commit 319efece5f538b4da1ddee758c5d13da235b19b2 Author: rpriven Date: Wed Dec 31 19:44:07 2025 -0700 Initial commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..dfeb64f --- /dev/null +++ b/.gitignore @@ -0,0 +1,25 @@ +# Temp files +*.tmp +*.log +*.swp +*~ + +# OS files +.DS_Store +Thumbs.db + +# Editor files +.vscode/ +.idea/ +*.sublime-* + +# Test downloads +downloads/ +*.deb +*.rpm +*.tar.gz +*.zip + +# Local testing +test-* +scratch/ diff --git a/APT-TOOLS-VERSIONS.md b/APT-TOOLS-VERSIONS.md new file mode 100644 index 0000000..9689ab1 --- /dev/null +++ b/APT-TOOLS-VERSIONS.md 
@@ -0,0 +1,127 @@ +# APT-Based Privacy Tools - Version Info + +## ✅ Current Versions (Debian Trixie) + +Based on check: 2025-11-12 + +### OnionShare +- **Debian Version**: 2.6.3-1 ✅ +- **Latest Upstream**: v2.6.3 (2025-02-25) +- **Status**: **UP TO DATE** 🎉 +- **Recommendation**: Use apt version + +### Tor +- **Debian Version**: 0.4.8.16-1 +- **Latest Stable**: 0.4.8.x series +- **Status**: Current stable release +- **Recommendation**: Debian apt is fine for most users +- **Advanced**: Use Tor Project's repo for absolute latest + +### torsocks +- **Debian Version**: 2.5.0-1 +- **Status**: Stable, mature project (slow release cycle) +- **Recommendation**: apt version is fine + +### Other Tools + +| Tool | Debian Version | Notes | +|------|---------------|-------| +| keepassxc | Latest in Trixie | Well-maintained in Debian | +| mat2 | Current | Part of Tails, actively maintained | +| exiftool | Latest | Perl module, stable | +| bleachbit | Current | Regular Debian updates | +| firejail | Latest stable | Security-focused, backported updates | +| age | Current | Simple tool, infrequent updates needed | +| sherlock | Packaged | Python tool | + +## 🎯 Recommendations + +### Use APT for: +✅ OnionShare (currently up to date!) 
+✅ tor (unless you need bleeding edge) +✅ torsocks +✅ All other privacy tools listed +✅ Automatic security updates via apt + +### Consider Upstream for: +⚠️ Tor Browser - Use Tor Project's official package +⚠️ Signal Desktop - Use official Signal .deb repo +⚠️ Tools requiring latest features + +## 📦 Installation + +**Simple one-liner for all APT tools:** +```bash +cd ~/github/privacy-toolkit +./install-apt-tools.sh +``` + +**Or manual:** +```bash +sudo apt install \ + keepassxc age mat2 exiftool shred bleachbit \ + tor torsocks onionshare onionshare-cli \ + firejail sherlock +``` + +## 🔄 Update Strategy + +**For APT-managed tools:** +```bash +# Regular updates +sudo apt update && sudo apt upgrade + +# Check for security updates +sudo apt update && sudo apt list --upgradable +``` + +**Checking versions:** +```bash +# OnionShare +onionshare-cli --version + +# Tor +tor --version + +# mat2 +mat2 --version + +# KeePassXC +keepassxc --version +``` + +## 🌐 Tor Project Repository (Optional) + +If you want the absolute latest Tor (usually not necessary): + +```bash +# Add Tor Project repository +sudo apt install -y apt-transport-https + +# Add GPG key +wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null + +# Add repo +echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/tor.list + +# Install +sudo apt update +sudo apt install tor torbrowser-launcher +``` + +## 📊 Summary + +**12+ privacy tools available via apt** +- **Encryption**: keepassxc, age +- **Metadata**: mat2, exiftool +- **Anonymity**: tor, torsocks, onionshare +- **Security**: firejail, bleachbit +- **OSINT**: sherlock + +**Benefit**: Single update command, dependency management, security patches + +--- + +**Last Updated**: 2025-11-12 +**Debian Version**: Trixie (testing) 
+**OnionShare**: ✅ Up to date! diff --git a/README.md b/README.md new file mode 100644 index 0000000..756607f --- /dev/null +++ b/README.md 
@@ -0,0 +1,134 @@ +# 🛡️ Privacy Toolkit + +**A curated collection of privacy-focused tools with automated installation scripts** + +## 🎯 Mission + +Provide easy-to-install, well-documented privacy tools that protect against common threats: +- Surveillance and tracking +- Data breaches and leaks +- Malicious documents and files +- Metadata exposure +- Network monitoring + +## 🚀 Quick Start + +```bash +# Clone the repository +git clone https://github.com/YOUR_USERNAME/privacy-toolkit.git +cd privacy-toolkit + +# Install a specific tool +./tools/dangerzone/install.sh + +# Or use the master installer (coming soon) +./install.sh +``` + +## 📦 Available Tools + +### 🎯 Priority Tools (Install First) +1. **[Dangerzone](tools/dangerzone/)** - Document sanitization ✅ +2. **[LibreWolf](tools/librewolf/)** - Privacy-focused Firefox fork ✅ +3. **mat2** - Metadata removal (via apt-tools) +4. **Signal Desktop** - Secure messaging (coming soon) +5. **Tor Browser** - Anonymous browsing (coming soon) +6. **BleachBit** - Secure deletion (via apt-tools) +7. **firejail** - App sandboxing (via apt-tools) + +See [TOOLS-LIST.md](TOOLS-LIST.md) for the complete list of planned tools. 
+ +## 🗂️ Categories + +- **Document Sanitization**: Remove malware and tracking from files +- **Encryption & Storage**: Protect data at rest +- **Secure Communication**: Private messaging and calls +- **Anonymity & Network**: Browse and communicate anonymously +- **Metadata Removal**: Strip identifying information +- **Secure Deletion**: Permanently erase sensitive data +- **Password Management**: Secure credential storage +- **Email Privacy**: Encrypted email communication +- **System Hardening**: Lock down your system +- **DNS Privacy**: Prevent DNS surveillance + +## 🔧 Installation Script Features + +Each tool installation script includes: +- ✅ Distro detection (Debian/Ubuntu/Fedora/Arch) +- ✅ GPG key verification +- ✅ Dependency checking +- ✅ Post-install verification +- ✅ Usage examples +- ✅ Security best practices + +## 📖 Documentation + +Each tool includes: +- **README.md**: What it does and why you need it +- **install.sh**: Automated installation +- **Threat model**: What attacks it protects against +- **Usage examples**: How to use it effectively + +## 🤝 Contributing + +Privacy tools to suggest? Found a bug? Contributions welcome! + +1. Fork the repository +2. Create a feature branch +3. Follow the tool template structure +4. 
Submit a pull request + +## 🔒 Security Principles + +- **FOSS First**: Open source tools are auditable +- **Official Sources**: Install from official repositories when possible +- **Signature Verification**: Always verify GPG signatures +- **Minimal Trust**: Reduce trust in third parties +- **Defense in Depth**: Layer multiple tools for comprehensive protection + +## 📚 Learning Resources + +- [Threat Modeling Guide](docs/threat-modeling.md) (coming soon) +- [Privacy Best Practices](docs/best-practices.md) (coming soon) +- [Tool Verification Guide](docs/verification.md) (coming soon) + +## ⚖️ License + +MIT License - See [LICENSE](LICENSE) for details + +## 🙏 Acknowledgments + +- Freedom of the Press Foundation (Dangerzone) +- The Tor Project +- Signal Foundation +- All FOSS privacy tool developers + +--- + +**Status**: 🚧 Work in Progress +**Tools Completed**: 8/30+ +**Last Updated**: 2025-12-21 + +💡 **Remember**: Privacy is a process, not a product. These tools help, but conscious behavior matters more. + +## 🔐 Security Best Practices + +### Always Verify Signatures and Checksums! + +Before installing ANY security software: + +1. **Download signature files** (.asc, .sig) +2. **Import developer's GPG key** +3. **Verify fingerprint** against official website +4. **Check SHA256 checksum** +5. **Verify GPG signature** + +Example verification workflow documented in tool directories (see `tools/cryptomator/VERIFICATION.md`). + +**Red flags - DO NOT INSTALL:** +- ❌ No signature file available +- ❌ Fingerprint mismatch +- ❌ "BAD signature" from GPG +- ❌ Checksum mismatch +- ❌ Download from unofficial source + diff --git a/SESSION-NOTES.md b/SESSION-NOTES.md new file mode 100644 index 0000000..7162494 --- /dev/null +++ b/SESSION-NOTES.md 
@@ -0,0 +1,135 @@ +# Privacy Toolkit - Session Notes + +## 2025-11-12 - Initial Repository Setup + +### 🎯 What We Built + +Created a modular privacy toolkit with automated installation scripts for security-focused tools. + +### ✅ Completed Tools (5) + +1. **Dangerzone** - Document sanitization (Freedom of Press Foundation) + - Container-based PDF/Office sanitization + - Includes GPG keyring permission fix + - Full threat model documentation + +2. **croc** - Secure P2P file transfer + - PAKE-based encryption + - Simple curl | bash installation + +3. **age** - Modern file encryption + - Simpler than GPG + - Installed via apt + +4. **VeraCrypt** - Full disk encryption + - Encrypted containers and full disk encryption + - Launchpad .deb download + - Version 1.26.7 + +5. **Cryptomator** - Cloud storage encryption + - Client-side encryption for cloud files + - Interactive .deb vs AppImage choice + - **Includes full verification guide** (GPG + SHA256) + +### 📁 Repository Structure + +``` +privacy-toolkit/ +├── README.md # Main documentation +├── TOOLS-LIST.md # Progress checklist +├── TOOLS-REFERENCE.md # Detailed tool descriptions +├── SESSION-NOTES.md # This file +└── tools/ + ├── age/ + │ └── install.sh + ├── croc/ + │ └── install.sh + ├── cryptomator/ + │ ├── install.sh + │ └── VERIFICATION.md # GPG verification guide + ├── dangerzone/ + │ ├── install.sh + │ └── README.md + └── veracrypt/ + └── install.sh +``` + +### 🔐 Key Features + +- **Modular Design**: Each tool is self-contained +- **Security-First**: GPG verification, checksums, official sources +- **Educational**: Threat models explain WHY you need each tool +- **Consistent**: Same script structure across all tools +- **Practical**: Real-world verification example for Cryptomator + +### 🎓 Security Practices Documented + +Example verification workflow (Cryptomator): +1. Download .deb + .asc signature +2. Import GPG key +3. Verify fingerprint: `5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235` +4. 
Check SHA256 checksum +5. Verify GPG signature +6. Install if all checks pass + +### 📊 Status + +- **Tools Completed**: 5/30+ +- **Priority Tools**: 1/6 (Dangerzone) +- **Documentation**: Comprehensive for completed tools +- **Git**: Not yet initialized (ready to be) + +### 🎯 Next Steps + +Potential additions: +- mat2 (metadata removal) +- Signal Desktop +- Tor Browser +- BleachBit +- firejail +- OnionShare +- ExifTool + +### 💡 Design Decisions + +1. **Cryptomator: .deb vs AppImage** + - Script offers choice + - Recommendation: .deb for better system integration + - AppImage for portability + +2. **VeraCrypt: Version locking** + - Hardcoded 1.26.7 for stability + - Manual update recommended over auto-latest + +3. **Dangerzone: GPG keyring fix** + - Includes chmod 644 fix for /etc/apt/keyrings/ + - Solves permission denied error + +### 🔗 Resources + +- Official Cryptomator releases: https://github.com/cryptomator/cryptomator/releases +- Dangerzone: https://dangerzone.rocks/ +- VeraCrypt: https://veracrypt.fr/ +- Age: https://github.com/FiloSottile/age +- Croc: https://github.com/schollz/croc + +--- + +**Created**: 2025-11-12 +**Tools**: 5 complete, 25+ planned +**Focus**: Security, privacy, encryption, sanitization + +## SimpleX Installation Discovery + +**Issue**: SimpleX .deb packages have library compatibility issues across multiple distros. + +**Confirmed broken:** +- Debian Trixie: Crashes with `SIGSEGV in libHSzstd` +- Pop!_OS: Required AppImage + +**Solution**: Always use AppImage for SimpleX +- Script: `tools/simplex/install-appimage.sh` +- Location: `~/.local/bin/SimpleX.AppImage` +- Works universally across distros + +**Lesson**: For complex cross-platform apps with many dependencies, prefer AppImage over distro-specific packages. diff --git a/TOOLS-LIST.md b/TOOLS-LIST.md new file mode 100644 index 0000000..0c2b436 --- /dev/null +++ b/TOOLS-LIST.md 
@@ -0,0 +1,92 @@ +# Privacy Toolkit - Tool Candidates + +This is our working list of privacy tools to include in the toolkit. + +## 🎯 Priority 1 (Core Privacy Tools) +- [x] **Dangerzone** - Document sanitization ✅ +- [ ] **mat2** - Metadata removal +- [ ] **Signal Desktop** - Secure messaging +- [ ] **Tor Browser** - Anonymous browsing +- [ ] **BleachBit** - Secure deletion +- [ ] **firejail** - App sandboxing + +## 🛡️ Document Sanitization +- [x] **Dangerzone** - PDF/Office document sanitizer using container isolation ✅ +- [ ] **ExifCleaner** - Metadata removal from images/PDFs/videos +- [ ] **mat2** - Metadata Anonymization Toolkit + +## 🔐 Encryption & Secure Storage +- [x] **VeraCrypt** - Full disk encryption and encrypted containers ✅ +- [x] **age** - Modern file encryption ✅ +- [x] **Cryptomator** - Client-side cloud storage encryption ✅ + +## 📂 Secure File Transfer +- [x] **croc** - Secure, fast P2P file transfer ✅ + +## 📡 Secure Communication +- [ ] **Signal Desktop** - E2E encrypted messaging +- [ ] **SimpleX** - E2E encrypted messaging without identifiers (documented in PAI) +- [ ] **Jami** - P2P encrypted video/audio calls + +## 🌐 Anonymity & Network Privacy +- [ ] **Tor Browser** - Anonymous web browsing +- [ ] **ProtonVPN** - Privacy-focused VPN (already installed) +- [ ] **OnionShare** - Anonymous file sharing over Tor + +## 🔍 Metadata & Privacy Analysis +- [ ] **ExifTool** - View/edit metadata in files +- [ ] **Sherlock** - Username enumeration across platforms + +## 🗑️ Secure Deletion +- [ ] **BleachBit** - Secure file deletion and system cleaning +- [ ] **shred** - Overwrite files securely (already installed) + +## 🔒 Password & Secret Management +- [ ] **KeePassXC** - Offline password manager (already in use) +- [ ] **Bitwarden** - Open source password manager (self-hostable) + +## 📧 Email Privacy +- [ ] **Thunderbird + Enigmail** - PGP email encryption +- [ ] **ProtonMail Bridge** - Use ProtonMail with desktop clients + +## 🛡️ System Hardening +- [ 
] **firejail** - Application sandboxing +- [ ] **AppArmor** - Mandatory Access Control (built into Debian) + +## 🌐 DNS Privacy +- [ ] **dnscrypt-proxy** - Encrypted DNS queries +- [ ] **Unbound** - Validating DNS resolver + +## 📱 Mobile Companion Tools +- [ ] **scrcpy** - Control Android via ADB + +--- + +**Last Updated:** 2025-11-12 +**Tools Completed:** 5/30+ (Dangerzone, croc, age, VeraCrypt, Cryptomator) +**Priority Tools:** 1/6 + +--- + +## 📦 APT-Based Tools (Quick Install) + +Many privacy tools are available directly via apt! Run: +```bash +./install-apt-tools.sh +``` + +**APT Tools Included:** +- [x] **keepassxc** - Password manager ✅ +- [x] **age** - File encryption ✅ +- [x] **mat2** - Metadata removal ✅ +- [x] **exiftool** - EXIF metadata viewer/editor ✅ +- [x] **bleachbit** - Secure deletion ✅ +- [x] **firejail** - App sandboxing ✅ +- [x] **tor** - Anonymity network ✅ +- [x] **torsocks** - Torify applications ✅ +- [x] **onionshare** - Anonymous file sharing ✅ +- [x] **sherlock** - Username enumeration ✅ + +**Note**: OnionShare 2.6.3 in Debian is **up to date** with latest release! 🎉 + +See [APT-TOOLS-VERSIONS.md](APT-TOOLS-VERSIONS.md) for version details. diff --git a/TOOLS-REFERENCE.md b/TOOLS-REFERENCE.md new file mode 100644 index 0000000..12ba761 --- /dev/null +++ b/TOOLS-REFERENCE.md 
@@ -0,0 +1,189 @@ +# Privacy Toolkit - Tool Candidates + +## 🛡️ Document Sanitization +- **Dangerzone** - PDF/Office document sanitizer using container isolation + - Threat: Malicious documents with embedded exploits + - Status: Installation script ready (needs chmod fix for GPG key) + - Source: Freedom of the Press Foundation + - Platform: Linux (Debian/Ubuntu/Fedora) + +- **ExifCleaner** - Metadata removal from images/PDFs/videos + - Threat: EXIF data leaking location, camera info, timestamps + - Source: https://github.com/szTheory/exifcleaner + - Platform: Cross-platform (AppImage for Linux) + +- **mat2** (Metadata Anonymization Toolkit) + - Threat: Document metadata revealing identity/system info + - Source: apt package, part of Tails + - Platform: Linux + +## 🔐 Encryption & Secure Storage +- **VeraCrypt** - Full disk encryption and encrypted containers + - Threat: Physical device seizure, data theft + - Status: Already in use + - Source: https://veracrypt.fr + - Platform: Cross-platform + +- **age** - Modern file encryption (simpler than GPG) + - Threat: Sensitive files at rest + - Source: https://github.com/FiloSottile/age + - Platform: Cross-platform, Go binary + +- **Cryptomator** - Client-side cloud storage encryption + - Threat: Cloud provider access to files + - Source: https://cryptomator.org + - Platform: Cross-platform + +## 📡 Secure Communication +- **Signal Desktop** - E2E encrypted messaging + - Threat: Message interception, surveillance + - Source: https://signal.org + - Platform: Linux (official .deb) + +- **SimpleX** - E2E encrypted messaging without identifiers + - Threat: Metadata correlation, phone number linking + - Status: Already documented in PAI + - Source: https://simplex.chat + - Platform: Cross-platform + +- **Jami** - P2P encrypted video/audio calls + - Threat: Centralized communication surveillance + - Source: https://jami.net + - Platform: Cross-platform + +## 🌐 Anonymity & Network Privacy +- **Tor Browser** - Anonymous web 
browsing + - Threat: IP tracking, browser fingerprinting + - Source: https://torproject.org + - Platform: Cross-platform + +- **ProtonVPN** - Privacy-focused VPN + - Status: Already installed + - Source: https://protonvpn.com + - Platform: Cross-platform + +- **OnionShare** - Anonymous file sharing over Tor + - Threat: File transfer metadata, IP exposure + - Source: https://onionshare.org + - Platform: Cross-platform + +## 🔍 Metadata & Privacy Analysis +- **ExifTool** - View/edit metadata in files + - Threat: Understanding what metadata you're leaking + - Source: apt package + - Platform: Cross-platform + +- **Sherlock** - Username enumeration across platforms + - Threat: Understanding your digital footprint + - Source: https://github.com/sherlock-project/sherlock + - Platform: Python tool + +## 🗑️ Secure Deletion +- **BleachBit** - Secure file deletion and system cleaning + - Threat: Forensic recovery of deleted files + - Source: apt package + - Platform: Linux/Windows + +- **shred** - Overwrite files securely + - Threat: File recovery after deletion + - Source: GNU coreutils (already installed) + - Platform: Linux + +## 🔒 Password & Secret Management +- **KeePassXC** - Offline password manager + - Status: Already in use + - Source: https://keepassxc.org + - Platform: Cross-platform + +- **Bitwarden** - Open source password manager (self-hostable) + - Threat: Password reuse, weak passwords + - Source: https://bitwarden.com + - Platform: Cross-platform + self-hosted + +## 📧 Email Privacy +- **Thunderbird + Enigmail** - PGP email encryption + - Threat: Email content surveillance + - Source: apt package + - Platform: Cross-platform + +- **ProtonMail Bridge** - Use ProtonMail with desktop clients + - Threat: Email metadata, provider access + - Source: https://proton.me + - Platform: Cross-platform + +## 🛡️ System Hardening +- **firejail** - Application sandboxing + - Threat: Application exploits compromising system + - Source: apt package + - Platform: Linux + +- 
**AppArmor** - Mandatory Access Control + - Threat: Privilege escalation + - Source: Built into Debian + - Platform: Linux + +## 🌐 DNS Privacy +- **dnscrypt-proxy** - Encrypted DNS queries + - Threat: DNS surveillance, ISP tracking + - Source: https://github.com/DNSCrypt/dnscrypt-proxy + - Platform: Cross-platform + +- **Unbound** - Validating DNS resolver + - Threat: DNS spoofing, MITM + - Source: apt package + - Platform: Linux + +## 📱 Mobile Companion Tools +- **scrcpy** - Control Android via ADB (for testing privacy apps) + - Source: apt package + - Platform: Linux/Windows/macOS + +## 🎯 Priority Tools (Install First) +1. Dangerzone - Document sanitization +2. mat2 - Metadata removal +3. Signal Desktop - Secure messaging +4. Tor Browser - Anonymous browsing +5. BleachBit - Secure deletion +6. firejail - App sandboxing + +## 📁 Repository Structure Proposal +``` +privacy-toolkit/ +├── README.md # Overview, threat model intro +├── install.sh # Master handler script +├── tools/ +│ ├── dangerzone/ +│ │ ├── install.sh # Individual install script +│ │ ├── README.md # What it does, why you need it +│ │ └── verify.sh # Post-install verification +│ ├── mat2/ +│ │ ├── install.sh +│ │ ├── README.md +│ │ └── examples/ # Usage examples +│ ├── signal-desktop/ +│ └── tor-browser/ +├── categories.md # Tools organized by threat model +├── threat-models.md # Common threat scenarios +└── docs/ + ├── installation-guide.md + ├── verification-guide.md # How to verify tools work + └── threat-modeling.md # Help users choose tools +``` + +## 🔧 Installation Script Template +Each tool should have: +- Distro detection (Debian/Ubuntu/Fedora/Arch) +- GPG key verification (with chmod fix for keyrings!) 
+- Dependency checking +- Version verification +- Post-install testing +- Cleanup on failure +- Usage examples + +## 📝 Notes +- Focus on FOSS tools (auditability) +- Prefer official repositories +- Include threat model for each tool +- Provide usage examples +- Link to official documentation +- Security-focused: verify signatures, check hashes diff --git a/install-apt-tools.sh b/install-apt-tools.sh new file mode 100755 index 0000000..0112d3e --- /dev/null +++ b/install-apt-tools.sh 
@@ -0,0 +1,201 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# Privacy Toolkit - APT-based Tools Installation +# ============================================================================== +# Installs all privacy tools available via apt repositories +# ============================================================================== + +# Colors +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly BLUE='\033[0;34m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +section() { echo -e "${BLUE}=== $* ===${NC}"; } + +# APT-based privacy tools organized by category +declare -A TOOLS=( + # Encryption & Password Management + ["keepassxc"]="Offline password manager" + ["age"]="Modern file encryption" + + # Metadata & Privacy + ["mat2"]="Metadata Anonymization Toolkit" + ["exiftool"]="EXIF metadata editor" + + # Secure Deletion + ["shred"]="Secure file overwriting (from coreutils)" + ["bleachbit"]="System cleaning and secure deletion" + + # Network Privacy & Anonymity + ["tor"]="Tor anonymity network daemon" + ["torsocks"]="Torify applications" + ["onionshare"]="Anonymous file sharing over Tor (GUI)" + ["onionshare-cli"]="Anonymous file sharing over Tor (CLI)" + + # System Hardening + ["firejail"]="Application sandboxing" + + # OSINT & Privacy Analysis + ["sherlock"]="Username enumeration tool" +) + +section "Privacy Toolkit - APT Tools Installation" +echo "" + +log "Updating package lists..." +sudo apt update + +echo "" +section "Available Privacy Tools" +echo "" + +# Show tools +for tool in "${!TOOLS[@]}"; do + echo " • $tool - ${TOOLS[$tool]}" +done + +echo "" +read -p "Install all tools? [Y/n] " -n 1 -r +echo +if [[ ! 
$REPLY =~ ^[Yy]$ ]] && [[ -n $REPLY ]]; then + log "Installation cancelled" + exit 0 +fi + +echo "" +section "Installing Tools" +echo "" + +# Track installation results +installed=() +already_installed=() +failed=() + +for tool in "${!TOOLS[@]}"; do + if dpkg -l | grep -q "^ii $tool "; then + log "✓ $tool already installed" + already_installed+=("$tool") + else + log "Installing $tool..." + if sudo apt install -y "$tool" 2>&1 | grep -q "Unable to locate package"; then + warn "⚠ $tool not available in repositories" + failed+=("$tool") + else + log "✅ $tool installed" + installed+=("$tool") + fi + fi +done + +echo "" +section "Installation Summary" +echo "" + +if [ ${#installed[@]} -gt 0 ]; then + echo "✅ Newly installed (${#installed[@]}):" + for tool in "${installed[@]}"; do + echo " • $tool" + done + echo "" +fi + +if [ ${#already_installed[@]} -gt 0 ]; then + echo "✓ Already installed (${#already_installed[@]}):" + for tool in "${already_installed[@]}"; do + echo " • $tool" + done + echo "" +fi + +if [ ${#failed[@]} -gt 0 ]; then + echo "⚠ Failed/Not available (${#failed[@]}):" + for tool in "${failed[@]}"; do + echo " • $tool" + done + echo "" +fi + +section "Versions" +echo "" + +# Show versions for key tools +echo "OnionShare: $(apt-cache policy onionshare | grep Candidate | awk '{print $2}')" +echo "Tor: $(apt-cache policy tor | grep Candidate | awk '{print $2}')" +echo "mat2: $(dpkg -l | grep "^ii mat2 " | awk '{print $3}' || echo 'not installed')" +echo "KeePassXC: $(dpkg -l | grep "^ii keepassxc " | awk '{print $3}' || echo 'not installed')" + +echo "" +section "Quick Usage Examples" +echo "" + +cat << 'USAGE' +OnionShare: + # Share a file anonymously + onionshare-cli /path/to/file + + # Receive files anonymously + onionshare-cli --receive + +mat2: + # Remove metadata from file + mat2 document.pdf + + # Clean entire directory + mat2 --inplace *.jpg + +Tor + torsocks: + # Run command through Tor + torsocks curl https://check.torproject.org/ + + # Torify an 
application + torsocks firefox + +firejail: + # Sandbox an application + firejail firefox + + # Sandbox with no network + firejail --net=none risky-app + +ExifTool: + # View metadata + exiftool image.jpg + + # Strip all metadata + exiftool -all= image.jpg + +KeePassXC: + # Launch GUI + keepassxc + + # CLI (if available) + keepassxc-cli + +age: + # Generate key + age-keygen -o key.txt + + # Encrypt file + age -e -r file.txt > file.txt.age + + # Decrypt file + age -d -i key.txt file.txt.age > file.txt + +USAGE + +echo "" +section "Installation Complete!" +echo "" + +log "📚 For detailed usage, see:" +log " - OnionShare: https://docs.onionshare.org/" +log " - Tor: https://tb-manual.torproject.org/" +log " - mat2: https://0xacab.org/jvoisin/mat2" +log " - KeePassXC: https://keepassxc.org/docs/" + +echo "" diff --git a/tools/age/install.sh b/tools/age/install.sh new file mode 100755 index 0000000..ce9f8c5 --- /dev/null +++ b/tools/age/install.sh 
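Review bot: In the install loop, `if sudo apt install -y "$tool" 2>&1 | grep -q "Unable to locate package"` reports a failed install as success: any apt failure other than a missing package (dependency conflict, network error, held package) produces no match, the `else` branch runs and the tool is appended to `installed`. The earlier `dpkg -l | grep -q "^ii $tool "` check is also fragile: `dpkg -l` separates `ii` from the package name with two spaces, so if the pattern really has one space (hard to tell from the collapsed rendering) nothing is ever counted as already installed. `shred` is a coreutils binary rather than a package, so it will always land in `failed`; drop it from `TOOLS` or special-case it. The `dpkg -l | grep "^ii mat2 " | awk ... || echo 'not installed'` lines in the Versions section share the spacing problem, and the `||` is attached to `awk`, which succeeds on empty input, so 'not installed' is never printed. The rewrite below queries the package database directly, checks for an install candidate first and relies on apt's own exit status instead of grepping its output.
```shell
for tool in "${!TOOLS[@]}"; do
  if dpkg-query -W -f='${Status}' "$tool" 2>/dev/null | grep -q 'install ok installed'; then
    log "✓ $tool already installed"
    already_installed+=("$tool")
    continue
  fi
  # No candidate means apt cannot install it; decide that before calling apt
  candidate=$(apt-cache policy "$tool" 2>/dev/null | awk '/Candidate:/ && $2 != "(none)" {print $2}')
  if [[ -z "$candidate" ]]; then
    warn "⚠ $tool not available in repositories"
    failed+=("$tool")
    continue
  fi
  log "Installing $tool..."
  # Use apt's exit status: any failure (deps, network, held package) is a failure
  if sudo apt install -y "$tool"; then
    log "✅ $tool installed"
    installed+=("$tool")
  else
    warn "⚠ $tool installation failed"
    failed+=("$tool")
  fi
done
# … unchanged: summary, versions and usage sections …
```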
@@ -0,0 +1,62 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# Age Installation Script +# ============================================================================== +# Installs age - Modern, simple file encryption +# +# Threat Model: +# - Files at rest without encryption (laptop theft, cloud breaches) +# - GPG complexity leading to misconfiguration +# - Key management nightmares +# +# Why Age over GPG: +# - Simple: One algorithm, no configuration options +# - Modern: ChaCha20-Poly1305 encryption +# - Small: Tiny keys and ciphertext overhead +# - Fast: Optimized for modern processors +# +# Source: https://github.com/FiloSottile/age +# ============================================================================== + +# Colors +readonly GREEN='\033[0;32m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } + +echo "=== Age Installation ===" +echo "" + +log "Installing age from Debian repository..." +sudo apt update +sudo apt install -y age + +echo "" +log "Verifying installation..." +age --version + +echo "" +echo "=== Installation Complete ===" +echo "" +echo "Quick Start:" +echo "" +echo " Generate a key pair:" +echo " age-keygen -o key.txt" +echo " # Save this file securely! It's your private key" +echo "" +echo " Encrypt a file:" +echo " age -e -r \$(cat key.txt | grep 'public key' | cut -d: -f2) file.txt > file.txt.age" +echo "" +echo " Or use recipient's public key:" +echo " age -e -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p file.txt > file.txt.age" +echo "" +echo " Decrypt a file:" +echo " age -d -i key.txt file.txt.age > file.txt" +echo "" +echo " Password-based encryption (no keys needed):" +echo " age -p file.txt > file.txt.age" +echo " age -d file.txt.age > file.txt" +echo "" +echo "📖 Documentation: https://github.com/FiloSottile/age" 
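Review bot: The script calls `sudo apt update` and `sudo apt install -y age` unconditionally, although the repository README promises distro detection for every installer; on Fedora or Arch the only diagnostic is sudo's "apt: command not found" after the banner has been printed. A one-line guard near the top makes the assumption explicit: `command -v apt >/dev/null 2>&1 || { printf 'This installer targets Debian/Ubuntu (apt)\n' >&2; exit 1; }`. The `age --version` call already runs under `set -e`, so a missing binary aborts the script, which is fine; a short comment such as `# age --version doubles as the post-install check: a non-zero exit aborts under set -e` would make that intent clear to the next reader.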
diff --git a/tools/cloudflare-warp/install.sh b/tools/cloudflare-warp/install.sh new file mode 100755 index 0000000..6f250b2 --- /dev/null +++ b/tools/cloudflare-warp/install.sh 
@@ -0,0 +1,103 @@ +#!/usr/bin/env bash + +################################################################################# +# Cloudflare WARP Installation Script +# +# Installs Cloudflare WARP client for encrypted DNS and private routing +# +# Features: +# - Encrypted DNS (1.1.1.1 with WARP) +# - Optional VPN-like routing through Cloudflare network +# - Prevents ISP DNS snooping +# +# Usage modes: +# - warp-cli connect # Connect to WARP +# - warp-cli disconnect # Disconnect +# - warp-cli status # Check status +# - warp-cli set-mode warp # Full WARP (VPN-like) +# - warp-cli set-mode doh # DNS-over-HTTPS only +# +# Note: Free tier available, paid WARP+ for faster speeds +################################################################################# + +set -euo pipefail + +# Colors +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +CYAN='\033[0;36m' +NC='\033[0m' + +echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" +echo -e "${CYAN} Cloudflare WARP Installation${NC}" +echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" +echo "" + +# Check if already installed +if command -v warp-cli &>/dev/null; then + echo -e "${YELLOW}Cloudflare WARP is already installed${NC}" + warp-cli --version + echo "" + read -p "Reinstall? [y/N] " -n 1 -r + echo + if [[ ! $REPLY =~ ^[Yy]$ ]]; then + echo -e "${GREEN}Skipping installation${NC}" + exit 0 + fi +fi + +# Detect distro +if [[ -f /etc/os-release ]]; then + . 
/etc/os-release + DISTRO_ID="${ID:-unknown}" + DISTRO_CODENAME="${VERSION_CODENAME:-$(lsb_release -cs 2>/dev/null || echo 'unknown')}" +else + echo -e "${RED}Cannot detect distribution${NC}" + exit 1 +fi + +echo -e "${GREEN}Detected:${NC} $DISTRO_ID ($DISTRO_CODENAME)" +echo "" + +# Handle Debian trixie/sid -> use bookworm packages +case "$DISTRO_CODENAME" in + trixie|sid|testing) + echo -e "${YELLOW}Note: Using bookworm packages for $DISTRO_CODENAME${NC}" + DISTRO_CODENAME="bookworm" + ;; +esac + +# Add Cloudflare GPG key +echo -e "${GREEN}[1/4]${NC} Adding Cloudflare GPG key..." +curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg + +# Fix permissions (must be world-readable for apt) +sudo chmod 644 /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg + +# Add repository +echo -e "${GREEN}[2/4]${NC} Adding Cloudflare repository..." +echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ ${DISTRO_CODENAME} main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list > /dev/null + +# Update and install +echo -e "${GREEN}[3/4]${NC} Updating package lists..." +sudo apt-get update + +echo -e "${GREEN}[4/4]${NC} Installing cloudflare-warp..." 
+sudo apt-get install -y cloudflare-warp + +echo "" +echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" +echo -e "${GREEN}✓${NC} Cloudflare WARP installed successfully" +echo -e "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" +echo "" +echo -e "${YELLOW}First-time setup:${NC}" +echo -e " ${CYAN}warp-cli registration new${NC} # Register device (one-time)" +echo -e " ${CYAN}warp-cli connect${NC} # Connect to WARP" +echo "" +echo -e "${YELLOW}Common commands:${NC}" +echo -e " ${CYAN}warp-cli status${NC} # Check connection status" +echo -e " ${CYAN}warp-cli disconnect${NC} # Disconnect" +echo -e " ${CYAN}warp-cli set-mode doh${NC} # DNS-over-HTTPS only (no VPN)" +echo -e " ${CYAN}warp-cli set-mode warp${NC} # Full WARP routing" +echo "" diff --git a/tools/croc/install.sh b/tools/croc/install.sh new file mode 100755 index 0000000..5524c20 --- /dev/null +++ b/tools/croc/install.sh 
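Review bot: The key step `curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg` installs whatever the download returns as an apt signing key without comparing its fingerprint to a value recorded in the script, which is exactly the fingerprint check the repository README requires for every tool. `DISTRO_ID` is read from /etc/os-release but never used to stop on a non-apt distribution, so on Fedora or Arch the keyring is written before `sudo apt-get update` finally fails; a guard such as `[[ "$DISTRO_ID" =~ ^(debian|ubuntu)$ ]] || { echo "unsupported distro $DISTRO_ID" >&2; exit 1; }` would be consistent with the detection already done. The rewrite below fetches the key to a temporary file, compares its fingerprint with a constant (the placeholder must be replaced with the fingerprint Cloudflare publishes in its package documentation) and only then dearmors it into the keyring; the repository line and the apt-get steps are unchanged.
```shell
# Add Cloudflare GPG key — verify the fingerprint before apt is allowed to trust it
readonly KEYRING=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
readonly EXPECTED_FPR="<PLACEHOLDER: Cloudflare package-signing key fingerprint from Cloudflare's docs>"
tmpkey=$(mktemp) || exit 1
trap 'rm -f -- "$tmpkey"' EXIT
echo -e "${GREEN}[1/4]${NC} Adding Cloudflare GPG key..."
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg -o "$tmpkey"
actual_fpr=$(gpg --show-keys --with-colons "$tmpkey" | awk -F: '$1 == "fpr" {print $10; exit}')
if [[ "$actual_fpr" != "${EXPECTED_FPR//[[:space:]]/}" ]]; then
  echo -e "${RED}GPG key fingerprint mismatch (got ${actual_fpr:-none}) — aborting${NC}" >&2
  exit 1
fi
sudo gpg --yes --dearmor --output "$KEYRING" "$tmpkey"
# Fix permissions (must be world-readable for apt)
sudo chmod 644 "$KEYRING"
# … unchanged: repository line, apt-get update, apt-get install …
```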
@@ -0,0 +1,67 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# Croc Installation Script +# ============================================================================== +# Installs croc - Secure, fast file transfer tool +# +# Threat Model: +# - Insecure file transfer methods (email, Dropbox, USB drives) +# - Cloud storage snooping and data breaches +# - Man-in-the-middle attacks during file transfer +# - Metadata exposure in file sharing +# +# How Croc Protects: +# - End-to-end encryption using PAKE (Password Authenticated Key Exchange) +# - No account or login required +# - Direct peer-to-peer transfer (optional relay for NAT traversal) +# - Automatic compression +# - Resume capability for interrupted transfers +# +# Source: https://github.com/schollz/croc +# ============================================================================== + +# Colors +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } + +echo "=== Croc Installation ===" +echo "" + +log "Downloading and installing croc..." +curl https://getcroc.schollz.com | bash + +echo "" +log "Verifying installation..." +if command -v croc >/dev/null 2>&1; then + log "✅ Croc installed successfully!" + croc --version +else + warn "Croc not found in PATH - may need to add ~/.local/bin to PATH" + exit 1 +fi + +echo "" +echo "=== Installation Complete ===" +echo "" +echo "Usage Examples:" +echo "" +echo " Send a file:" +echo " croc send myfile.pdf" +echo " # Share the code phrase with recipient" +echo "" +echo " Receive a file:" +echo " croc 1234-code-word-phrase" +echo "" +echo " Send entire directory:" +echo " croc send /path/to/folder" +echo "" +echo " Custom code phrase:" +echo " croc send --code my-secret-phrase file.txt" +echo "" +echo "📖 Documentation: https://github.com/schollz/croc" 
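Review bot: `curl https://getcroc.schollz.com | bash` runs whatever the server returns, and because `-f` is missing an HTTP error page or a truncated body is fed to bash as well; `set -o pipefail` only reports the failed transfer after bash has already executed what arrived. Download to a temporary file first, fail on HTTP errors, and run the file only once the transfer has completed, as sketched below. Stronger still is pinning a croc release from the GitHub page the header already cites and comparing the downloaded archive against the checksum published with that release before installing. The header comment's threat model covers the transfer tool but not the installer fetch itself; a one-line `# Installer is fetched over HTTPS only; see the release page for checksums` would make that explicit.
```shell
# … unchanged: header, colors, log/warn …
log "Downloading croc installer..."
installer=$(mktemp) || exit 1
trap 'rm -f -- "$installer"' EXIT
# -f: fail on HTTP errors instead of handing an error page to bash;
# --proto '=https' --tlsv1.2: refuse any transport downgrade on redirect.
curl -fsSL --proto '=https' --tlsv1.2 -o "$installer" https://getcroc.schollz.com
log "Running installer (review $installer first if in doubt)..."
bash "$installer"
# … unchanged: verification and usage text …
```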
diff --git a/tools/cryptomator/VERIFICATION.md b/tools/cryptomator/VERIFICATION.md
new file mode 100644
index 0000000..9ea111b
--- /dev/null
+++ b/tools/cryptomator/VERIFICATION.md
@@ -0,0 +1,112 @@ +# Cryptomator Installation Verification Guide + +## 🔐 Verify Before Installing + +**ALWAYS verify cryptographic signatures and checksums before installing security software!** + +### Step 1: Download Files + +Download both the .deb package AND the .asc signature file from: +https://github.com/cryptomator/cryptomator/releases + +Example for version 1.18.0: +```bash +wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb +wget https://github.com/cryptomator/cryptomator/releases/download/1.18.0/cryptomator_1.18.0-0ppa1_amd64.deb.asc +``` + +### Step 2: Import Cryptomator GPG Key + +```bash +# Import the official Cryptomator release key +gpg --keyserver keyserver.ubuntu.com --recv-keys 615D449FE6E6A235 + +# Verify the fingerprint matches official: +gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235 +``` + +**Expected fingerprint:** +``` +5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235 +``` + +**If the fingerprint doesn't match, DO NOT INSTALL!** + +### Step 3: Verify SHA256 Checksum + +Get the SHA256 from the GitHub release page, then verify: + +```bash +sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb" +``` + +Expected output: +``` +cryptomator_1.18.0-0ppa1_amd64.deb: OK +``` + +### Step 4: Verify GPG Signature + +```bash +gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb +``` + +Expected output: +``` +gpg: Good signature from "Cryptobot " [unknown] +``` + +**The "unknown" trust is fine** - it just means you haven't personally signed their key. 
The important parts: +- ✅ "Good signature" +- ✅ Fingerprint matches official +- ✅ Signature date is reasonable (not from years ago) + +### Step 5: Install + +```bash +sudo dpkg -i cryptomator_1.18.0-0ppa1_amd64.deb +``` + +## 🚨 Red Flags (DO NOT INSTALL if you see these) + +- ❌ Fingerprint mismatch +- ❌ "BAD signature" +- ❌ "No public key" (key import failed) +- ❌ Checksum mismatch +- ❌ Can't download .asc file (unsigned package) + +## 📖 Official Resources + +- Release Downloads: https://github.com/cryptomator/cryptomator/releases +- GPG Key Info: https://github.com/cryptomator/cryptomator/blob/develop/GPG-KEY.md +- Security Advisory: https://cryptomator.org/security/ + +## ✅ Verification Example (Real Output) + +``` +❯ sha256sum -c <<< "9fcb87e21ef563820930fdc42daff6d0c9c1b1d7b8b6e8ab6d47c8d7fdee625d cryptomator_1.18.0-0ppa1_amd64.deb" +cryptomator_1.18.0-0ppa1_amd64.deb: OK + +❯ gpg --fingerprint 58117AFA1F85B3EEC154677D615D449FE6E6A235 +pub rsa4096 2020-08-18 [SC] [expires: 2031-01-01] + 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235 +uid [ unknown] Cryptobot + +❯ gpg --verify cryptomator_1.18.0-0ppa1_amd64.deb.asc cryptomator_1.18.0-0ppa1_amd64.deb +gpg: Signature made Wed 12 Nov 2025 09:29:25 AM MST +gpg: using RSA key 58117AFA1F85B3EEC154677D615D449FE6E6A235 +gpg: Good signature from "Cryptobot " [unknown] +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: 5811 7AFA 1F85 B3EE C154 677D 615D 449F E6E6 A235 +``` + +✅ All checks passed - safe to install! + +--- + +**Remember**: This verification process protects you from: +- Corrupted downloads +- Man-in-the-middle attacks +- Compromised mirrors +- Trojanized packages diff --git a/tools/cryptomator/install.sh b/tools/cryptomator/install.sh new file mode 100755 index 0000000..5c1177c --- /dev/null +++ b/tools/cryptomator/install.sh 
@@ -0,0 +1,125 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# Cryptomator Installation Script +# ============================================================================== +# Installs Cryptomator - Client-side cloud storage encryption +# +# Threat Model: +# - Cloud provider snooping (Dropbox, Google Drive, etc.) +# - Data breaches exposing cloud files +# - Government data requests to cloud providers +# - Cloud employee access to files +# +# How Cryptomator Protects: +# - Client-side encryption before files leave your computer +# - Zero-knowledge: Cloud provider can't decrypt files +# - Encrypts filenames and directory structure +# - Works with any cloud provider (Dropbox, GDrive, OneDrive, etc.) +# +# Source: https://cryptomator.org/ +# ============================================================================== + +# Colors +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly RED='\033[0;31m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; } + +echo "=== Cryptomator Installation ===" +echo "" +echo "Choose installation method:" +echo " 1) .deb package (recommended - better system integration)" +echo " 2) AppImage (portable, works across distros)" +echo "" +read -p "Enter choice [1-2]: " choice + +case $choice in + 1) + log "Installing Cryptomator .deb package..." + + # Get latest release + log "Fetching latest release..." + LATEST_URL=$(curl -s https://api.github.com/repos/cryptomator/cryptomator/releases/latest \ + | grep "browser_download_url.*amd64.deb" \ + | cut -d '"' -f 4) + + if [ -z "$LATEST_URL" ]; then + error "Could not find latest .deb package" + fi + + log "Downloading from: $LATEST_URL" + cd /tmp + wget -O cryptomator.deb "$LATEST_URL" + + log "Installing .deb package..." 
+ sudo apt install -y ./cryptomator.deb + + rm cryptomator.deb + log "✅ Cryptomator .deb installed" + ;; + + 2) + log "Installing Cryptomator AppImage..." + + # Get latest AppImage + log "Fetching latest release..." + LATEST_URL=$(curl -s https://api.github.com/repos/cryptomator/cryptomator/releases/latest \ + | grep "browser_download_url.*x86_64.AppImage\"" \ + | cut -d '"' -f 4) + + if [ -z "$LATEST_URL" ]; then + error "Could not find latest AppImage" + fi + + log "Downloading from: $LATEST_URL" + mkdir -p ~/.local/bin + cd ~/.local/bin + wget -O Cryptomator.AppImage "$LATEST_URL" + chmod +x Cryptomator.AppImage + + # Create desktop entry + log "Creating desktop entry..." + mkdir -p ~/.local/share/applications + cat > ~/.local/share/applications/cryptomator.desktop << 'DESKTOP' +[Desktop Entry] +Name=Cryptomator +Exec=$HOME/.local/bin/Cryptomator.AppImage +Icon=cryptomator +Type=Application +Categories=Utility;Security; +DESKTOP + + log "✅ Cryptomator AppImage installed to ~/.local/bin/Cryptomator.AppImage" + ;; + + *) + error "Invalid choice" + ;; +esac + +echo "" +log "Verifying installation..." +if command -v cryptomator >/dev/null 2>&1 || [ -f ~/.local/bin/Cryptomator.AppImage ]; then + log "✅ Cryptomator installed successfully!" +else + warn "Installation verification failed" +fi + +echo "" +echo "=== Installation Complete ===" +echo "" +echo "Usage:" +echo " 1. Launch Cryptomator from application menu" +echo " 2. Create a new vault in your cloud storage folder" +echo " 3. Set a strong password" +echo " 4. Unlock vault and mount it" +echo " 5. Copy files into mounted vault" +echo " 6. Files are encrypted before sync to cloud!" +echo "" +echo "📖 Documentation: https://docs.cryptomator.org/" diff --git a/tools/dangerzone/README.md b/tools/dangerzone/README.md new file mode 100644 index 0000000..eca6875 --- /dev/null +++ b/tools/dangerzone/README.md 
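Review bot: The .deb branch runs `sudo apt install -y ./cryptomator.deb` straight after the download, without fetching the `.asc` or checking the signature — the very steps tools/cryptomator/VERIFICATION.md in this same commit says must never be skipped. The asset grep `browser_download_url.*amd64.deb` is also unanchored, so it matches the `.deb.asc` asset too and `LATEST_URL` can come back as two lines (the AppImage branch already anchors on the closing quote). A verification step using the release-key fingerprint that VERIFICATION.md documents is sketched below, and the fixed filename in the shared `/tmp` is replaced by `mktemp -d`. Separately, the AppImage desktop entry is written through a quoted heredoc, so `Exec=$HOME/.local/bin/Cryptomator.AppImage` stays literal and desktop launchers do not expand it; write the expanded path (`Exec=${HOME}/.local/bin/Cryptomator.AppImage`) from an unquoted heredoc.
```shell
# … unchanged: header, colors, log/warn/error, menu …
    1)
        log "Installing Cryptomator .deb package..."
        log "Fetching latest release..."
        release_json=$(curl -fsSL https://api.github.com/repos/cryptomator/cryptomator/releases/latest)
        # Anchor on the closing quote so the .deb.asc asset is not matched as well
        LATEST_URL=$(grep -o '"browser_download_url": *"[^"]*amd64\.deb"' <<<"$release_json" \
            | cut -d '"' -f 4 | head -1)
        [ -n "$LATEST_URL" ] || error "Could not find latest .deb package"

        workdir=$(mktemp -d) || error "mktemp failed"
        trap 'rm -rf -- "$workdir"' EXIT
        cd "$workdir"
        wget -O cryptomator.deb "$LATEST_URL"
        wget -O cryptomator.deb.asc "${LATEST_URL}.asc"

        # Same check as tools/cryptomator/VERIFICATION.md: the signature must come
        # from the documented release key, not merely be "a good signature".
        gpg --keyserver keyserver.ubuntu.com --recv-keys 615D449FE6E6A235
        gpg --status-fd 1 --verify cryptomator.deb.asc cryptomator.deb \
            | grep -q '^\[GNUPG:\] VALIDSIG .*58117AFA1F85B3EEC154677D615D449FE6E6A235' \
            || error "Signature verification failed - not installing"

        log "Installing .deb package..."
        sudo apt install -y ./cryptomator.deb
        ;;
# … unchanged: AppImage branch, verification, usage text …
```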
@@ -0,0 +1,115 @@ +# Dangerzone - Document Sanitization + +**Convert potentially dangerous PDFs and Office documents into safe PDFs** + +## 🎯 Threat Model + +### What Problem Does This Solve? + +PDF and Office documents can contain: +- Embedded malware and exploits +- Tracking beacons that phone home when opened +- Active content (JavaScript, macros) that can compromise your system +- Hidden layers and metadata + +Opening untrusted documents is a **major attack vector**. + +### How Dangerzone Protects You + +1. **Container Isolation**: Opens document in a disposable container +2. **Pixel Conversion**: Renders each page to pixels (destroying any code) +3. **Safe Reconstruction**: Rebuilds a clean PDF from the pixels +4. **Metadata Stripping**: Removes all potentially identifying metadata + +Result: A safe, pixel-perfect copy of the document without any embedded threats. + +## 🚀 Installation + +```bash +cd ~/github/privacy-toolkit +./tools/dangerzone/install.sh +``` + +Or run directly: +```bash +bash <(curl -s https://raw.githubusercontent.com/YOUR_USERNAME/privacy-toolkit/main/tools/dangerzone/install.sh) +``` + +## 📖 Usage + +### GUI Method +1. Launch "Dangerzone" from your application menu +2. Drag and drop a PDF or Office document +3. Wait for sanitization (can take a few minutes for large docs) +4. Get your safe PDF + +### Right-Click Method +1. Right-click any PDF file +2. Select "Open with Dangerzone" +3. 
Sanitized PDF will be created in the same directory + +### Command Line +```bash +# Sanitize a PDF +dangerzone document.pdf + +# Sanitize multiple files +dangerzone file1.pdf file2.docx file3.xlsx + +# Specify output directory +dangerzone -o /safe/directory document.pdf +``` + +## 🔍 When to Use Dangerzone + +**Always sanitize:** +- ✅ Documents from email attachments +- ✅ Downloads from the internet +- ✅ Documents from USB drives +- ✅ Any document from untrusted sources +- ✅ Journalist source materials +- ✅ Legal documents from unknown parties + +**Less critical:** +- Documents you created yourself +- Documents from verified, trusted colleagues (but still good practice!) + +## ⚠️ Limitations + +- **File Size**: Dangerzone creates larger files (pixel-based PDFs) +- **Processing Time**: Can be slow for large documents (requires rendering) +- **Text Selection**: Text becomes images (not searchable/selectable) +- **Forms**: Interactive PDF forms become static + +**Trade-off**: Security vs. convenience. Dangerzone prioritizes security. + +## 🛠️ Technical Details + +**Architecture:** +- Uses Podman or Docker for containerization +- Runs untrusted code in isolated sandbox +- Converts to pixels using LibreOffice/GraphicsMagick +- Rebuilds PDF using safe rendering engine + +**Supported Formats:** +- PDF +- Microsoft Office: .docx, .xlsx, .pptx +- LibreOffice: .odt, .ods, .odp + +## 🔗 Resources + +- Official Website: https://dangerzone.rocks/ +- Source Code: https://github.com/freedomofpress/dangerzone +- Freedom of the Press Foundation: https://freedom.press/ + +## 🤝 Related Tools + +- **mat2**: Metadata removal (keeps documents editable) +- **ExifCleaner**: Quick metadata stripping +- **Qubes OS**: Full system isolation for maximum security + +--- + +**Maintained by**: Freedom of the Press Foundation +**License**: AGPL-3.0 +**Last Updated**: 2025-11-12 diff --git a/tools/dangerzone/install.sh b/tools/dangerzone/install.sh new file mode 100755 index 0000000..a13f4a6 
--- /dev/null
+++ b/tools/dangerzone/install.sh
@@ -0,0 +1,138 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# Dangerzone Installation Script +# ============================================================================== +# Installs Dangerzone - PDF/Office document sanitizer using container isolation +# +# Threat Model: +# - Malicious PDF/Office documents with embedded exploits +# - Opening untrusted documents can compromise your system +# - Dangerzone converts documents in isolated containers, then re-renders +# them safely, removing any potential malware +# +# Source: Freedom of the Press Foundation +# Official Docs: https://dangerzone.rocks/ +# ============================================================================== + +# Colors +readonly RED='\033[0;31m' +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; } + +# Detect distro +detect_distro() { + if [ -f /etc/os-release ]; then + . /etc/os-release + echo "$ID" + else + error "Cannot detect distribution" + fi +} + +# Install for Debian/Ubuntu +install_debian() { + log "Installing Dangerzone for Debian/Ubuntu..." + + # Install prerequisites + log "Installing prerequisites..." + sudo apt-get update + sudo apt-get install -y gpg ca-certificates + + # Create keyrings directory + sudo mkdir -p /etc/apt/keyrings + + # Download and add GPG key + log "Adding Freedom of the Press Foundation GPG key..." + sudo gpg --keyserver hkps://keys.openpgp.org \ + --no-default-keyring --no-permission-warning --homedir $(mktemp -d) \ + --keyring gnupg-ring:/etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg \ + --recv-keys DE28AB241FA48260FAC9B8BAA7C9B38522604281 + + # FIX: Make keyring world-readable so APT can verify signatures + log "Fixing keyring permissions..." 
+ sudo chmod 644 /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg + + # Add repository + log "Adding Dangerzone repository..." + . /etc/os-release + echo "deb [signed-by=/etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg] \ + https://packages.freedom.press/apt-tools-prod ${VERSION_CODENAME?} main" \ + | sudo tee /etc/apt/sources.list.d/fpf-apt-tools.list + + # Install Dangerzone + log "Installing Dangerzone..." + sudo apt update + sudo apt install -y dangerzone + + log "✅ Dangerzone installed successfully!" +} + +# Install for Fedora +install_fedora() { + warn "Fedora installation not yet implemented" + error "Please install manually: https://dangerzone.rocks/" +} + +# Verify installation +verify_installation() { + log "Verifying installation..." + + if command -v dangerzone >/dev/null 2>&1; then + log "✅ Dangerzone command found" + dangerzone --version || true + else + error "Dangerzone not found in PATH" + fi + + # Check if container runtime is available + if command -v podman >/dev/null 2>&1; then + log "✅ Podman available (container runtime)" + elif command -v docker >/dev/null 2>&1; then + log "✅ Docker available (container runtime)" + else + warn "No container runtime found - Dangerzone may not work" + fi +} + +# Main +main() { + echo "=== Dangerzone Installation ===" + echo "" + + DISTRO=$(detect_distro) + log "Detected distribution: $DISTRO" + + case "$DISTRO" in + debian|ubuntu) + install_debian + ;; + fedora) + install_fedora + ;; + *) + error "Unsupported distribution: $DISTRO" + ;; + esac + + echo "" + verify_installation + + echo "" + echo "=== Installation Complete ===" + echo "" + echo "Usage:" + echo " 1. Launch from application menu: 'Dangerzone'" + echo " 2. Or right-click any PDF → 'Open with Dangerzone'" + echo " 3. Or from terminal: dangerzone /path/to/document.pdf" + echo "" + echo "📖 Documentation: https://dangerzone.rocks/" +} + +main "$@" 
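Review bot: In install_debian the `--homedir $(mktemp -d)` is unquoted (ShellCheck SC2046) and the directory, populated by root, is never removed, so every run leaves a root-owned GnuPG home behind in the temp directory. Capture it first and drop it afterwards: `gpg_home=$(mktemp -d) || error "mktemp failed"`, then `--no-default-keyring --no-permission-warning --homedir "$gpg_home" \`, and `sudo rm -rf -- "${gpg_home:?}"` once the keyring has been written. Since the key is requested by full fingerprint from keys.openpgp.org, gpg should discard a non-matching key, but a post-import `gpg --no-default-keyring --keyring /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg --fingerprint` compared against `DE28AB241FA48260FAC9B8BAA7C9B38522604281` would make the trust anchor explicit in the log. The sources line also uses `${VERSION_CODENAME?}` unmapped, whereas the Cloudflare script earlier in this commit maps trixie/sid to a supported suite; whether packages.freedom.press carries those codenames is not visible here, so a comment stating the expectation would help.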
diff --git a/tools/frame/README.md b/tools/frame/README.md
new file mode 100644
index 0000000..f905912
--- /dev/null
+++ b/tools/frame/README.md
@@ -0,0 +1,85 @@ +# Frame Wallet + +Privacy-focused, system-wide web3 wallet for Linux. + +## What is Frame? + +Frame is a native OS-level wallet that provides: +- Hardware wallet support (Ledger, Trezor, GridPlus Lattice) +- Multi-chain support (Ethereum, Optimism, Arbitrum, Polygon, etc.) +- System tray integration +- No browser extension required +- Open source and auditable + +## Why Frame? + +**Privacy Benefits:** +- No tracking or analytics +- Open source (MIT license) +- No account required +- Works offline for signing + +**Security Benefits:** +- Hardware wallet isolation from browser +- Native OS process (not a browser extension) +- System-level permission model +- No extension attack surface + +## Installation + +```bash +./install.sh +``` + +This will: +1. Install Frame from official sources +2. Create X11-mode launcher at `~/bin/frame` +3. Create desktop entry with proper Electron flags + +## Display Compatibility + +Frame is an Electron app. The install script forces X11 mode for stability: + +```bash +--ozone-platform=x11 # Force X11 (Wayland has issues) +``` + +If you want to try Wayland, edit `~/bin/frame` and use: +- Auto-detect: `--ozone-platform-hint=auto` +- Pure Wayland: `--enable-features=UseOzonePlatform --ozone-platform=wayland` + +## Usage + +```bash +frame # Launch Frame +``` + +Then: +1. Click the Frame icon in system tray +2. Add accounts (hot wallet or hardware) +3. Connect to dapps via Frame's injected provider + +## Hardware Wallet Setup + +### Ledger +1. Install Ledger Live and update firmware +2. Install Ethereum app on Ledger +3. Enable "Blind signing" in Ethereum app settings +4. Connect Ledger and unlock +5. Frame will detect it automatically + +### Trezor +1. Update Trezor firmware via Trezor Suite +2. Connect Trezor +3. Frame will prompt for PIN + +### GridPlus Lattice +1. Pair Lattice via Frame settings +2. 
Frame connects over network + +## Resources + +- [Frame Website](https://frame.sh/) +- [Documentation](https://docs.frame.sh/) +- [GitHub](https://github.com/floating/frame) +- [Discord](https://discord.gg/frame) diff --git a/tools/frame/install.sh b/tools/frame/install.sh new file mode 100755 index 0000000..98f42d3 --- /dev/null +++ b/tools/frame/install.sh 
@@ -0,0 +1,176 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# Frame Wallet Installation Script +# ============================================================================== +# Installs Frame - A privacy-focused, system-wide web3 wallet +# +# Features: +# - Hardware wallet support (Ledger, Trezor, GridPlus) +# - Multi-chain support (Ethereum, Optimism, Arbitrum, etc.) +# - Native OS integration (system tray, browser extension not required) +# - Privacy-focused (no tracking, open source) +# +# Threat Model: +# - Protects against browser extension attacks +# - Hardware wallet isolation from browser +# - No phone-home or analytics +# - Open source and auditable +# +# Source: https://frame.sh/ +# GitHub: https://github.com/floating/frame +# ============================================================================== + +# Colors +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly RED='\033[0;31m' +readonly BLUE='\033[0;34m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; } +header() { echo -e "${BLUE}=== $* ===${NC}"; } + +header "Frame Wallet Installation" +echo "" +echo "Frame is a privacy-focused system-wide web3 wallet" +echo "" +echo "This script will:" +echo " 1. Install Frame from official .deb package" +echo " 2. Create launcher with Wayland compatibility" +echo " 3. Add desktop entry with proper Electron flags" +echo "" +read -p "Continue? [Y/n]: " confirm +[[ "${confirm:-Y}" =~ ^[Nn] ]] && exit 0 + +# ============================================================================== +# Check if already installed +# ============================================================================== +if command -v frame &>/dev/null; then + log "Frame is already installed at $(which frame)" + echo "" + read -p "Reinstall/update? [y/N]: " reinstall + [[ ! 
"${reinstall:-N}" =~ ^[Yy] ]] && exit 0 +fi + +# ============================================================================== +# Install Frame +# ============================================================================== +header "Installing Frame" + +# Method 1: Try apt repository first +log "Checking for Frame in apt..." +if apt-cache show frame &>/dev/null 2>&1; then + log "Installing from apt repository..." + sudo apt update + sudo apt install -y frame +else + # Method 2: Download .deb from GitHub releases + log "Downloading from GitHub releases..." + + LATEST_URL=$(curl -s https://api.github.com/repos/floating/frame/releases/latest \ + | grep "browser_download_url.*amd64.deb" \ + | cut -d '"' -f 4 \ + | head -1) + + if [ -z "$LATEST_URL" ]; then + error "Could not find latest Frame .deb release" + fi + + log "Downloading from: $LATEST_URL" + cd /tmp + curl -L -o frame.deb "$LATEST_URL" + + log "Installing .deb package..." + sudo apt install -y ./frame.deb + rm frame.deb +fi + +# ============================================================================== +# Create X11 Launcher (Wayland has issues with Electron) +# ============================================================================== +header "Creating X11 Launcher" + +mkdir -p ~/bin + +cat > ~/bin/frame << 'EOF' +#!/bin/bash +# Frame launcher - Force X11 for stability (Wayland has issues with Electron) +exec /opt/Frame/frame --ozone-platform=x11 "$@" +EOF +chmod +x ~/bin/frame + +log "Created ~/bin/frame launcher" + +# ============================================================================== +# Create desktop entry +# ============================================================================== +header "Creating Desktop Entry" + +mkdir -p ~/.local/share/applications + +cat > ~/.local/share/applications/frame.desktop << 'EOF' +[Desktop Entry] +Name=Frame +Comment=System-wide web3 wallet +Exec=/home/e/bin/frame %U +Terminal=false +Type=Application +Icon=frame +StartupWMClass=Frame 
+Categories=Utility;Finance; +EOF + +# Update icon path +sed -i "s|/home/e|$HOME|g" ~/.local/share/applications/frame.desktop + +log "Created desktop entry" + +# ============================================================================== +# Verify Installation +# ============================================================================== +header "Verifying Installation" + +echo "" +if [ -f /opt/Frame/frame ]; then + echo " ✅ Frame binary installed at /opt/Frame/frame" +else + echo " ❌ Frame binary not found" +fi + +if [ -f ~/bin/frame ]; then + echo " ✅ Wayland launcher created at ~/bin/frame" +else + echo " ❌ Launcher not created" +fi + +if [ -f ~/.local/share/applications/frame.desktop ]; then + echo " ✅ Desktop entry created" +else + echo " ❌ Desktop entry not created" +fi + +# ============================================================================== +# Usage Instructions +# ============================================================================== +echo "" +header "Installation Complete" +echo "" +echo "Usage:" +echo " frame - Launch Frame wallet" +echo "" +echo "Features:" +echo " - Connect hardware wallets (Ledger, Trezor, GridPlus)" +echo " - Multi-chain support (ETH, OP, ARB, MATIC, etc.)" +echo " - System tray integration" +echo " - Privacy-focused (no tracking)" +echo "" +echo "Wayland Notes:" +echo " - Launcher uses --ozone-platform-hint=auto for auto-detection" +echo " - Edit ~/bin/frame if you need to force X11 or Wayland mode" +echo "" +echo "📖 Documentation: https://docs.frame.sh/" +echo "🔗 GitHub: https://github.com/floating/frame" diff --git a/tools/librewolf/install.sh b/tools/librewolf/install.sh new file mode 100755 index 0000000..18621ef --- /dev/null +++ b/tools/librewolf/install.sh 
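Review bot: The GitHub fallback installs `frame.deb` with root privileges after `curl -L -o frame.deb "$LATEST_URL"`, which has neither `-f` (an HTTP error body would be handed to apt) nor any checksum or signature check, for a wallet that will hold signing keys; at minimum use `curl -fsSL -o frame.deb "$LATEST_URL"`, and pin a release tag and compare the `.deb` against a checksum published with that release before `apt install`, if the project ships one. The status output also disagrees with what was written: the launcher is created with `--ozone-platform=x11`, yet the verification prints `✅ Wayland launcher created` and the closing notes say `Launcher uses --ozone-platform-hint=auto`; align both with the actual flag (the README in this commit describes X11 as the default). Writing `Exec=/home/e/bin/frame %U` and patching it with `sed -i "s|/home/e|$HOME|g"` is fragile whenever `$HOME` contains a `|`, `&` or backslash; emit `Exec=$HOME/bin/frame %U` from an unquoted heredoc instead and drop the sed.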
@@ -0,0 +1,155 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# LibreWolf Browser Installation +# ============================================================================== +# Privacy-focused Firefox fork with enhanced security defaults +# - No telemetry +# - uBlock Origin pre-installed +# - Enhanced tracking protection +# - Privacy-respecting search defaults +# ============================================================================== + +# Colors +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly BLUE='\033[0;34m' +readonly RED='\033[0;31m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +error() { echo -e "${RED}[ERROR]${NC} $*"; } +section() { echo -e "${BLUE}=== $* ===${NC}"; } + +section "LibreWolf Browser Installation" +echo "" + +# Check if already installed +if command -v librewolf &>/dev/null; then + log "LibreWolf already installed: $(librewolf --version 2>/dev/null | head -1 || echo 'version check failed')" + read -p "Reinstall/upgrade? [y/N] " -n 1 -r + echo + if [[ ! $REPLY =~ ^[Yy]$ ]]; then + log "Skipping installation" + exit 0 + fi +fi + +# Detect distro +if [ -f /etc/os-release ]; then + . /etc/os-release + DISTRO="${ID:-unknown}" + DISTRO_VERSION="${VERSION_CODENAME:-${VERSION_ID:-unknown}}" +else + error "Cannot detect distribution" + exit 1 +fi + +log "Detected: $DISTRO $DISTRO_VERSION" + +case "$DISTRO" in + debian|ubuntu|linuxmint|pop) + section "Installing via LibreWolf APT Repository" + + # Install dependencies + log "Installing dependencies..." + sudo apt update + sudo apt install -y curl gnupg lsb-release apt-transport-https ca-certificates + + # Add LibreWolf repo + log "Adding LibreWolf repository..." 
+ + # Get the distro codename (LibreWolf uses Debian/Ubuntu codenames) + if [[ "$DISTRO" == "debian" ]]; then + REPO_CODENAME="$DISTRO_VERSION" + elif [[ "$DISTRO" == "ubuntu" || "$DISTRO" == "linuxmint" || "$DISTRO" == "pop" ]]; then + # For Ubuntu derivatives, try to get the Ubuntu base codename + REPO_CODENAME="$DISTRO_VERSION" + else + REPO_CODENAME="bookworm" # Fallback to Debian stable + fi + + # Download and add the signing key + curl -fsSL https://deb.librewolf.net/keyring.gpg | sudo gpg --dearmor -o /usr/share/keyrings/librewolf.gpg + + # Add the repository + echo "deb [arch=amd64 signed-by=/usr/share/keyrings/librewolf.gpg] https://deb.librewolf.net $REPO_CODENAME main" | \ + sudo tee /etc/apt/sources.list.d/librewolf.list > /dev/null + + # Update and install + log "Installing LibreWolf..." + sudo apt update + sudo apt install -y librewolf + ;; + + fedora|rhel|centos) + section "Installing via LibreWolf RPM Repository" + + # Add LibreWolf repo + log "Adding LibreWolf repository..." + sudo dnf config-manager --add-repo https://rpm.librewolf.net/librewolf-repo.repo + + # Install + log "Installing LibreWolf..." + sudo dnf install -y librewolf + ;; + + arch|manjaro|endeavouros) + section "Installing via AUR" + + if command -v yay &>/dev/null; then + log "Installing via yay..." + yay -S --noconfirm librewolf-bin + elif command -v paru &>/dev/null; then + log "Installing via paru..." + paru -S --noconfirm librewolf-bin + else + warn "No AUR helper found (yay/paru)" + log "Installing librewolf-bin manually..." + + cd /tmp + git clone https://aur.archlinux.org/librewolf-bin.git + cd librewolf-bin + makepkg -si --noconfirm + cd .. + rm -rf librewolf-bin + fi + ;; + + *) + error "Unsupported distribution: $DISTRO" + log "Please install manually from: https://librewolf.net/installation/" + exit 1 + ;; +esac + +# Verify installation +echo "" +if command -v librewolf &>/dev/null; then + section "Installation Complete!" 
+ log "LibreWolf installed successfully" + log "Version: $(librewolf --version 2>/dev/null | head -1 || echo 'check manually')" + echo "" + log "Launch with: librewolf" + log "Documentation: https://librewolf.net/" +else + error "Installation may have failed - librewolf command not found" + exit 1 +fi + +echo "" +section "Privacy Features Enabled by Default" +echo "" +cat << 'EOF' + - Telemetry completely disabled + - uBlock Origin pre-installed + - Enhanced Tracking Protection (Strict) + - First-party isolation enabled + - Fingerprinting protection enabled + - HTTPS-Only Mode enabled + - WebRTC leak prevention + - Privacy-respecting search (DuckDuckGo default) +EOF +echo "" diff --git a/tools/meeting-record/README.md b/tools/meeting-record/README.md new file mode 100644 index 0000000..3a35e49 --- /dev/null +++ b/tools/meeting-record/README.md 
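Review bot: The comment in the apt branch says the Ubuntu-derivative case should "try to get the Ubuntu base codename", but it assigns `$DISTRO_VERSION`, which for linuxmint/pop is the derivative's own `VERSION_CODENAME` and not a suite the LibreWolf repository is likely to serve. Those distributions expose the base in `UBUNTU_CODENAME`, already in scope after `. /etc/os-release`; use `REPO_CODENAME="${UBUNTU_CODENAME:-$DISTRO_VERSION}"` in that branch. The `else` fallback to `bookworm` is unreachable, because the enclosing case arm only admits the four IDs the two `if` branches already cover. The keyring is written straight from `curl | sudo gpg --dearmor` with no fingerprint check, so the trust anchor is only the TLS connection to deb.librewolf.net; recording the expected fingerprint and comparing it after import, as tools/cryptomator/VERIFICATION.md in this commit does, would make the install consistent with the repo's own guidance.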
@@ -0,0 +1,140 @@ +# Meeting Record - Private Voice Recording & Transcription + +Local voice recording with live Whisper transcription. **All processing happens on your machine - no cloud APIs, no data leaves your computer.** + +## Why This Exists + +Most "AI voice recorders" (Plaud Note knockoffs, etc.) are just microphones that send your audio to cloud servers for processing. You're paying for hardware that: +- Sends your private conversations to unknown servers +- Requires monthly subscriptions after free tier +- May store/analyze your data for training or other purposes +- Stops working if the company shuts down + +**Meeting Record** does the same thing, but locally. Your audio never leaves your machine. + +## Features + +- **Continuous recording** - Full audio backup of entire meeting +- **Live transcription** - See transcripts as you speak (10-second chunks) +- **Final transcription** - High-quality full transcription when you stop +- **100% local** - Uses whisper.cpp, no internet required +- **No subscriptions** - Free forever, you own it + +## Installation + +```bash +./install.sh +``` + +The installer will: +1. Install system dependencies (ffmpeg, pulseaudio-utils, build tools) +2. Clone and build whisper.cpp +3. Download the Whisper model (base.en by default - fast & good) +4. Install the `meeting-record` scripts to `~/bin/` + +### Custom Options + +```bash +# Use different model (tiny, base, small, medium, large) +WHISPER_MODEL=small.en ./install.sh + +# Custom install location +WHISPER_CPP_DIR=/opt/whisper.cpp ./install.sh + +# Custom bin directory +BIN_DIR=/usr/local/bin ./install.sh +``` + +## Usage + +```bash +# Start recording (auto-named with timestamp) +meeting-record + +# Named recording +meeting-record "client-call-acme-corp" + +# 30-second test to verify setup +meeting-record-test +``` + +Press **Ctrl+C** to stop recording. The script will: +1. Stop audio capture +2. Generate a high-quality final transcript +3. 
Show you where all files are saved + +## Output Files + +After recording a meeting named "client-call", you'll find: + +``` +~/Recordings/meetings/client-call/ +├── full-audio.wav # Complete recording (your backup) +├── live-transcript.txt # Real-time chunked transcription +├── final-transcript.txt # High-quality full transcription +├── chunks/ +│ ├── chunk-0000.wav +│ ├── chunk-0001.wav +│ └── ... +└── transcripts/ + ├── chunk-0000.txt + ├── chunk-0001.txt + └── ... +``` + +## Requirements + +- Linux (Debian/Ubuntu/Fedora/Arch) +- PulseAudio or PipeWire (for audio capture) +- ~500MB disk space for whisper.cpp + model + +## Model Options + +| Model | Size | Speed | Quality | Best For | +|-------|------|-------|---------|----------| +| tiny.en | 75MB | Fastest | Basic | Quick notes | +| base.en | 148MB | Fast | Good | **Recommended** | +| small.en | 488MB | Medium | Better | Important meetings | +| medium.en | 1.5GB | Slow | Great | Accuracy-critical | +| large | 3GB | Slowest | Best | Maximum accuracy | + +Change model with: `WHISPER_MODEL=small.en ./install.sh` + +## Troubleshooting + +**"parecord not found"** +```bash +sudo apt install pulseaudio-utils # Debian/Ubuntu +sudo dnf install pulseaudio-utils # Fedora +``` + +**"No audio being captured"** +- Check your default audio source: `pactl list sources` +- Make sure microphone is not muted + +**"whisper-cli not found"** +- The installer should build this. 
If it failed, check cmake output +- You can rebuild: `cd ~/opt/whisper.cpp/build && cmake --build .` + +**"meeting-record: command not found"** +- Add ~/bin to PATH: `export PATH="$HOME/bin:$PATH"` +- Add this to your `~/.bashrc` or `~/.zshrc` + +## Privacy Comparison + +| Feature | Cloud AI Recorders | Meeting Record | +|---------|-------------------|----------------| +| Audio processing | Remote servers | Local only | +| Data storage | Their servers | Your disk | +| Internet required | Yes | No | +| Monthly fees | Usually | Never | +| Works offline | No | Yes | +| You control data | No | Yes | + +## License + +MIT - Do whatever you want with it. + +--- + +*Part of the [Privacy Toolkit](../../README.md) - Tools for digital sovereignty.* diff --git a/tools/meeting-record/install.sh b/tools/meeting-record/install.sh new file mode 100755 index 0000000..138b30b --- /dev/null +++ b/tools/meeting-record/install.sh 
@@ -0,0 +1,485 @@ +#!/bin/bash +set -euo pipefail + +# ============================================================================== +# Meeting Record Installation Script +# ============================================================================== +# Installs meeting-record - Local voice recording with live Whisper transcription +# +# Privacy Model: +# - All audio processing happens locally on YOUR machine +# - Uses whisper.cpp for transcription - no cloud APIs +# - No data leaves your computer, ever +# - Alternative to cloud-based "AI recorders" that harvest your conversations +# +# Features: +# - Continuous audio recording (full backup) +# - Live chunked transcription every 10 seconds +# - Final high-quality transcription on stop +# - Simple CLI interface +# +# Source: PAI (Personal AI Infrastructure) +# ============================================================================== + +# Colors +readonly RED='\033[0;31m' +readonly GREEN='\033[0;32m' +readonly YELLOW='\033[1;33m' +readonly BLUE='\033[0;34m' +readonly NC='\033[0m' + +log() { echo -e "${GREEN}[INFO]${NC} $*"; } +warn() { echo -e "${YELLOW}[WARN]${NC} $*"; } +error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; } +step() { echo -e "${BLUE}[STEP]${NC} $*"; } + +# Configuration +WHISPER_CPP_DIR="${WHISPER_CPP_DIR:-$HOME/opt/whisper.cpp}" +WHISPER_MODEL="${WHISPER_MODEL:-base.en}" +BIN_DIR="${BIN_DIR:-$HOME/bin}" +RECORDINGS_DIR="${RECORDINGS_DIR:-$HOME/Recordings/meetings}" + +# Detect distro +detect_distro() { + if [ -f /etc/os-release ]; then + . /etc/os-release + echo "$ID" + else + error "Cannot detect distribution" + fi +} + +# Install system dependencies +install_dependencies() { + step "Installing system dependencies..." 
+ + DISTRO=$(detect_distro) + + case "$DISTRO" in + debian|ubuntu|pop) + sudo apt-get update + sudo apt-get install -y \ + ffmpeg \ + pulseaudio-utils \ + build-essential \ + git \ + cmake + ;; + fedora) + sudo dnf install -y \ + ffmpeg \ + pulseaudio-utils \ + gcc-c++ \ + git \ + cmake + ;; + arch|manjaro) + sudo pacman -S --noconfirm \ + ffmpeg \ + pulseaudio \ + base-devel \ + git \ + cmake + ;; + *) + warn "Unknown distro: $DISTRO" + warn "Please manually install: ffmpeg, pulseaudio-utils, build-essential, git, cmake" + ;; + esac + + log "System dependencies installed" +} + +# Build whisper.cpp +install_whisper_cpp() { + step "Installing whisper.cpp..." + + if [ -f "$WHISPER_CPP_DIR/build/bin/whisper-cli" ]; then + log "whisper.cpp already installed at $WHISPER_CPP_DIR" + return 0 + fi + + # Clone if not exists + if [ ! -d "$WHISPER_CPP_DIR" ]; then + log "Cloning whisper.cpp..." + mkdir -p "$(dirname "$WHISPER_CPP_DIR")" + git clone https://github.com/ggerganov/whisper.cpp.git "$WHISPER_CPP_DIR" + fi + + cd "$WHISPER_CPP_DIR" + + # Build + log "Building whisper.cpp..." + mkdir -p build + cd build + cmake .. + cmake --build . --config Release -j$(nproc) + + if [ ! -f "$WHISPER_CPP_DIR/build/bin/whisper-cli" ]; then + error "whisper.cpp build failed - whisper-cli not found" + fi + + log "whisper.cpp built successfully" +} + +# Download Whisper model +download_model() { + step "Downloading Whisper model ($WHISPER_MODEL)..." + + MODEL_FILE="$WHISPER_CPP_DIR/models/ggml-${WHISPER_MODEL}.bin" + + if [ -f "$MODEL_FILE" ]; then + log "Model already exists: $MODEL_FILE" + return 0 + fi + + cd "$WHISPER_CPP_DIR" + + # Use the download script + log "Downloading ggml-${WHISPER_MODEL}.bin..." + bash models/download-ggml-model.sh "$WHISPER_MODEL" + + if [ ! -f "$MODEL_FILE" ]; then + error "Model download failed" + fi + + log "Model downloaded: $MODEL_FILE" +} + +# Install meeting-record scripts +install_scripts() { + step "Installing meeting-record scripts..." 
+ + mkdir -p "$BIN_DIR" + mkdir -p "$RECORDINGS_DIR" + + # Get the directory where this install script lives + SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + + # Install meeting-record + cat > "$BIN_DIR/meeting-record" << 'SCRIPT' +#!/usr/bin/env bash +# +# meeting-record - Live meeting recorder with chunked transcription +# +# Usage: +# meeting-record [meeting-name] +# meeting-record "client-call-acme" +# +# Features: +# - Continuous audio recording (full backup) +# - Live chunked transcription every 10 seconds +# - Uses local Whisper models (privacy-respecting) +# - Separates recording from transcription (robust) +# +# Controls: +# - Ctrl+C to stop recording +# + +set -euo pipefail + +# Configuration - adjust paths as needed +WHISPER_BIN="${WHISPER_BIN:-$HOME/opt/whisper.cpp/build/bin/whisper-cli}" +WHISPER_MODEL="${WHISPER_MODEL:-$HOME/opt/whisper.cpp/models/ggml-base.en.bin}" +CHUNK_DURATION=10 # seconds +RECORDINGS_DIR="${RECORDINGS_DIR:-$HOME/Recordings/meetings}" + +# Validate dependencies +command -v parecord >/dev/null 2>&1 || { echo "Error: parecord not found. 
Install pulseaudio-utils"; exit 1; } +command -v ffmpeg >/dev/null 2>&1 || { echo "Error: ffmpeg not found"; exit 1; } +[ -f "$WHISPER_BIN" ] || { echo "Error: whisper-cli not found at $WHISPER_BIN"; exit 1; } +[ -f "$WHISPER_MODEL" ] || { echo "Error: Whisper model not found at $WHISPER_MODEL"; exit 1; } + +# Meeting name from argument or auto-generate +MEETING_NAME="${1:-meeting-$(date +%Y%m%d-%H%M%S)}" +MEETING_DIR="$RECORDINGS_DIR/$MEETING_NAME" + +# Create directory structure +mkdir -p "$MEETING_DIR"/{chunks,transcripts} + +# File paths +FULL_AUDIO="$MEETING_DIR/full-audio.wav" +LIVE_TRANSCRIPT="$MEETING_DIR/live-transcript.txt" +FINAL_TRANSCRIPT="$MEETING_DIR/final-transcript.txt" +PID_FILE="$MEETING_DIR/.recording.pid" +CHUNK_INDEX_FILE="$MEETING_DIR/.chunk_index" + +# Initialize chunk index +echo "0" > "$CHUNK_INDEX_FILE" + +# Cleanup function +cleanup() { + echo "" + echo "Stopping recording..." + + # Kill all child processes + pkill -P $$ 2>/dev/null || true + + # Kill from PID file + if [ -f "$PID_FILE" ]; then + while read -r PID; do + kill "$PID" 2>/dev/null || true + done < "$PID_FILE" + rm -f "$PID_FILE" + fi + + echo "Generating final transcript..." + "$WHISPER_BIN" \ + -m "$WHISPER_MODEL" \ + -f "$FULL_AUDIO" \ + -otxt \ + -of "${FINAL_TRANSCRIPT%.txt}" \ + --language en \ + --threads 4 \ + 2>/dev/null || echo "Warning: Final transcription failed" + + echo "" + echo "Recording complete!" 
+ echo "Location: $MEETING_DIR" + echo "Audio: $FULL_AUDIO" + echo "Live transcript: $LIVE_TRANSCRIPT" + echo "Final transcript: $FINAL_TRANSCRIPT" + + rm -f "$CHUNK_INDEX_FILE" + exit 0 +} + +trap cleanup INT TERM + +# Print header +echo "Meeting Recorder - Live Transcription" +echo "======================================" +echo "Meeting: $MEETING_NAME" +echo "Location: $MEETING_DIR" +echo "Model: $(basename "$WHISPER_MODEL")" +echo "Chunk size: ${CHUNK_DURATION}s" +echo "" +echo "Recording started - Press Ctrl+C to stop" +echo "======================================" +echo "" + +# Start continuous audio recording +parecord \ + --format=s16le \ + --rate=16000 \ + --channels=1 \ + "$FULL_AUDIO" & + +RECORD_PID=$! +echo "$RECORD_PID" > "$PID_FILE" + +# Give recording time to start +sleep 1 + +# Chunk recorder and transcriber loop +while kill -0 $RECORD_PID 2>/dev/null; do + sleep "$CHUNK_DURATION" + + CHUNK_NUM=$(cat "$CHUNK_INDEX_FILE") + CHUNK_FILE="$MEETING_DIR/chunks/chunk-$(printf '%04d' $CHUNK_NUM).wav" + TRANSCRIPT_FILE="$MEETING_DIR/transcripts/chunk-$(printf '%04d' $CHUNK_NUM).txt" + + # Get duration of current recording + DURATION=$(ffprobe -v error -show_entries format=duration -of default=noprint_wrappers=1:nokey=1 "$FULL_AUDIO" 2>/dev/null || echo "0") + + # Handle N/A or invalid duration + if [[ "$DURATION" == "N/A" ]] || [[ ! 
"$DURATION" =~ ^[0-9.]+$ ]]; then + DURATION="0" + fi + + DURATION_INT=${DURATION%.*} + + if [ "$DURATION_INT" -ge "$CHUNK_DURATION" ]; then + START_TIME=$((DURATION_INT - CHUNK_DURATION)) + + # Extract chunk + ffmpeg -ss $START_TIME -i "$FULL_AUDIO" -t $CHUNK_DURATION -c copy "$CHUNK_FILE" -y 2>/dev/null + + # Transcribe chunk in background + ( + "$WHISPER_BIN" \ + -m "$WHISPER_MODEL" \ + -f "$CHUNK_FILE" \ + -otxt \ + -of "$MEETING_DIR/transcripts/chunk-$(printf '%04d' $CHUNK_NUM)" \ + --language en \ + --threads 2 \ + --no-timestamps \ + 2>/dev/null + + if [ -f "$TRANSCRIPT_FILE" ]; then + TIMESTAMP=$(date '+%H:%M:%S') + echo "[$TIMESTAMP] $(cat "$TRANSCRIPT_FILE")" >> "$LIVE_TRANSCRIPT" + echo "[$(date '+%H:%M:%S')] Chunk $CHUNK_NUM transcribed" + fi + ) & + + echo $((CHUNK_NUM + 1)) > "$CHUNK_INDEX_FILE" + fi +done + +cleanup +SCRIPT + + chmod +x "$BIN_DIR/meeting-record" + log "Installed: $BIN_DIR/meeting-record" + + # Install meeting-record-test + cat > "$BIN_DIR/meeting-record-test" << 'SCRIPT' +#!/usr/bin/env bash +# +# meeting-record-test - Test the meeting recorder for 30 seconds +# + +echo "Testing meeting recorder for 30 seconds..." +echo "Please speak during this test so we can verify transcription." +echo "" + +# Start recording in background +meeting-record "test-$(date +%Y%m%d-%H%M%S)" & +TEST_PID=$! + +# Wait 30 seconds +sleep 30 + +# Stop recording +kill -INT $TEST_PID 2>/dev/null + +# Wait for cleanup +wait $TEST_PID 2>/dev/null + +echo "" +echo "Test complete! Check the output above for results." +SCRIPT + + chmod +x "$BIN_DIR/meeting-record-test" + log "Installed: $BIN_DIR/meeting-record-test" +} + +# Update script to use correct paths +update_paths() { + step "Configuring paths..." + + # Update the installed script with correct whisper.cpp path + sed -i "s|\$HOME/opt/whisper.cpp|$WHISPER_CPP_DIR|g" "$BIN_DIR/meeting-record" + + log "Paths configured" +} + +# Verify installation +verify_installation() { + step "Verifying installation..." 
+ + local errors=0 + + # Check whisper-cli + if [ -f "$WHISPER_CPP_DIR/build/bin/whisper-cli" ]; then + log "whisper-cli: OK" + else + warn "whisper-cli: NOT FOUND" + ((errors++)) + fi + + # Check model + if [ -f "$WHISPER_CPP_DIR/models/ggml-${WHISPER_MODEL}.bin" ]; then + log "Whisper model: OK" + else + warn "Whisper model: NOT FOUND" + ((errors++)) + fi + + # Check ffmpeg + if command -v ffmpeg >/dev/null 2>&1; then + log "ffmpeg: OK" + else + warn "ffmpeg: NOT FOUND" + ((errors++)) + fi + + # Check parecord + if command -v parecord >/dev/null 2>&1; then + log "parecord: OK" + else + warn "parecord: NOT FOUND" + ((errors++)) + fi + + # Check scripts + if [ -x "$BIN_DIR/meeting-record" ]; then + log "meeting-record script: OK" + else + warn "meeting-record script: NOT FOUND" + ((errors++)) + fi + + # Check PATH + if echo "$PATH" | grep -q "$BIN_DIR"; then + log "$BIN_DIR in PATH: OK" + else + warn "$BIN_DIR not in PATH - add to your shell config:" + warn " export PATH=\"\$HOME/bin:\$PATH\"" + fi + + if [ $errors -eq 0 ]; then + log "All components verified!" + return 0 + else + warn "$errors component(s) need attention" + return 1 + fi +} + +# Print usage +print_usage() { + echo "" + echo "=== Installation Complete ===" + echo "" + echo "Usage:" + echo " meeting-record # Auto-named recording" + echo " meeting-record \"client-call\" # Named recording" + echo " meeting-record-test # 30-second test" + echo "" + echo "Output files are saved to: $RECORDINGS_DIR//" + echo " - full-audio.wav Complete recording" + echo " - live-transcript.txt Real-time transcription" + echo " - final-transcript.txt High-quality full transcription" + echo "" + echo "Privacy: All processing happens locally. No cloud APIs." 
+ echo "" +} + +# Main +main() { + echo "=== Meeting Record Installation ===" + echo "" + echo "This will install:" + echo " - whisper.cpp (local speech recognition)" + echo " - Whisper model: $WHISPER_MODEL" + echo " - meeting-record scripts" + echo "" + echo "Install location: $WHISPER_CPP_DIR" + echo "Scripts location: $BIN_DIR" + echo "" + + read -p "Continue? [Y/n] " -n 1 -r + echo + if [[ ! $REPLY =~ ^[Yy]?$ ]]; then + echo "Aborted." + exit 0 + fi + + echo "" + + install_dependencies + install_whisper_cpp + download_model + install_scripts + update_paths + + echo "" + verify_installation || true + + print_usage +} + +main "$@" diff --git a/tools/simplex/INSTALL-NOTES.md b/tools/simplex/INSTALL-NOTES.md new file mode 100644 index 0000000..6b265dd --- /dev/null +++ b/tools/simplex/INSTALL-NOTES.md 
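Review bot: The installed `meeting-record` script hardcodes the model file `ggml-base.en.bin`, and `update_paths` only rewrites the `$HOME/opt/whisper.cpp` prefix, so `WHISPER_MODEL=small.en ./install.sh` (the override the README advertises) downloads small.en but the recorder still fails its `[ -f "$WHISPER_MODEL" ]` check looking for base.en. Add a second substitution beside the existing one, `sed -i "s|ggml-base.en.bin|ggml-${WHISPER_MODEL}.bin|g" "$BIN_DIR/meeting-record"`, and note that both `sed` expressions break if `WHISPER_CPP_DIR` contains `|` or `&`; the inner script also reuses the name `WHISPER_MODEL` for a path, so an exported `WHISPER_MODEL=small.en` at run time is taken as a file path. Separately, `install_whisper_cpp` builds an unpinned `git clone` of whisper.cpp and `download_model` then executes `models/download-ggml-model.sh` from that checkout, so checking out a tag or commit would make the build reproducible and reviewable. The `cd` calls inside these functions change the working directory for the rest of `main`, which `install_scripts` tolerates only because it resolves its own location from `BASH_SOURCE`.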
@@ -0,0 +1,70 @@ +# SimpleX Installation Notes + +## ⚠️ Known Issues + +### .deb Package Compatibility Problems + +The official .deb packages (both Ubuntu 22.04 and 24.04) have library compatibility issues: + +**Confirmed broken on:** +- ✗ Debian Trixie (crash: `SIGSEGV in libHSzstd`) +- ✗ Pop!_OS (various library issues) + +**Root cause:** +- Complex dependency chain (Java, Haskell runtime, zstd, VLC libraries) +- Ubuntu-specific library versions +- Native library linking issues + +## ✅ Recommended: AppImage + +**Use the AppImage for ALL installations:** + +```bash +cd ~/github/privacy-toolkit/tools/simplex +./install-appimage.sh +``` + +**Why AppImage works:** +- ✅ Bundles all dependencies +- ✅ No library conflicts +- ✅ Works on all distros +- ✅ Tested on Debian Trixie and Pop!_OS + +## 📦 File Locations + +After AppImage installation: +- **Binary**: `~/.local/bin/SimpleX.AppImage` +- **Desktop Entry**: `~/.local/share/applications/simplex.desktop` +- **Data** (unchanged): `~/.local/share/simplex/` +- **Config** (unchanged): `~/.config/simplex/` + +## 🔄 Migrating from .deb to AppImage + +If you tried the .deb first: + +```bash +# Remove broken .deb +sudo apt remove simplex +sudo rm -rf /opt/simplex + +# Install AppImage +./install-appimage.sh + +# Your data is preserved (lives in ~/.local/share/simplex/) +``` + +## 📝 Testing Notes + +| System | .deb Package | AppImage | +|--------|-------------|----------| +| Debian Trixie (glibc 2.41) | ✗ Crashes | ✅ Works | +| Pop!_OS 22.04 | ✗ Issues | ✅ Works | +| Ubuntu 24.04 native | ? Unknown | ✅ Works | + +**Conclusion**: Always use AppImage for SimpleX. + +--- + +**Last Updated**: 2025-11-12 +**Tested On**: Debian Trixie, Pop!_OS +**Recommendation**: AppImage only diff --git a/tools/simplex/README.md b/tools/simplex/README.md new file mode 100644 index 0000000..d98b49e --- /dev/null +++ b/tools/simplex/README.md 
@@ -0,0 +1,168 @@ +# SimpleX Chat - Private Messaging Without Identifiers + +**The most private messaging app - no phone number, email, or username required** + +## 🎯 Threat Model + +### What Problem Does This Solve? + +Most "encrypted" messaging apps still leak critical metadata: + +- **Phone/Email Linking**: Signal, WhatsApp, Telegram require phone numbers +- **Username Tracking**: Session, Threema use permanent usernames +- **Contact Graph**: Servers know who talks to whom +- **Central Compromise**: Single point of failure if servers are seized + +### How SimpleX is Different + +**No User Identifiers** +- No phone number +- No email address +- No username +- No blockchain address +- **Nothing** that identifies you across connections + +**Each Contact is Isolated** +- Every contact uses different message routing +- Server can't build a social graph +- Compromise of one contact doesn't expose others + +**Decentralized Infrastructure** +- Run your own server or use defaults +- Messages routed through different servers +- Ephemeral message queues (deleted after delivery) + +## 🔐 Privacy Features + +- ✅ End-to-end encryption (Signal Double Ratchet + post-quantum) +- ✅ Perfect forward secrecy +- ✅ No metadata leakage to servers +- ✅ Disappearing messages +- ✅ Incognito mode (temporary identities) +- ✅ Voice/video calls (also E2E encrypted) +- ✅ Group chats (fully decentralized) +- ✅ File sharing (encrypted) + +## 🚀 Installation + +### Debian Trixie (glibc 2.40+) +```bash +cd ~/github/privacy-toolkit +./tools/simplex/install.sh +``` + +The script automatically selects: +- **Ubuntu 24.04 package** for Debian Trixie +- **Ubuntu 22.04 package** for older systems + +### Manual Installation + +Check your glibc version: +```bash +ldd --version | head -1 +``` + +- If glibc ≥ 2.39: Download ubuntu-24-04 package +- If glibc < 2.39: Download ubuntu-22-04 package + +Download from: https://github.com/simplex-chat/simplex-chat/releases/latest + +## 📖 Usage + +### First Launch +1. 
Open SimpleX from application menu +2. Choose "Create new profile" +3. Set display name (not sent to servers!) +4. Optionally set profile image + +### Adding Contacts +1. Click "+" → "Add contact" +2. Share your connection link OR +3. Scan contact's QR code + +**Important**: Each contact gets a unique connection link. You can't be tracked across contacts. + +### Restoring from Backup + +If you have a backup (from `/tmp/restore-simplex.sh`): +1. Launch SimpleX +2. It will automatically detect restored data +3. Verify your contacts appear +4. Database files are at `~/.local/share/simplex/` + +## 🔒 Security Best Practices + +### Message Retention +- Enable disappearing messages for sensitive conversations +- Default: Messages stored locally forever +- Recommendation: 1 week retention for most chats + +### Connection Security +- **Delete old connection links** after contact accepts +- Use **incognito mode** for temporary conversations +- **Verify contact fingerprints** for high-security conversations + +### Server Trust +- Default servers are run by SimpleX team (good reputation) +- For maximum privacy: Run your own SimpleX server +- Or use community servers you trust + +### Backup Your Data +SimpleX stores everything locally: +```bash +~/.local/share/simplex/ # Databases +~/.config/simplex/ # Settings +``` + +**Backup regularly!** If you lose this data, you lose all messages. 
+ +## 🆚 Comparison with Other Apps + +| Feature | SimpleX | Signal | Session | Matrix | +|---------|---------|--------|---------|--------| +| No phone/email | ✅ | ❌ | ✅ | ✅ | +| No username | ✅ | ❌ | ❌ | ❌ | +| No user ID at all | ✅ | ❌ | ❌ | ❌ | +| Decentralized routing | ✅ | ❌ | ✅ | ✅ | +| Contact graph hidden | ✅ | ❌ | ❌ | Partial | +| Post-quantum crypto | ✅ | Partial | ❌ | ❌ | +| Metadata resistance | Excellent | Good | Good | Moderate | + +## 🛠️ Advanced: Run Your Own Server + +For maximum privacy, run your own SimpleX SMP server: + +```bash +# Docker method +docker run -d \ + --name simplex-smp \ + -p 5223:5223 \ + simplexchat/smp-server + +# Configure SimpleX app to use your server +``` + +Instructions: https://github.com/simplex-chat/simplexmq#smp-server + +## 🔗 Resources + +- Official Website: https://simplex.chat/ +- Documentation: https://simplex.chat/docs/ +- GitHub: https://github.com/simplex-chat/simplex-chat +- Security Audit: https://simplex.chat/blog/simplex-chat-v5.8-private-message-routing-chat-themes/ +- Whitepaper: https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md + +## ⚠️ Limitations + +- **No cloud sync**: Messages are device-local only +- **Manual backups**: You must backup yourself +- **Contact management**: Need to share new links for each contact +- **Group limitations**: Decentralized groups have size limits + +**Trade-off**: Maximum privacy requires some inconvenience. SimpleX chooses privacy over convenience. + +--- + +**Maintained by**: SimpleX Chat team +**License**: AGPL-3.0 +**Last Updated**: 2025-11-12 diff --git a/tools/simplex/install-appimage.sh b/tools/simplex/install-appimage.sh new file mode 100755 index 0000000..34e82d2 --- /dev/null +++ b/tools/simplex/install-appimage.sh 
@@ -0,0 +1,107 @@
+#!/bin/bash
+set -euo pipefail
+
+# ==============================================================================
+# SimpleX AppImage Installation (Recommended for Debian Trixie)
+# ==============================================================================
+
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+log() { echo -e "${GREEN}[INFO]${NC} $*"; }
+warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
+error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
+
+echo "=== SimpleX AppImage Installation ==="
+echo ""
+
+log "Fetching latest release info..."
+LATEST_RELEASE=$(curl -s https://api.github.com/repos/simplex-chat/simplex-chat/releases/latest)
+
+# Get AppImage URL
+APPIMAGE_URL=$(echo "$LATEST_RELEASE" | jq -r '.assets[] | select(.name == "simplex-desktop-x86_64.AppImage") | .browser_download_url')
+
+# Get SHA256 checksum URL
+CHECKSUM_URL=$(echo "$LATEST_RELEASE" | jq -r '.assets[] | select(.name == "simplex-desktop-x86_64.AppImage.sha256sum") | .browser_download_url')
+
+if [ -z "$APPIMAGE_URL" ]; then
+ error "Could not find AppImage in latest release"
+fi
+
+VERSION=$(echo "$LATEST_RELEASE" | jq -r '.tag_name')
+log "Latest version: $VERSION"
+log "AppImage URL: $APPIMAGE_URL"
+
+# Download AppImage
+log "Downloading SimpleX AppImage..."
+mkdir -p ~/.local/bin
+cd /tmp
+wget --show-progress -O SimpleX.AppImage "$APPIMAGE_URL"
+
+# Download and verify checksum
+if [ -n "$CHECKSUM_URL" ]; then
+ log "Downloading checksum..."
+ wget -q -O SimpleX.AppImage.sha256sum "$CHECKSUM_URL"
+
+ log "Verifying checksum..."
+ if sha256sum -c SimpleX.AppImage.sha256sum 2>&1 | grep -q "OK"; then
+ log "✅ Checksum verified"
+ else
+ error "Checksum verification failed! Download may be corrupted or compromised."
+ fi
+
+ rm SimpleX.AppImage.sha256sum
+else
+ warn "⚠️ No checksum file found - skipping verification"
+ warn "This is less secure. Continue anyway? [y/N]"
+ read -n 1 -r
+ echo
+ if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+ log "Installation cancelled"
+ rm SimpleX.AppImage
+ exit 0
+ fi
+fi
+
+# Install to ~/.local/bin
+log "Installing to ~/.local/bin..."
+mv SimpleX.AppImage ~/.local/bin/
+chmod +x ~/.local/bin/SimpleX.AppImage
+
+# Create simplex symlink for easier CLI access
+log "Creating 'simplex' symlink..."
+ln -sf ~/.local/bin/SimpleX.AppImage ~/.local/bin/simplex
+
+# Create desktop entry
+log "Creating desktop entry..."
+mkdir -p ~/.local/share/applications
+cat > ~/.local/share/applications/simplex.desktop << DESKTOP
+[Desktop Entry]
+Name=SimpleX
+Comment=Private messaging without identifiers
+Exec=$HOME/.local/bin/SimpleX.AppImage
+Icon=simplex
+Type=Application
+Categories=Network;Chat;
+DESKTOP
+
+log "✅ SimpleX installed successfully!"
+echo ""
+echo "=== Installation Complete ==="
+echo ""
+echo "Launch from:"
+echo " • Application menu: 'SimpleX'"
+echo " • Terminal: simplex"
+echo " • Or: ~/.local/bin/SimpleX.AppImage"
+echo ""
+echo "Your restored data:"
+echo " ~/.local/share/simplex/ (messages, contacts)"
+echo " ~/.config/simplex/ (settings)"
+echo ""
+echo "First launch:"
+echo " SimpleX should automatically detect your restored data"
+echo " Verify your contacts and messages appear"
+echo ""
+echo "📖 Documentation: https://simplex.chat/docs/"
diff --git a/tools/simplex/install.sh b/tools/simplex/install.sh
new file mode 100755
index 0000000..3f8daeb
--- /dev/null
+++ b/tools/simplex/install.sh
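Review bot: The checksum verification probably can never succeed as written: the AppImage is saved as `SimpleX.AppImage`, but a `.sha256sum` asset in the usual `sha256sum` format names the release file `simplex-desktop-x86_64.AppImage`, so `sha256sum -c` reports that file as missing (I cannot see the asset's contents, so confirm against a real release). Save the download under the asset's own name, `wget --show-progress -O simplex-desktop-x86_64.AppImage "$APPIMAGE_URL"`, rename on install, and replace the `grep -q "OK"` pipeline, which discards sha256sum's exit status and matches any line containing OK, with `if sha256sum -c --status simplex-desktop-x86_64.AppImage.sha256sum; then`. Downloading to fixed names in shared `/tmp` is also avoidable: `workdir=$(mktemp -d)`, `trap 'rm -rf -- "$workdir"' EXIT`, `cd "$workdir"`. Because the checksum comes from the same GitHub release as the binary, it detects a corrupted transfer rather than a tampered release, which is worth saying in the `error` and `warn` messages; `curl -s` without `-f` additionally turns an API error page into an empty `APPIMAGE_URL` that is then reported as a missing asset.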
@@ -0,0 +1,107 @@
+#!/bin/bash
+set -euo pipefail
+
+# ==============================================================================
+# SimpleX Installation Script
+# ==============================================================================
+# Installs SimpleX Chat - E2E encrypted messaging without identifiers
+#
+# Threat Model:
+# - Phone number linking (Signal, WhatsApp require phone)
+# - Metadata correlation (most messengers link messages to identities)
+# - Central server compromise (centralized messengers)
+# - Contact graph analysis (who talks to whom)
+#
+# How SimpleX Protects:
+# - No user identifiers (no phone, email, username)
+# - Decentralized message routing
+# - Ephemeral message queues
+# - Perfect forward secrecy
+# - No contact graph (each contact uses different routing)
+#
+# Source: https://simplex.chat/
+# ==============================================================================
+
+# Colors
+readonly GREEN='\033[0;32m'
+readonly YELLOW='\033[1;33m'
+readonly BLUE='\033[0;34m'
+readonly RED='\033[0;31m'
+readonly NC='\033[0m'
+
+log() { echo -e "${GREEN}[INFO]${NC} $*"; }
+warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
+error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
+
+echo "=== SimpleX Chat Installation ==="
+echo ""
+
+# Detect system
+log "Detecting system..."
+GLIBC_VERSION=$(ldd --version | head -1 | awk '{print $NF}')
+DEBIAN_VERSION=$(cat /etc/debian_version 2>/dev/null || echo "unknown")
+
+log "System info:"
+log " Debian: $DEBIAN_VERSION"
+log " glibc: $GLIBC_VERSION"
+echo ""
+
+# Determine which package to use
+if [[ "$DEBIAN_VERSION" == "13"* ]] || [[ "$GLIBC_VERSION" > "2.39" ]]; then
+ PACKAGE_VERSION="24-04"
+ log "✅ Debian Trixie detected - using Ubuntu 24.04 package"
+else
+ PACKAGE_VERSION="22-04"
+ warn "Older Debian/Ubuntu detected - using Ubuntu 22.04 package"
+fi
+
+echo ""
+log "Fetching latest SimpleX release..."
+LATEST_RELEASE=$(curl -s https://api.github.com/repos/simplex-chat/simplex-chat/releases/latest)
+VERSION=$(echo "$LATEST_RELEASE" | jq -r '.tag_name')
+
+if [ -z "$VERSION" ] || [ "$VERSION" = "null" ]; then
+ error "Could not fetch latest version"
+fi
+
+log "Latest version: $VERSION"
+
+# Construct download URL
+PACKAGE_NAME="simplex-desktop-x86_64-ubuntu-${PACKAGE_VERSION}.deb"
+DOWNLOAD_URL="https://github.com/simplex-chat/simplex-chat/releases/download/${VERSION}/${PACKAGE_NAME}"
+
+log "Download URL: $DOWNLOAD_URL"
+echo ""
+
+# Download
+log "Downloading SimpleX Desktop..."
+cd /tmp
+wget -O simplex-desktop.deb "$DOWNLOAD_URL"
+
+# Install
+log "Installing SimpleX Desktop..."
+sudo apt install -y ./simplex-desktop.deb
+
+# Cleanup
+rm simplex-desktop.deb
+
+log "✅ SimpleX installed successfully!"
+
+echo ""
+echo "=== Installation Complete ==="
+echo ""
+echo "Usage:"
+echo " 1. Launch 'SimpleX' from application menu"
+echo " 2. Create new profile OR restore from backup"
+echo " 3. Share your connection link with contacts"
+echo " 4. No phone number, email, or username required!"
+echo ""
+echo "Key Features:"
+echo " • No user identifiers - truly anonymous"
+echo " • Each contact uses different routing"
+echo " • Decentralized message queues"
+echo " • Perfect forward secrecy"
+echo " • Disappearing messages"
+echo ""
+echo "📖 Documentation: https://simplex.chat/docs/"
+echo "🔒 Security: https://simplex.chat/blog/simplex-chat-v5-6-quantum-resistance-signal-double-ratchet-algorithm/"
diff --git a/tools/veracrypt/install.sh b/tools/veracrypt/install.sh
new file mode 100755
index 0000000..b373ab4
--- /dev/null
+++ b/tools/veracrypt/install.sh
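Review bot: The `.deb` written to `/tmp/simplex-desktop.deb` is passed straight to `sudo apt install -y` with no integrity check, while the sibling `install-appimage.sh` in this same commit fetches and checks a `.sha256sum` asset before installing, so the two installers give root to downloads under different standards. If the release publishes a checksum for `${PACKAGE_NAME}` as it does for the AppImage (not visible here; check the asset list), fetch it alongside and gate the install on `sha256sum -c --status`, and otherwise fail closed rather than proceeding silently. The fixed filename in shared `/tmp` should also give way to `cd "$(mktemp -d)"`, since `wget -O` overwrites whatever already sits at that path and follows a symlink planted there. `[[ "$GLIBC_VERSION" > "2.39" ]]` is a lexical comparison that happens to work for `2.40`/`2.41` but would misorder a three-digit minor; comparing with `sort -V` or splitting on `.` is more robust.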
@@ -0,0 +1,109 @@
+#!/bin/bash
+set -euo pipefail
+
+# ==============================================================================
+# VeraCrypt Installation Script
+# ==============================================================================
+# Installs VeraCrypt - Full disk encryption and encrypted containers
+#
+# Threat Model:
+# - Physical device theft (laptop, USB drive)
+# - Data at rest without protection
+# - Border crossing device searches
+# - Forensic analysis of seized devices
+#
+# How VeraCrypt Protects:
+# - Full disk encryption (entire drive encrypted)
+# - Encrypted containers (virtual encrypted disks)
+# - Plausible deniability (hidden volumes)
+# - Multiple encryption algorithms
+# - Pre-boot authentication
+#
+# Source: https://veracrypt.fr/
+# ==============================================================================
+
+# Colors
+readonly GREEN='\033[0;32m'
+readonly YELLOW='\033[1;33m'
+readonly RED='\033[0;31m'
+readonly NC='\033[0m'
+
+log() { echo -e "${GREEN}[INFO]${NC} $*"; }
+warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
+error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
+
+echo "=== VeraCrypt Installation ==="
+echo ""
+
+# Detect architecture
+ARCH=$(uname -m)
+if [ "$ARCH" = "x86_64" ]; then
+ ARCH_SUFFIX="amd64"
+else
+ error "Unsupported architecture: $ARCH (only x86_64 supported)"
+fi
+
+log "Fetching latest VeraCrypt version..."
+
+# Get latest version from SourceForge (VeraCrypt's official host)
+# Note: This is simplified - you may want to hardcode a version for stability
+LATEST_VERSION="1.26.7" # Update this manually for stability
+warn "Using VeraCrypt version $LATEST_VERSION"
+
+# Construct download URL
+BASE_URL="https://launchpad.net/veracrypt/trunk/${LATEST_VERSION}/+download"
+DEB_FILE="veracrypt-${LATEST_VERSION}-Debian-12-${ARCH_SUFFIX}.deb"
+DOWNLOAD_URL="${BASE_URL}/${DEB_FILE}"
+
+log "Download URL: $DOWNLOAD_URL"
+echo ""
+warn "⚠️ IMPORTANT: You should verify the PGP signature!"
+warn "Official instructions: https://veracrypt.fr/en/Digital%20Signatures.html"
+echo ""
+read -p "Continue with installation? [y/N] " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+ log "Installation cancelled"
+ exit 0
+fi
+
+log "Downloading VeraCrypt..."
+cd /tmp
+wget -O veracrypt.deb "$DOWNLOAD_URL"
+
+log "Installing VeraCrypt..."
+sudo apt install -y ./veracrypt.deb
+
+rm veracrypt.deb
+
+log "✅ VeraCrypt installed successfully!"
+
+echo ""
+echo "=== Installation Complete ==="
+echo ""
+echo "Usage:"
+echo ""
+echo " GUI:"
+echo " veracrypt"
+echo ""
+echo " Create encrypted container:"
+echo " 1. Launch VeraCrypt"
+echo " 2. Click 'Create Volume'"
+echo " 3. Choose 'Create an encrypted file container'"
+echo " 4. Follow wizard"
+echo ""
+echo " Mount existing container:"
+echo " 1. Launch VeraCrypt"
+echo " 2. Select slot (1-20)"
+echo " 3. Click 'Select File'"
+echo " 4. Choose your .vc file"
+echo " 5. Click 'Mount'"
+echo " 6. Enter password"
+echo ""
+echo "⚠️ Security Tips:"
+echo " - Use strong passwords (20+ characters)"
+echo " - Store backup of volume header"
+echo " - Never forget your password (no recovery!)"
+echo " - Unmount before shutdown/sleep"
+echo ""
+echo "📖 Documentation: https://veracrypt.fr/en/Documentation.html"
diff --git a/tools/yubico/README.md b/tools/yubico/README.md
new file mode 100644
index 0000000..fdcb261
--- /dev/null
+++ b/tools/yubico/README.md
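Review bot: The script warns that the PGP signature should be verified and then runs `sudo apt install -y ./veracrypt.deb` on the unverified download anyway, so the warning changes nothing about what is installed as root. VeraCrypt publishes a detached signature next to each Launchpad package as far as I know, so the practical fix is `wget -O veracrypt.deb.sig "${DOWNLOAD_URL}.sig"` followed by `gpg --verify veracrypt.deb.sig veracrypt.deb || error "Signature verification failed"`, with the release key imported from the signatures page already linked in the `warn` line rather than a fingerprint hardcoded from memory. `LATEST_VERSION` is a fixed `1.26.7` under a stale comment about SourceForge and a `log "Fetching latest VeraCrypt version..."` message, so both the name and the message mislead; `VERACRYPT_VERSION="${VERACRYPT_VERSION:-1.26.7}"` says what it is and lets the caller override it. The fixed `/tmp/veracrypt.deb` path has the same shared-temp exposure as the other installers in this commit and is fixed the same way with `mktemp -d`.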
@@ -0,0 +1,129 @@ +# Yubico Tools Suite + +Hardware security key management and authentication tools for YubiKey. + +## What's Included + +| Tool | Purpose | +|------|---------| +| **YubiKey Manager** | GUI to configure YubiKey settings, FIDO2 PIN, OTP slots, PIV | +| **Yubico Authenticator** | TOTP/HOTP authenticator using YubiKey hardware | +| **yubico-piv-tool** | Command-line PIV/Smart Card operations | + +## Threat Model + +**Protects Against:** +- Phishing attacks (FIDO2/WebAuthn is phishing-resistant) +- TOTP code theft from compromised phone +- Password-only authentication weaknesses +- Remote key extraction (keys never leave hardware) + +**Use Cases:** +- 2FA for online accounts (GitHub, Google, AWS, etc.) +- Password-less authentication via FIDO2 +- SSH authentication with hardware keys +- Code signing with PIV certificates + +## Installation + +```bash +./install.sh +``` + +This will: +1. Install system dependencies (pcscd, smart card libs) +2. Download and install YubiKey Manager AppImage +3. Download and extract Yubico Authenticator +4. Download and extract yubico-piv-tool +5. Create launch scripts in ~/bin/ +6. 
Create .desktop entries for app menu + +## Dependencies + +Installed automatically: +- `pcscd` - PC/SC smart card daemon +- `libpcsclite1` - Smart card library +- `libccid` - CCID driver for smart cards +- `libfuse2` - Required for AppImages +- `libu2f-udev` - udev rules for U2F devices + +## Usage + +### YubiKey Manager +```bash +yubikey-manager +# or +~/opt/yubico/yubikey-manager.AppImage +``` + +Configure: +- FIDO2 PIN +- OTP slots (Yubico OTP, static password, HOTP, Challenge-Response) +- PIV certificates and PINs +- Reset YubiKey to factory settings + +### Yubico Authenticator +```bash +yubico-auth +# or +~/opt/yubico/authenticator/authenticator +``` + +Features: +- Scan QR codes to add TOTP/HOTP accounts +- Codes stored on YubiKey (not on computer) +- Touch YubiKey to reveal codes +- Works across devices (codes travel with YubiKey) + +### yubico-piv-tool +```bash +~/opt/yubico/piv-tool/bin/yubico-piv-tool --help + +# Generate key in slot 9a +yubico-piv-tool -a generate -s 9a -A RSA2048 + +# Import certificate +yubico-piv-tool -a import-certificate -s 9a -i cert.pem +``` + +## Security Best Practices + +1. **Set a strong FIDO2 PIN** - Required for WebAuthn +2. **Set PIV PINs** - Default is 123456, change immediately +3. **Keep backup keys** - Have a second YubiKey registered +4. **Store recovery codes** - For accounts using YubiKey 2FA +5. 
**Use touch requirement** - Enable touch for TOTP generation + +## Troubleshooting + +### YubiKey not detected +```bash +# Check pcscd service +sudo systemctl status pcscd + +# Restart pcscd +sudo systemctl restart pcscd + +# Check USB +lsusb | grep -i yubico +``` + +### Permission issues +```bash +# Add user to plugdev group +sudo usermod -aG plugdev $USER +# Log out and back in +``` + +### AppImage won't run +```bash +# Ensure libfuse2 is installed +sudo apt install libfuse2 +``` + +## Resources + +- [YubiKey Manager docs](https://docs.yubico.com/software/yubikey/tools/ykman/) +- [Yubico Authenticator docs](https://docs.yubico.com/yesdk/users-manual/application-oath/authenticator.html) +- [PIV Tool docs](https://developers.yubico.com/yubico-piv-tool/) +- [YubiKey Setup Guide](https://support.yubico.com/hc/en-us/articles/360013714479) diff --git a/tools/yubico/install.sh b/tools/yubico/install.sh new file mode 100755 index 0000000..474d36a --- /dev/null +++ b/tools/yubico/install.sh 
@@ -0,0 +1,238 @@
+#!/bin/bash
+set -euo pipefail
+
+# ==============================================================================
+# Yubico Tools Installation Script
+# ==============================================================================
+# Installs the Yubico suite for YubiKey management and authentication
+#
+# Tools Installed:
+# - YubiKey Manager (GUI) - Configure YubiKey settings, PINs, FIDO2, etc.
+# - Yubico Authenticator - TOTP/HOTP authenticator using YubiKey
+# - yubico-piv-tool - PIV (smart card) functionality
+#
+# Threat Model:
+# - Phishing-resistant 2FA with hardware tokens
+# - Password-less authentication via FIDO2/WebAuthn
+# - Hardware-backed TOTP codes (can't be stolen from phone)
+# - PIV/Smart card authentication for SSH, code signing
+#
+# Source: https://developers.yubico.com/
+# ==============================================================================
+
+# Colors
+readonly GREEN='\033[0;32m'
+readonly YELLOW='\033[1;33m'
+readonly RED='\033[0;31m'
+readonly BLUE='\033[0;34m'
+readonly NC='\033[0m'
+
+log() { echo -e "${GREEN}[INFO]${NC} $*"; }
+warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
+error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
+header() { echo -e "${BLUE}=== $* ===${NC}"; }
+
+INSTALL_DIR="${HOME}/opt/yubico"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+header "Yubico Tools Installation"
+echo ""
+echo "This script will install:"
+echo " 1. YubiKey Manager Qt (AppImage)"
+echo " 2. Yubico Authenticator (for TOTP/HOTP)"
+echo " 3. yubico-piv-tool (PIV/Smart Card support)"
+echo ""
+echo "Install location: $INSTALL_DIR"
+echo ""
+read -p "Continue? 
[Y/n]: " confirm
+[[ "${confirm:-Y}" =~ ^[Nn] ]] && exit 0
+
+# ==============================================================================
+# Install Dependencies
+# ==============================================================================
+header "Installing Dependencies"
+
+log "Installing system packages for smart card and YubiKey support..."
+sudo apt update
+sudo apt install -y \
+ pcscd \
+ libpcsclite1 \
+ libpcsclite-dev \
+ swig \
+ libccid \
+ libfuse2 \
+ libu2f-udev \
+ yubikey-personalization \
+ python3-pip \
+ python3-venv \
+ qtwayland5 \
+ libqt5waylandclient5
+
+# Start pcscd service
+log "Enabling pcscd service..."
+sudo systemctl enable pcscd
+sudo systemctl start pcscd
+
+# ==============================================================================
+# Create Install Directory
+# ==============================================================================
+mkdir -p "$INSTALL_DIR"
+cd "$INSTALL_DIR"
+
+# ==============================================================================
+# Install YubiKey Manager Qt (AppImage)
+# ==============================================================================
+header "Installing YubiKey Manager Qt"
+
+MANAGER_URL="https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-linux.AppImage"
+log "Downloading from: $MANAGER_URL"
+
+curl -L -o yubikey-manager.AppImage "$MANAGER_URL"
+chmod +x yubikey-manager.AppImage
+
+# Create desktop entry
+log "Creating desktop entry..." 
+mkdir -p ~/.local/share/applications
+cat > ~/.local/share/applications/yubikey-manager.desktop << EOF
+[Desktop Entry]
+Name=YubiKey Manager
+Comment=Configure your YubiKey
+Exec=env QT_QPA_PLATFORM=xcb ${INSTALL_DIR}/yubikey-manager.AppImage
+Icon=yubikey-manager
+Type=Application
+Categories=Utility;Security;
+Terminal=false
+EOF
+
+log "✅ YubiKey Manager installed"
+
+# ==============================================================================
+# Install Yubico Authenticator
+# ==============================================================================
+header "Installing Yubico Authenticator"
+
+AUTH_URL="https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz"
+log "Downloading from: $AUTH_URL"
+
+curl -L -o yubico-authenticator.tar.gz "$AUTH_URL"
+tar -xzf yubico-authenticator.tar.gz
+rm yubico-authenticator.tar.gz
+
+# Find extracted directory (version varies)
+AUTH_DIR=$(find . -maxdepth 1 -type d -name "yubico-authenticator*" | head -1)
+if [ -n "$AUTH_DIR" ]; then
+ mv "$AUTH_DIR" authenticator
+
+ # Create desktop entry
+ cat > ~/.local/share/applications/yubico-authenticator.desktop << EOF
+[Desktop Entry]
+Name=Yubico Authenticator
+Comment=TOTP/HOTP authenticator for YubiKey
+Exec=${INSTALL_DIR}/authenticator/authenticator
+Icon=yubico-authenticator
+Type=Application
+Categories=Utility;Security;
+Terminal=false
+EOF
+
+ log "✅ Yubico Authenticator installed"
+else
+ warn "Could not find authenticator directory after extraction"
+fi
+
+# ==============================================================================
+# Install yubico-piv-tool
+# ==============================================================================
+header "Installing yubico-piv-tool"
+
+PIV_URL="https://developers.yubico.com/yubico-piv-tool/Releases/yubico-piv-tool-latest.tar.gz"
+log "Downloading from: $PIV_URL"
+
+curl -L -o yubico-piv-tool.tar.gz "$PIV_URL"
+tar -xzf yubico-piv-tool.tar.gz
+rm yubico-piv-tool.tar.gz
+
+# 
Find extracted directory
+PIV_DIR=$(find . -maxdepth 1 -type d -name "yubico-piv-tool*" | head -1)
+if [ -n "$PIV_DIR" ]; then
+ mv "$PIV_DIR" piv-tool
+
+ # Add to PATH hint
+ log "piv-tool binaries at: ${INSTALL_DIR}/piv-tool/bin/"
+ log "✅ yubico-piv-tool installed"
+else
+ warn "Could not find piv-tool directory after extraction"
+fi
+
+# ==============================================================================
+# Create launch scripts
+# ==============================================================================
+header "Creating Launch Scripts"
+
+mkdir -p ~/bin
+
+# YubiKey Manager launcher (use xcb backend for Wayland compatibility)
+cat > ~/bin/yubikey-manager << EOF
+#!/bin/bash
+# Use xcb (X11) backend - more reliable than Wayland for this AppImage
+export QT_QPA_PLATFORM=xcb
+exec ${INSTALL_DIR}/yubikey-manager.AppImage "\$@"
+EOF
+chmod +x ~/bin/yubikey-manager
+
+# Yubico Authenticator launcher
+cat > ~/bin/yubico-auth << EOF
+#!/bin/bash
+exec ${INSTALL_DIR}/authenticator/authenticator "\$@"
+EOF
+chmod +x ~/bin/yubico-auth
+
+log "✅ Launch scripts created in ~/bin/"
+
+# ==============================================================================
+# Verify Installation
+# ==============================================================================
+header "Verifying Installation"
+
+echo ""
+echo "Installed components:"
+[ -f "$INSTALL_DIR/yubikey-manager.AppImage" ] && echo " ✅ YubiKey Manager AppImage" || echo " ❌ YubiKey Manager"
+[ -d "$INSTALL_DIR/authenticator" ] && echo " ✅ Yubico Authenticator" || echo " ❌ Yubico Authenticator"
+[ -d "$INSTALL_DIR/piv-tool" ] && echo " ✅ yubico-piv-tool" || echo " ❌ yubico-piv-tool"
+systemctl is-active --quiet pcscd && echo " ✅ pcscd service running" || echo " ⚠️ pcscd service not running"
+
+# Check for YubiKey
+echo ""
+log "Checking for connected YubiKey..."
+if lsusb | grep -qi "yubico\|yubikey"; then
+ echo " ✅ YubiKey detected!" 
+ lsusb | grep -i "yubico\|yubikey"
+else
+ warn "No YubiKey detected. Plug one in to use the tools."
+fi
+
+# ==============================================================================
+# Usage Instructions
+# ==============================================================================
+echo ""
+header "Installation Complete"
+echo ""
+echo "Usage:"
+echo " yubikey-manager - Launch YubiKey Manager GUI"
+echo " yubico-auth - Launch Yubico Authenticator"
+echo ""
+echo "YubiKey Manager can:"
+echo " - Reset and configure YubiKey"
+echo " - Manage FIDO2 PIN"
+echo " - Configure OTP slots"
+echo " - Manage PIV certificates"
+echo ""
+echo "Yubico Authenticator:"
+echo " - Store TOTP/HOTP codes on YubiKey"
+echo " - Codes stored in hardware (phishing-resistant)"
+echo " - Scan QR codes to add accounts"
+echo ""
+echo "PIV Tool (command line):"
+echo " ${INSTALL_DIR}/piv-tool/bin/yubico-piv-tool --help"
+echo ""
+echo "📖 Documentation: https://developers.yubico.com/"
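Review bot: The three downloads in this hunk (`curl -L -o yubikey-manager.AppImage "$MANAGER_URL"` and the matching AUTH_URL and PIV_URL lines) fetch unpinned `-latest-` artifacts and neither fail on an HTTP error nor verify what was received, so a 404 page or a tampered file would be `chmod +x`'d or `tar -xzf`'d as if it were the tool, and the script still reports "✅ … installed" afterwards. At minimum each should be `curl -fsSL --proto '=https' --tlsv1.2 -o <file> "$URL"` so a non-2xx response aborts under `set -e`. Yubico's release pages on developers.yubico.com appear to publish detached `.sig` files next to these artifacts; fetching the matching signature and checking it with `gpg --verify` against the Yubico release key before the `chmod +x`/`tar -xzf` step, and pinning a version plus a known checksum instead of `latest`, would make the install both verified and reproducible. Separately, `read -p "Continue? [Y/n]: " confirm` should be `read -rp "Continue? [Y/n]: " confirm`, and `error()` and `SCRIPT_DIR` are defined but never used.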