if_errors
#=================================================
# STOP SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Stopping a systemd service..." --time --weight=1
# ynh_script_progression --message="Stopping a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
# ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
#=================================================
# ENSURE DOWNWARD COMPATIBILITY
#=================================================
ynh_script_progression --message="Ensuring downward compatibility..." --time --weight=1
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
#
# N.B. : the followings setting migrations snippets are provided as *EXAMPLES*
@ -91,20 +91,20 @@ if ynh_legacy_permissions_exists; then
ynh_app_setting_delete --app=$app --key=is_public
fi
if ! ynh_permission_exists --permission="admin"; then
# if ! ynh_permission_exists --permission="admin"; then
# Create the required permissions
ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
fi
# ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
# fi
# Create a permission if needed
if ! ynh_permission_exists --permission="api"; then
ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
fi
# if ! ynh_permission_exists --permission="api"; then
# ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
# fi
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Making sure dedicated system user exists..." --time --weight=1
ynh_script_progression --message="Making sure dedicated system user exists..." --weight=1
# Create a dedicated user (if not existing)
ynh_system_user_create --username=$app --home_dir="$final_path"
@ -115,7 +115,7 @@ ynh_system_user_create --username=$app --home_dir="$final_path"
if [ "$upgrade_type" == "UPGRADE_APP" ]
then
ynh_script_progression --message="Upgrading source files..." --time --weight=1
ynh_script_progression --message="Upgrading source files..." --weight=1
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path"
@ -134,7 +134,7 @@ chown -R $app:www-data "$final_path"
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading NGINX web server configuration..." --time --weight=1
ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=1
# Create a dedicated NGINX config
ynh_add_nginx_config
@ -142,14 +142,14 @@ ynh_add_nginx_config
#=================================================
# UPGRADE DEPENDENCIES
#=================================================
ynh_script_progression --message="Upgrading dependencies..." --time --weight=1
# ynh_script_progression --message="Upgrading dependencies..." --weight=1
ynh_install_app_dependencies $pkg_dependencies
# ynh_install_app_dependencies $pkg_dependencies
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading PHP-FPM configuration..." --time --weight=1
ynh_script_progression --message="Upgrading PHP-FPM configuration..." --weight=1
# Create a dedicated PHP-FPM config
ynh_add_fpm_config
@ -163,20 +163,20 @@ ynh_add_fpm_config
#=================================================
# UPDATE A CONFIG FILE
#=================================================
ynh_script_progression --message="Updating a configuration file..." --time --weight=1
# ynh_script_progression --message="Updating a configuration file..." --weight=1
### Same as during install
###
### The file will automatically be backed-up if it's found to be manually modified (because
### ynh_add_config keeps track of the file's checksum)
ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
# ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
# FIXME: this should be handled by the core in the future
# You may need to use chmod 600 instead of 400,
# for example if the app is expected to be able to modify its own config
chmod 400 "$final_path/some_config_file"
chown $app:$app "$final_path/some_config_file"
# chmod 400 "$final_path/some_config_file"
# chown $app:$app "$final_path/some_config_file"
### For more complex cases where you want to replace stuff using regexes,
### you shoud rely on ynh_replace_string (which is basically a wrapper for sed)
@ -188,47 +188,47 @@ chown $app:$app "$final_path/some_config_file"
#=================================================
# SETUP SYSTEMD
#=================================================
ynh_script_progression --message="Upgrading systemd configuration..." --time --weight=1
# ynh_script_progression --message="Upgrading systemd configuration..." --weight=1
# Create a dedicated systemd config
ynh_add_systemd_config
# ynh_add_systemd_config
#=================================================
# GENERIC FINALIZATION
#=================================================
# SETUP LOGROTATE
#=================================================
ynh_script_progression --message="Upgrading logrotate configuration..." --time --weight=1
# ynh_script_progression --message="Upgrading logrotate configuration..." --weight=1
# Use logrotate to manage app-specific logfile(s)
ynh_use_logrotate --non-append
# ynh_use_logrotate --non-append
#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --time --weight=1
# ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
# yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --time --weight=1
# ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
# ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
#=================================================
# UPGRADE FAIL2BAN
#=================================================
ynh_script_progression --message="Reconfiguring Fail2Ban..." --time --weight=1
# ynh_script_progression --message="Reconfiguring Fail2Ban..." --weight=1
# Create a dedicated Fail2Ban config
ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
# ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..." --time --weight=1
ynh_script_progression --message="Reloading NGINX web server..." --weight=1
ynh_systemd_action --service_name=nginx --action=reload
@ -236,4 +236,4 @@ ynh_systemd_action --service_name=nginx --action=reload
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Upgrade of $app completed" --time --last
ynh_script_progression --message="Upgrade of $app completed" --last