authorDaniel Peukert2022-11-13 14:07:10 +0100
committerDaniel Peukert2022-11-13 14:07:10 +0100
commit8ddd33f7c629757509b305ce0fbfb0a273967f85 (patch)
tree27e0fd45448e447de08605069221431f5e8aae14
downloadaur-8ddd33f7c629757509b305ce0fbfb0a273967f85.tar.gz
Add ct-honeybee
-rw-r--r--.SRCINFO19
-rw-r--r--.editorconfig8
-rw-r--r--.gitignore14
-rw-r--r--PKGBUILD40
-rw-r--r--ct-honeybee.150
-rw-r--r--ct-honeybee.install4
-rw-r--r--ct-honeybee.service33
-rw-r--r--ct-honeybee.timer11
8 files changed, 179 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..3e962e8de9f3
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,19 @@
+pkgbase = ct-honeybee
+ pkgdesc = Pollinates STHs between Certificate Transparency logs and auditors
+ pkgver = 20210914
+ pkgrel = 1
+ url = https://github.com/SSLMate/ct-honeybee
+ install = ct-honeybee.install
+ arch = any
+ license = custom:CC0
+ depends = python
+ source = ct-honeybee-20210914-1.tar.gz::https://github.com/SSLMate/ct-honeybee/archive/40157b03c9d93d932a92c308097efe0778410dc7.tar.gz
+ source = ct-honeybee.service
+ source = ct-honeybee.timer
+ source = ct-honeybee.1
+ sha512sums = 9157c982f272d7b033bab36f42b378deead0b40a31c062f4a067198028022035ecb9b405428a479398820039318c0706e02ee1681d58ce885f5a7533d1a336be
+ sha512sums = 470c1107f0e21d40bf181a142df2900aae28ce1930b46ad881ef23508f5fb2f169b267a61a62c7c14711b088254432d0e32500d77a9530bb76196f3c6a7bc8e4
+ sha512sums = b8cb1eb7385b002c8926d6a57f2df297c98b9c3d5a6adadf2fa156cd52cf4902b1ccd6c8163eb404675bea7477e1114b1e08fea292c4749f9233391b681c47c0
+ sha512sums = c4d1e87b22a6e025b7a6887296718fc2fb0d248a15b685c4342ec87ada66d3014d1ad7a9ac140f6e0c95ac233d3f079881ef2d104e3311bfc3735804dfa0c0e5
+
+pkgname = ct-honeybee
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 000000000000..a467ee9a97a6
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,8 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = tab
+tab_width = 4
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..82b3c183d5d4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,14 @@
+# from https://github.com/github/gitignore/blob/master/ArchLinuxPackages.gitignore
+*.tar
+*.tar.*
+*.rpm
+*.jar
+*.exe
+*.msi
+*.zip
+*.tgz
+*.log
+*.log.*
+*.sig
+
+*/
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..5a2f83e4eb3b
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,40 @@
+# Maintainer: Daniel Peukert <daniel@peukert.cc>
+pkgname='ct-honeybee'
+pkgver='20210914'
+_commit='40157b03c9d93d932a92c308097efe0778410dc7'
+pkgrel='1'
+pkgdesc='Pollinates STHs between Certificate Transparency logs and auditors'
+arch=('any')
+url="https://github.com/SSLMate/$pkgname"
+license=('custom:CC0')
+depends=('python')
+install="$pkgname.install"
+source=(
+ "$pkgname-$pkgver-$pkgrel.tar.gz::$url/archive/$_commit.tar.gz"
+ "$pkgname.service"
+ "$pkgname.timer"
+ "$pkgname.1"
+)
+sha512sums=('9157c982f272d7b033bab36f42b378deead0b40a31c062f4a067198028022035ecb9b405428a479398820039318c0706e02ee1681d58ce885f5a7533d1a336be'
+ '470c1107f0e21d40bf181a142df2900aae28ce1930b46ad881ef23508f5fb2f169b267a61a62c7c14711b088254432d0e32500d77a9530bb76196f3c6a7bc8e4'
+ 'b8cb1eb7385b002c8926d6a57f2df297c98b9c3d5a6adadf2fa156cd52cf4902b1ccd6c8163eb404675bea7477e1114b1e08fea292c4749f9233391b681c47c0'
+ 'c4d1e87b22a6e025b7a6887296718fc2fb0d248a15b685c4342ec87ada66d3014d1ad7a9ac140f6e0c95ac233d3f079881ef2d104e3311bfc3735804dfa0c0e5')
+
+_sourcedirectory="$pkgname-$_commit"
+
+package() {
+ cd "$srcdir/"
+
+ # Binary
+ install -Dm755 "$_sourcedirectory/$pkgname" "$pkgdir/usr/bin/$pkgname"
+
+ # Service and timer
+ install -Dm644 "$pkgname.service" "$pkgdir/usr/lib/systemd/system/$pkgname.service"
+ install -Dm644 "$pkgname.timer" "$pkgdir/usr/lib/systemd/system/$pkgname.timer"
+
+ # Man page
+ install -Dm644 "$pkgname.1" "$pkgdir/usr/share/man/man1/$pkgname.1"
+
+ # License
+ install -Dm644 "$_sourcedirectory/COPYING" "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+}
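Review bot: Nothing in the PKGBUILD exercises the installed script before packaging, so an incompatibility between the pinned upstream commit and the distro's `python` (the only declared dependency) would surface only at run time from the timer. If the script is Python, as `depends=('python')` suggests, a minimal `check() { python -m py_compile "$_sourcedirectory/$pkgname"; }` catches at least syntax-level breakage at build time. The source is pinned by commit hash and verified by sha512sums, which is the right setup; the date-style `pkgver` is not derived from the source, so a comment next to `_commit` saying both must be bumped together would help the next maintainer.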
diff --git a/ct-honeybee.1 b/ct-honeybee.1
new file mode 100644
index 000000000000..a61069de9852
--- /dev/null
+++ b/ct-honeybee.1
@@ -0,0 +1,50 @@
+.TH "CT-HONEYBEE" "1" "2021-09-14"
+.
+.SH "NAME"
+ct-honeybee - pollinates STHs between Certificate Transparency logs and auditors
+.
+.SH "SYNOPSIS"
+\fBct-honeybee\fR
+.
+.SH "DESCRIPTION"
+The Certificate Transparency Honeybee (\fBct-honeybee\fR) is a lightweight program that retrieves signed tree heads (STHs) from Certificate Transparency logs and uploads them to auditors.
+.PP
+You can help strengthen the integrity of the Certificate Transparency ecosystem by running \fBct-honeybee\fR on your workstation/server/toaster every hour or so (pick a random minute so that not everyone runs \fBct-honeybee\fR at the same time). Running \fBct-honeybee\fR from many different Internet vantage points increases the likelihood of detecting a misbehaving log which has presented a different view of the log to different clients.
+.PP
+\fBct-honeybee\fR is stateless and won't write to your filesystem.
+.
+.SH "LOGS"
+All logs trusted or pending inclusion by Chrome are audited by \fBct-honeybee\fR. For the current list of logs audited, see \fIhttps://loglist.certspotter.org/honeybee.json\fR.
+.
+.SH "AUDITORS"
+\fBct-honeybee\fR uploads STHs to the following auditors:
+.PP
+.IP "\(bu" 4
+certspotter.com
+.
+.IP "\(bu" 4
+ct.grahamedgecombe.com
+.
+.PP
+If you run an auditor that implements the sth-pollination endpoint described in Section 8.2 of draft-ietf-trans-gossip-00, please get in touch via \<\fIsslmate@sslmate.com\fR\> and we will add you to \fBct-honeybee\fR.
+.
+.SH "TECHNICAL OPERATION"
+.nr step 1 1
+.IP "\n[step]." 4
+For each log: fetch the latest STH and add it to the list of STHs. For simplicity, signatures are not checked; we leave this job to the auditors.
+.
+.IP "\n+[step]." 4
+Shuffle the list of auditors.
+.
+.IP "\n+[step]." 4
+For each auditor: upload the list of STHs to the auditor using the protocol described in Section 8.2 of draft-ietf-trans-gossip-00. Add each returned STH to the list of STHs so they get pollinated to subsequent auditors. Since we shuffle the list of auditors, we will pollinate in a different order each time ct-honeybee is run.
+.
+.SH "LEGALESE"
+Written in 2017 by Opsmate, Inc. d/b/a SSLMate \<\fIsslmate@sslmate.com\fR\>
+.PP
+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.
+.PP
+A copy of the CC0 Public Domain Dedication has been included with this software and is available in
+\fI/usr/share/licenses/ct-honeybee/LICENSE\fR.
+.PP
+It is also available online at \fIhttp://creativecommons.org/publicdomain/zero/1.0/\fR.
diff --git a/ct-honeybee.install b/ct-honeybee.install
new file mode 100644
index 000000000000..d376a14fe262
--- /dev/null
+++ b/ct-honeybee.install
@@ -0,0 +1,4 @@
+post_install() {
+ echo '==> A systemd timer has been provided, if you wish to run ct-honeybee hourly,'
+ echo '==> enable it by running systemctl enable ct-honeybee.timer.'
+}
diff --git a/ct-honeybee.service b/ct-honeybee.service
new file mode 100644
index 000000000000..2239e4b9a800
--- /dev/null
+++ b/ct-honeybee.service
@@ -0,0 +1,33 @@
+[Unit]
+Description=Upload STHs to CT auditors via ct-honeybee
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ct-honeybee
+
+# Hardening
+CapabilityBoundingSet=
+DynamicUser=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
+UMask=0777
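Review bot: `UMask=0777` on the last line reads like a typo for the usual `0077`, so it deserves a comment stating it is intentional: ct-honeybee(1) says the program is stateless and never writes to the filesystem, so stripping every permission bit from any file it might create is a deliberate hardening choice, not a mistake. Suggested comment above it: `# 0777 is intentional: ct-honeybee is stateless and must never create files`. Separately, `MemoryDenyWriteExecute=true` and `SystemCallFilter=~@resources` can break interpreters that map W+X pages or adjust rlimits; if the shipped script is Python as `depends=('python')` suggests, plain CPython is generally fine with these, but a one-line comment recording that the unit was tested against the packaged interpreter would save the next maintainer from guessing.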
diff --git a/ct-honeybee.timer b/ct-honeybee.timer
new file mode 100644
index 000000000000..4916c2d87503
--- /dev/null
+++ b/ct-honeybee.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Hourly ct-honeybee run
+
+[Timer]
+OnCalendar=hourly
+RandomizedDelaySec=59m
+FixedRandomDelay=true
+Persistent=true
+
+[Install]
+WantedBy=timers.target
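Review bot: The `RandomizedDelaySec=59m` / `FixedRandomDelay=true` pair is what implements the "pick a random minute so that not everyone runs at the same time" advice from ct-honeybee(1), but nothing in the unit says so, and a reader may be tempted to drop it to get runs exactly on the hour. A comment above `RandomizedDelaySec` such as `# Spread clients across the hour (see ct-honeybee(1)); FixedRandomDelay keeps the offset stable per machine` would document that intent. Since 59m plus `OnCalendar=hourly` keeps each run within its own hour, `Persistent=true` only matters for catch-up after downtime, which is worth saying in the same comment.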