From bbaba698569ad6e97a697c285172b81bf5d36335 Mon Sep 17 00:00:00 2001
From: Luke Childs
Date: Wed, 10 Feb 2021 18:09:23 +0700
Subject: [PATCH] Derive custom app seed (#500)

---
 scripts/app | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/scripts/app b/scripts/app
index 7baeb10..cd5485c 100755
--- a/scripts/app
+++ b/scripts/app
@@ -35,8 +35,22 @@ list_installed_apps() {
   cat "${USER_FILE}" 2> /dev/null | jq -r 'if has("installedApps") then .installedApps else [] end | join("\n")' || true
 }
 
+# Deterministically derives 128 bits of cryptographically secure entropy
+derive_entropy () {
+  identifier="${1}"
+  umbrel_seed=$(cat "${UMBREL_ROOT}/db/umbrel-seed/seed") || true
+
+  if [[ -z "$umbrel_seed" ]] || [[ -z "$identifier" ]]; then
+    >&2 echo "Missing derivation parameter, this is unsafe, exiting."
+    exit 1
+  fi
+
+  # We need `sed 's/^.* //'` to trim the "(stdin)= " prefix from some versions of openssl
+  printf "%s" "${identifier}" | openssl dgst -sha256 -hmac "${umbrel_seed}" | sed 's/^.* //'
+}
+
 # Check dependencies
-check_dependencies docker-compose jq
+check_dependencies docker-compose jq openssl
 
 if [ -z ${1+x} ]; then
   command=""
@@ -85,11 +99,13 @@ compose() {
   local app_base_compose_file="${UMBREL_ROOT}/apps/docker-compose.common.yml"
   local app_compose_file="${app_dir}/docker-compose.yml"
   local app_hidden_servive_file="${UMBREL_ROOT}/tor/data/app-${app}/hostname"
+  local app_entropy_identifier="app-${app}-seed"
 
   export BITCOIN_DATA_DIR="${UMBREL_ROOT}/bitcoin"
   export LND_DATA_DIR="${UMBREL_ROOT}/lnd"
   export APP_DATA_DIR="${app_data_dir}"
   export APP_HIDDEN_SERVICE="$(cat "${app_hidden_servive_file}" 2>/dev/null || echo "notyetset.onion")"
+  export APP_SEED=$(derive_entropy "${app_entropy_identifier}")
 
   docker-compose \
     --env-file "${env_file}" \
     --project-name "${app}" \
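Review bot: The header comment on `derive_entropy` says it derives 128 bits, but `openssl dgst -sha256 -hmac` emits a 32-byte digest, so the function outputs 256 bits (64 hex characters); the comment should read `# Deterministically derives a 256-bit (64 hex char) per-app secret from the Umbrel seed via HMAC-SHA256`. Passing the seed as `-hmac "${umbrel_seed}"` places the master seed in the openssl process's argument list, where it is visible in process listings for the duration of the call and in any `set -x` trace; openssl's `-hmac` takes the key only from argv, so that line deserves a comment recording the exposure (`# NOTE: seed is passed via argv and is briefly visible in process listings`) rather than silently accepting it. The function should also declare `local identifier umbrel_seed` so the seed does not persist in the shell's variables when the function is called directly rather than in a subshell. `sed` is used on the output but is not added to the `check_dependencies` line alongside openssl.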
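Review bot: `export APP_SEED=$(derive_entropy "${app_entropy_identifier}")` defeats the `exit 1` inside `derive_entropy`: the command substitution runs in a subshell, so the exit only ends that subshell, and `export VAR=$(...)` yields the status of `export` itself, so a missing or empty seed file leaves APP_SEED empty and docker-compose is still launched with an empty secret. Split the declaration from the assignment so the failure propagates: `local app_seed`, `app_seed=$(derive_entropy "${app_entropy_identifier}") || exit 1`, `export APP_SEED="${app_seed}"`. The enclosing compose() function starts before this hunk and continues past it.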