diff --git a/bash/add-keys-to-git.sh b/bash/add-keys-to-git.sh
new file mode 100755
index 0000000..a0fe850
--- /dev/null
+++ b/bash/add-keys-to-git.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+echo "🔄 Extracting new keys from YubiKey and updating Git config..."
+
+# 1. Update PERSONAL (Slot 9a) -> .git-naomi
+# ---------------------------------------------------------
+echo " -> Processing Slot 9a (Personal)..."
+KEY_9A=$(ykman piv keys export 9a - | ssh-keygen -i -m PKCS8 -f /dev/stdin)
+git config -f ~/.git-naomi user.signingkey "key::$KEY_9A"
+
+# 2. Update DEEPGRAM (Slot 9c) -> .git-dg
+# ---------------------------------------------------------
+echo " -> Processing Slot 9c (Deepgram)..."
+KEY_9C=$(ykman piv keys export 9c - | ssh-keygen -i -m PKCS8 -f /dev/stdin)
+git config -f ~/.git-dg user.signingkey "key::$KEY_9C"
+
+# 3. Update FREECODECAMP (Slot 9e) -> .git-fcc
+# ---------------------------------------------------------
+echo " -> Processing Slot 9e (FreeCodeCamp)..."
+KEY_9D=$(ykman piv keys export 9e - | ssh-keygen -i -m PKCS8 -f /dev/stdin)
+git config -f ~/.git-fcc user.signingkey "key::$KEY_9D"
+
+echo "✅ Done! Your local Git is now synced with your new hardware keys."
+echo "⚠️ REMINDER: You must now upload these new public keys to GitHub and your 'prod' server!"
\ No newline at end of file
diff --git a/bash/fix-yubikey-perms.sh b/bash/fix-yubikey-perms.sh
new file mode 100755
index 0000000..872bf5c
--- /dev/null
+++ b/bash/fix-yubikey-perms.sh
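Review bot: In bash/add-keys-to-git.sh none of the three `KEY_…=$(ykman piv keys export … | ssh-keygen …)` assignments is checked, so with the token unplugged or a slot empty the script still writes `user.signingkey "key::"` into that identity's Git config and then prints the success line. Add `set -euo pipefail` under the shebang and guard each write, e.g. `[ -n "$KEY_9A" ] || { echo "slot 9a: no key exported" >&2; exit 1; }`. The third block reads slot 9e into a variable named `KEY_9D`; `KEY_9E` would match the slot and the comment above it.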
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Colors for pretty output
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo -e "${YELLOW}🔧 Starting YubiKey WSL Repair...${NC}"
+
+# 1. CHECK: Is the key actually attached?
+if ! lsusb -d 1050: > /dev/null; then
+ echo -e "${RED}❌ Error: No YubiKey detected in Linux!${NC}"
+ echo " Please go to Windows PowerShell and run:"
+ echo " usbipd attach --wsl --busid "
+ exit 1
+fi
+echo -e "${GREEN}✅ YubiKey Hardware detected.${NC}"
+
+# 2. PERMISSIONS: The "Nuclear" Polkit Fix
+# This forces the smart card service to accept connections even if WSL looks "inactive"
+POLICY_FILE="/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy"
+
+if [ -f "$POLICY_FILE" ]; then
+ echo " Applying 'Nuclear' permission fix to PC/SC Policy..."
+ # Backup original if not exists
+ if [ ! -f "$POLICY_FILE.bak" ]; then
+ sudo cp "$POLICY_FILE" "$POLICY_FILE.bak"
+ fi
+ # Force permissions to 'yes'
+ sudo sed -i 's/.*<\/allow_any>/yes<\/allow_any>/' "$POLICY_FILE"
+ sudo sed -i 's/.*<\/allow_inactive>/yes<\/allow_inactive>/' "$POLICY_FILE"
+ sudo sed -i 's/.*<\/allow_active>/yes<\/allow_active>/' "$POLICY_FILE"
+else
+ echo -e "${YELLOW}⚠️ Warning: Polkit policy file not found. Skipping nuclear fix.${NC}"
+fi
+
+# 3. GROUP: Ensure user is in plugdev
+if ! groups $USER | grep -q "plugdev"; then
+ echo " Adding $USER to plugdev group..."
+ sudo usermod -aG plugdev $USER
+fi
+
+# 4. USB NODE: Force read/write permissions on the raw USB device
+# This fixes the "Failed to connect" error from yubico-piv-tool
+echo " Forcing permissions on USB device node..."
+lsusb -d 1050: | while read -r line; do
+ BUS=$(echo "$line" | awk '{print $2}')
+ DEV=$(echo "$line" | awk '{print $4}' | tr -d :)
+ PATH="/dev/bus/usb/$BUS/$DEV"
+ echo " -> Unlocking $PATH"
+ sudo chmod 666 "$PATH"
+done
+
+# 5. SERVICES: Restart everything to pick up changes
+echo " Restarting Smart Card Services..."
+# Kill any stuck GPG agents that might hog the card
+gpgconf --kill gpg-agent 2>/dev/null || true
+# Restart the main daemon
+sudo systemctl restart polkit
+sudo systemctl restart pcscd
+
+# 6. CONFIG CHECK: Warn if SSH config is bad
+if grep -q "IdentityFile.*yubi" ~/.ssh/config; then
+ echo -e "${YELLOW}⚠️ WARNING: Found 'IdentityFile' pointing to a YubiKey in ~/.ssh/config!${NC}"
+ echo " You should remove that line so SSH doesn't throw 'libcrypto' errors."
+fi
+
+# 7. FINAL TEST
+echo -e "${YELLOW}🔎 Verifying connection...${NC}"
+if yubico-piv-tool -a status > /dev/null 2>&1; then
+ echo -e "${GREEN}🎉 SUCCESS! Your YubiKey is ready.${NC}"
+ yubico-piv-tool -a status | grep "Serial Number"
+else
+ echo -e "${RED}❌ Status check failed.${NC}"
+ echo " Try running: yubico-piv-tool -a status"
+fi
\ No newline at end of file
diff --git a/bash/list-yubikey-ssh-keys.sh b/bash/list-yubikey-ssh-keys.sh
new file mode 100755
index 0000000..088c7dc
--- /dev/null
+++ b/bash/list-yubikey-ssh-keys.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+echo "Scanning YubiKey slots for SSH keys..."
+echo "---------------------------------------------------"
+
+# Loop through the slots that support SSH keys
+for SLOT in 9a 9c 9d 9e; do
+ # Try to export the key to a temp file
+ if ykman piv keys export $SLOT /tmp/yubi_tmp.pem > /dev/null 2>&1; then
+ echo -e "\033[0;32mFOUND KEY IN SLOT $SLOT:\033[0m"
+
+ # Check if there is a certificate label
+ LABEL=$(ykman piv certificates export $SLOT - 2>/dev/null | openssl x509 -noout -subject 2>/dev/null)
+ if [ ! -z "$LABEL" ]; then
+ echo "Certificate Label: $LABEL"
+ fi
+
+ # Convert to SSH format and print
+ ssh-keygen -i -m PKCS8 -f /tmp/yubi_tmp.pem
+ echo "---------------------------------------------------"
+ rm /tmp/yubi_tmp.pem
+ fi
+done
\ No newline at end of file
diff --git a/src/s3/upload.ts b/src/s3/upload.ts
index b9de7c5..b727156 100644
--- a/src/s3/upload.ts
+++ b/src/s3/upload.ts
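Review bot: In bash/fix-yubikey-perms.sh step 4 stores the device node in `PATH`, which replaces the command search path inside the loop, so the `sudo chmod` on the following line can no longer be resolved and the step does nothing; use another name, e.g. `dev_node="/dev/bus/usb/$BUS/$DEV"`. The mode it is meant to set, `666`, lets every local account talk to the token; as step 3 already puts the user in plugdev, `sudo chgrp plugdev "$dev_node" && sudo chmod 660 "$dev_node"` keeps access to that group (the new membership only applies to a fresh login session). Step 2 has the same breadth: it sets all three polkit defaults to `yes` in a package-owned file under /usr/share, which a package upgrade would presumably overwrite, so a local rule under /etc/polkit-1/rules.d scoped to the user would be narrower and would survive updates. `$USER` in step 3 should be quoted.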
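Review bot: bash/list-yubikey-ssh-keys.sh exports every slot to the fixed path `/tmp/yubi_tmp.pem`; in a world-writable directory another local account can pre-create that name as a file or symlink, so the script may write through a link or print a key it did not read from the token. No file is needed: add-keys-to-git.sh in this same commit already streams the export, so the test can become `if PEM=$(ykman piv keys export "$SLOT" - 2>/dev/null); then` and the conversion `printf '%s\n' "$PEM" | ssh-keygen -i -m PKCS8 -f /dev/stdin`, dropping the `rm`. If a file is kept, create it with `mktemp` and remove it from an EXIT trap.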
@@ -15,7 +15,7 @@ if (accessKeyId === undefined || secretAccessKey === undefined) { } const fileName = await input({ - message: "Enter the ABSOLUTE PATH of the file to upload", + message: "Enter the ABSOLUTE PATH of the file to upload, including leading slash:", }); if (fileName === "") { throw new Error("File name is not set"); @@ -24,7 +24,7 @@ if (fileName === "") { const file = await readFile(fileName); const uploadPath = await input({ - message: "Enter the PATH to upload the file to", + message: "Enter the PATH to upload the file to, WITHOUT leading slash:", }); if (uploadPath === "") { throw new Error("Upload path is not set");