
Installer One Liner

Markus Ottela edited this page Aug 27, 2024 · 16 revisions

Breakdown of the installer one-liner

The article on installation lists four one-liners for the different installation configurations for TFC.

An example of such a one-liner is the local test configuration:

c='local'; f='4a0a8bac2001e629889e56bc7b12f20122e83101504e24f5dcf125675c9fb4ec6cd35cdd20418bccee8d739d613a07236a455a82476f5a2729d7395ebea325dc'; p='pubkey.asc'; i='install.sh'; s=$i.asc; while sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; do sleep .5; echo -ne "\rAPT is busy"; done && sudo apt update && sudo apt install apt-transport-https -y && sudo apt install tor wget -y && sudo systemctl start tor && cd $HOME && echo -e '\nLaunching Torsocks. Please wait...\n' && until torsocks wget -T 10 https://raw.githubusercontent.com/maqp/tfc/master/{$p,$i,$s} -q; do sleep 1; done && sudo mv -f {$p,$i,$s} /opt/ && cd /opt/ && sudo chmod 644 {$p,$i,$s} && sudo chown root {$p,$i,$s} && if b2sum $p | grep -Eo '^\w+' | cmp -s <(echo $f); then gpg --import $p && gpg --verify $s $i && bash $i $c; else echo "ERROR: $p has invalid BLAKE2b fingerprint"; fi;

The one-liner is meant to be quick to copy and paste, but by itself it is quite unreadable. Here is the one-liner in formatted form:

c='local'
f='4a0a8bac2001e629889e56bc7b12f20122e83101504e24f5dcf125675c9fb4ec6cd35cdd20418bccee8d739d613a07236a455a82476f5a2729d7395ebea325dc'
p='pubkey.asc'
i='install.sh'
s=$i.asc

while sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; do 
        sleep .5
        echo -ne "\rAPT is busy"
    done && 

sudo apt update && 
sudo apt install tor wget -y &&
sudo systemctl start tor &&
sudo torsocks apt install wget -y &&
cd $HOME && 
echo -e '\nLaunching Torsocks. Please wait...\n' &&
until torsocks wget -T 10 https://raw.githubusercontent.com/maqp/tfc/master/{$p,$i,$s} -q; do 
    sleep 1
done && 
sudo mv {$p,$i,$s} /opt/ && 
cd /opt/ && 
sudo chmod 644 {$p,$i,$s} && 
sudo chown root {$p,$i,$s} && 

if b2sum $p | grep -Eo '^\w+' | cmp -s <(echo $f); then
    gpg --import $p && 
    gpg --verify $s $i &&
    bash $i $c
else
    echo "ERROR: $p has invalid BLAKE2b fingerprint" 
fi

And finally, here is a thorough explanation of what each line does:

c='local' sets the installation configuration to variable c. This is the main difference between the one-liners.

f='4a0a8bac2001e629889e56bc7b12f20122e83101504e24f5dcf125675c9fb4ec6cd35cdd20418bccee8d739d613a07236a455a82476f5a2729d7395ebea325dc' sets the BLAKE2b fingerprint of the TFC signature verification key to variable f. The fingerprint is the BLAKE2b hash of the ASCII-armored public key. The fingerprint is non-standard because OpenPGP standardization of v5 fingerprints has stagnated. The v5 fingerprints were meant to fix the weak collision resistance of SHA-1, which is still used in normal PGP fingerprints and which has recently been broken in practice.

p='pubkey.asc' sets the TFC public signature verification key's file name pubkey.asc to variable p.

i='install.sh' sets the TFC installer's file name install.sh to variable i.

s=$i.asc uses the variable i to set the TFC installer's digital signature file name install.sh.asc to variable s.

while sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; do sleep .5; echo -ne "\rAPT is busy"; done allows the user to enter the sudo password and wait until background installation processes of APT (the system's package manager) have completed before proceeding.

&& between each command means that the next command is only executed if the previous one did not encounter errors.

sudo apt update updates the list of software available via APT package manager.

sudo apt install tor wget -y installs Tor, which allows anonymous installation of TFC, and ensures the file download utility wget is installed.

sudo systemctl start tor launches the Tor service on the OS.

sudo torsocks apt install wget -y installs wget (which is not installed on Debian by default) over Tor. Wget is used to download the installer, the signature and the public key.

cd $HOME changes working directory to the home directory of the user.

echo -e '\nLaunching Torsocks. Please wait...\n' explains to the user that the process of launching Torsocks (for anonymous file download) may take some time.

until torsocks wget -T 10 https://raw.githubusercontent.com/maqp/tfc/master/{$p,$i,$s} -q; do sleep 1; done downloads the 4096-bit RSA public key p, TFC installer i and the installer's digital signature s from GitHub using the wget program. wget downloads the files anonymously, as all of its traffic is tunneled through the Tor utility torsocks. (These downloads start the race condition against Source Computer compromise.) -q means wget doesn't output anything. -T 10 sets a 10-second timeout. The until-do-done logic repeats the action until it succeeds.

sudo mv {$p,$i,$s} /opt/ moves the public key, installer, and the installer's digital signature file to /opt/ directory, where the files' permissions can be controlled.

cd /opt/ changes the working directory to the directory /opt/.

sudo chmod 644 {$p,$i,$s} sets each file's permissions to read-only for non-root users. This prevents malware from editing the files before they are verified.

sudo chown root sets each file's owner to root. This prevents malware from editing the files before they are verified.

if b2sum $p | grep -Eo '^\w+' | cmp -s <(echo $f) computes the BLAKE2b hash of the signature verification key p, and compares it to the fingerprint f pinned to the one-liner. The error about invalid BLAKE2b fingerprint under else is raised if the hash of the public key did not match the fingerprint.

gpg --import $p imports the TFC public key from the file p.

gpg --verify $s $i verifies the installer i using the signature s and the imported public key p. An error is raised if the installer is not authentic, i.e. if it has been tampered with.

bash $i $c executes the authenticated installer i with the desired installation configuration c defined at the beginning of the one-liner. An error is raised if the installation fails for some reason.
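The pin-then-verify gate from the last four steps, written as reusable functions (an added example, not code from the TFC wiki or installer; the function names are made up here). Unlike the one-liner, it imports the key into a throwaway GnuPG home directory, because gpg --verify accepts a good signature from any key in the keyring it is using, and this way the pinned key is the only one present.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names), not TFC's own code.

# Print the BLAKE2b-512 digest of a file as 128 hex characters.
b2_fingerprint() {
    b2sum < "$1" | cut -d' ' -f1
}

# Succeed only if the file's digest equals the pinned fingerprint.
# An unreadable file yields an empty digest and therefore fails closed.
pin_matches() {   # pin_matches <file> <pinned-hex>
    local actual
    actual=$(b2_fingerprint "$1")
    [ "${#2}" -eq 128 ] && [ "$actual" = "$2" ]
}

# Check the pin first; only then verify the signature, using a temporary
# keyring that contains nothing but the pinned key.
verify_installer() {   # verify_installer <key> <sig> <installer> <pinned-hex>
    local key=$1 sig=$2 installer=$3 pin=$4 home rc
    if ! pin_matches "$key" "$pin"; then
        echo "ERROR: $key has invalid BLAKE2b fingerprint" >&2
        return 1
    fi
    home=$(mktemp -d) || return 2          # created with mode 700
    gpg --homedir "$home" --batch --quiet --import "$key" &&
        gpg --homedir "$home" --batch --verify "$sig" "$installer"
    rc=$?
    rm -rf -- "$home"
    return "$rc"
}

# Constructed demo of the pin step: a stand-in key file, then the same file
# with one appended byte. No real key material is involved.
demo() {
    local dir pin
    dir=$(mktemp -d) || return 2
    printf 'constructed stand-in for pubkey.asc\n' > "$dir/pubkey.asc"
    pin=$(b2_fingerprint "$dir/pubkey.asc")   # pin taken from the known-good copy
    pin_matches "$dir/pubkey.asc" "$pin" && echo "original: pin ok"
    printf ' ' >> "$dir/pubkey.asc"
    pin_matches "$dir/pubkey.asc" "$pin" || echo "modified: pin mismatch"
    rm -rf -- "$dir"
}
demo
```

A caller would run the installer only when verify_installer returns 0, passing the fingerprint that was pinned in the one-liner as the fourth argument.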
