initial commit

.github/workflows/release.yml

@@ -0,0 +1,72 @@
+name: Release
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Setup Bun
+      uses: oven-sh/setup-bun@v1
+      with:
+        bun-version: latest
+
+    - name: Install dependencies
+      run: bun install
+
+    - name: Compile for all platforms
+      run: bun run compile:all
+
+    - name: Upload Windows Asset
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./dist/bridge-executable-win.exe
+        asset_name: bridge-executable-win.exe
+        asset_content_type: application/octet-stream
+
+    - name: Upload macOS Intel Asset
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./dist/bridge-executable-mac-intel
+        asset_name: bridge-executable-mac-intel
+        asset_content_type: application/octet-stream
+
+    - name: Upload macOS ARM Asset
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./dist/bridge-executable-mac-arm
+        asset_name: bridge-executable-mac-arm
+        asset_content_type: application/octet-stream
+
+    - name: Upload Linux x64 Asset
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./dist/bridge-executable-linux
+        asset_name: bridge-executable-linux
+        asset_content_type: application/octet-stream
+
+    - name: Upload Linux ARM Asset
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./dist/bridge-executable-linux-arm
+        asset_name: bridge-executable-linux-arm
+        asset_content_type: application/octet-stream

.gitignore

@@ -0,0 +1,4 @@
+node_modules
+bunfig_bak.toml
+dist
+.*.bun-build

.npmrc

@@ -0,0 +1 @@
+registry=https://registry.npmjs.org/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Unchained
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,33 @@
+# GPG-BRIDGE
+
+A WebSocket server executing GPG commands via the GPG CLI based on incoming requests.
+
+# How to run
+
+- Install dependencies: `bun i`
+- If you have a custom npm registry configured, you might need to do
+
+```
+export NPM_CONFIG_REGISTRY=https://registry.npmjs.org/
+bun install
+```
+
+- Run the server `bun dev`
+
+Now you can curl it
+
+```bash
+echo '{"command": "sign", "message": "SGVsbG8sIHdvcmxkIQ==", "fingerprint": "YOUR_GPG_KEY_FINGERPRINT"}' | websocat ws://localhost:5151
+```
+
+# How to compile for "prod" into single-executable.
+
+`bun compile`
+
+This will create a single executable in the `dist` folder for the specific platform you're running on.
+
+## TODO
+
+- Should show itself in the system tray.
+- installable without hassble.
+- configure what key you're signing with.

bunfig.toml

@@ -0,0 +1,2 @@
+[install]
+registry = "https://registry.npmjs.org"

index.ts

@@ -0,0 +1,195 @@
+import { config } from "dotenv";
+config();
+import { serve, $, type ServerWebSocket } from "bun";
+import { z } from "zod";
+import kill from "kill-port";
+
+const GpgKeySchema = z.object({
+  fingerprint: z.string(),
+  uid: z.string(),
+  pubkey: z.string(),
+});
+
+const OutboundPayloadSchema = z.object({
+  message: z.string().optional(),
+  communication: z.string(),
+  signature: z.string().optional(),
+  error: z.string().optional(),
+  gpgkeys: z.array(GpgKeySchema).optional(),
+});
+
+type OutboundPayload = z.infer<typeof OutboundPayloadSchema>;
+
+const InboundPayloadSchema = z.object({
+  command: z.enum(["sign", "getkeys"]),
+  message: z.string().optional(),
+  fingerprint: z.string().optional(),
+});
+
+type InboundPayload = z.infer<typeof InboundPayloadSchema>;
+
+type GpgKey = z.infer<typeof GpgKeySchema>;
+
+// main
+async function main() {
+  // kill anything on port 5151 first
+  await kill(5151)
+    .then((dump: any) =>
+      console.log(
+        "Something was running on port 5151 - killed it, proceeding..."
+      )
+    )
+    .catch((e: Error) => {
+      console.log("Port 5151 was already free - proceeding...");
+    })
+    .finally(() => {
+      // Start server
+      serve({
+        port: 5151, // TODO: Use process.env.PORT to make configurable?
+        fetch(req: Request, server: any): Response | void {
+          // Upgrade the request to a WebSocket
+          if (server.upgrade(req)) {
+            return;
+          }
+          return new Response("Upgrade failed :(", { status: 500 });
+        },
+        websocket: {
+          open(ws: ServerWebSocket<unknown>) {
+            console.log("WebSocket connection opened.");
+          },
+          message(ws: ServerWebSocket<unknown>, payload: string) {
+            console.log("Received message from client:", payload);
+
+            try {
+              const parsedPayload: InboundPayload = InboundPayloadSchema.parse(
+                JSON.parse(payload)
+              );
+
+              if (parsedPayload.command === "sign") {
+                handleSignRequest(
+                  ws,
+                  parsedPayload.message,
+                  parsedPayload.fingerprint
+                );
+              } else if (parsedPayload.command === "getkeys") {
+                handleGetGpgPubKeys(ws);
+              } else {
+                sendMessage(ws, { communication: "Unknown command." });
+              }
+            } catch (error) {
+              sendMessage(ws, { communication: "Invalid payload." });
+            }
+          },
+          close(ws: ServerWebSocket<unknown>, code: number, message: string) {
+            console.log(
+              `WebSocket connection closed. Code: ${code}, Reason: ${message}`
+            );
+          },
+        },
+      });
+      console.log(`WebSocket server running at ws://localhost:5151`);
+    });
+}
+
+// ============== Helpers
+
+async function handleSignRequest(ws, messageToSign, fingerprint) {
+  try {
+    // Decode the message from base64 - we just assume all messages are base64 on arrival
+    const decodedMessage = Buffer.from(messageToSign, "base64");
+
+    // Example: Temporarily write message to a file for GPG to sign
+    const tempFilePath = `/tmp/message.txt`;
+    Bun.write(tempFilePath, decodedMessage);
+
+    // Notify the client about the signing process
+    sendMessage(ws, {
+      communication: "Signing process started. Please touch your YubiKey.",
+    });
+
+    // Execute the GPG command to sign the message
+    const signCommand = $`gpg --sign --detach-sign --armor --local-user ${fingerprint} --output - --no-tty ${tempFilePath}`;
+    const { stdout, stderr, exitCode } = await signCommand;
+
+    // Clean up the temporary file
+    await $`rm ${tempFilePath}`;
+
+    if (exitCode === 0) {
+      // Signing success, notify the client and send the signed message
+      sendMessage(ws, {
+        communication: "Message has been signed successfully.",
+        message: messageToSign,
+        signature: stdout.toString(),
+      });
+    } else {
+      // Notify the client if signing fails
+      sendMessage(ws, { communication: "Signing process failed." });
+      sendMessage(ws, {
+        communication: "Signing failed",
+        error: JSON.stringify(stderr),
+      });
+    }
+  } catch (error) {
+    console.error("Error:", error);
+    sendMessage(ws, {
+      communication: "Internal server error",
+      error: JSON.stringify(error),
+    });
+  }
+}
+
+async function handleGetGpgPubKeys(ws: ServerWebSocket<unknown>) {
+  try {
+    const keys = await getGpgKeys();
+    if (keys) {
+      sendMessage(ws, { communication: "Keys retrieved.", gpgkeys: keys });
+    } else {
+      console.log("No Keys found in the output.");
+    }
+  } catch (error) {
+    sendMessage(ws, {
+      communication: "Failed to retrieve keys.",
+      error: error.message,
+    });
+  }
+}
+
+export async function getGpgKeys() {
+  const stdout = await $`gpg --list-keys`;
+
+  const lines = stdout.text().split("\n");
+  const keys = [];
+  let currentKey;
+
+  for (let i = 0; i < lines.length; i++) {
+    if (lines[i].startsWith("pub")) {
+      currentKey = {};
+      currentKey.fingerprint = lines[i + 1].trim();
+    } else if (lines[i].startsWith("uid")) {
+      currentKey.uid = lines[i].slice(3).trim();
+      keys.push(currentKey);
+    }
+  }
+
+  for (let key of keys) {
+    const armoredKey = await $`gpg --export --armor ${key.fingerprint}`;
+    key.pubkey = armoredKey.text();
+  }
+
+  return keys satisfies Array<GpgKey>;
+}
+
+function sendMessage(ws: ServerWebSocket<unknown>, payload: OutboundPayload) {
+  try {
+    // Validate the payload
+    const validatedPayload = OutboundPayloadSchema.parse(payload);
+
+    // Send the payload to the client
+    ws.send(JSON.stringify(validatedPayload));
+  } catch (error) {
+    console.error("Invalid outbound payload:", error);
+  }
+}
+
+// execute:
+main();

package.json

@@ -0,0 +1,32 @@
+{
+  "name": "gpg-bridge",
+  "version": "1.0.0",
+  "description": "A WebSocket server executing GPG commands via the GPG CLI based on incoming requests.",
+  "type": "module",
+  "main": "index.ts",
+  "private": true,
+  "scripts": {
+    "dev": "bun run --watch --verbose index.ts",
+    "compile:win": "bun build index.ts --compile --target=bun-windows-x64 --outfile ./dist/bridge-executable-win.exe",
+    "compile:mac-intel": "bun build index.ts --compile --target=bun-darwin-x64 --outfile ./dist/bridge-executable-mac-intel",
+    "compile:mac-arm": "bun build index.ts --compile --target=bun-darwin-arm64 --outfile ./dist/bridge-executable-mac-arm",
+    "compile:linux": "bun build index.ts --compile --target=bun-linux-x64 --outfile ./dist/bridge-executable-linux",
+    "compile:linux-arm": "bun build index.ts --compile --target=bun-linux-arm64 --outfile ./dist/bridge-executable-linux-arm",
+    "compile:all": "bun run compile:win && bun run compile:mac-intel && bun run compile:mac-arm && bun run compile:linux && bun run compile:linux-arm",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "bun": "^1.1.17",
+    "cors": "^2.8.5",
+    "dotenv": "^16.4.5",
+    "express": "^4.19.2",
+    "kill-port": "^2.0.1",
+    "openpgp": "^5.11.1",
+    "zod": "^3.22.4"
+  },
+  "devDependencies": {
+    "bun-types": "^1.1.3"
+  }
+}