-
Notifications
You must be signed in to change notification settings - Fork 29
Add binary signature verification #558
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
753e955
to
3e18934
Compare
The main thing here is to pass in an Axios client instead of the SDK client since this does not need to make API calls and we will need to pass a separate client without headers when downloading external signatures. Otherwise the structure remains the same. Some variables are renamed due to being in a new context and some strings messages are simplified.
A tiny refactor since I will need to get a third config option.
33b14b9
to
18c3c88
Compare
18c3c88
to
860b1aa
Compare
They are not needed, and the packaging step will error that it looks like you are trying to package secrets due to the test key fixtures.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm gonna need you to sign a waiver indicating that you know I'm not a cryptography expert and will not be held responsible for any glaring security issues before you merge this 😝 but it looks good!
aGN86JBOmwpU87sfFxLI7HdI02DkvlxYYK3vYlA6zEyWaeLZ3VNr6tHcQmOnFe8Q | ||
26gcS0AQcxQZrcWTCZ8DJYF+RnXjSVRmHV/3YDts4JyMKcD6QX8s/3aaldk= | ||
=dLmT | ||
-----END PGP PUBLIC KEY BLOCK----- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-----END PGP PUBLIC KEY BLOCK----- | |
-----END PGP PUBLIC KEY BLOCK----- | |
all of the test files have trailing new lines but this one does not
case VerificationErrorCode.Invalid: | ||
return "Signature does not match"; | ||
default: | ||
return "Failed to read signature"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return "Failed to read signature"; | |
return "Failed to verify signature"; |
since this is the default, it might not necessarily be about reading I guess?
// Download the binary to a temporary file. | ||
await fs.mkdir(path.dirname(binPath), { recursive: true }); | ||
const tempFile = | ||
binPath + ".temp-" + Math.random().toString(36).substring(8); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is such a silly way to get a couple random characters lol. I love it.
): Promise<number> { | ||
const baseUrl = client.defaults.baseURL; | ||
|
||
const controller = new AbortController(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've known about this api for years and literally never seen someone use it in production. 🥹 so proud!!
return new VerificationError(VerificationErrorCode.Invalid, error); | ||
} | ||
} catch (e) { | ||
const error = `Failed to read signature or binary: ${errToStr(e)}.`; | ||
logger?.warn(error); | ||
return new VerificationError(VerificationErrorCode.Read, error); | ||
} | ||
return true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel weird about returning errors in js. if these were throw
n instead we could do something like...
try {
await verifySignature(...);
// more happy path here
} catch (error) {
if (error instanceof VerificationError) {
// unhappy path here
}
}
which is maybe a bit noisier than what you're currently doing, but is also a bit more "when in rome", y'know?
I extracted the download function (since I needed to reuse it to download signatures) to a separate commit so it is easier to review the signature additions separately, if that is of interest.
This downloads the detached signature from Coder if available or releases.coder.com if not, then verifies the binary using that detached signature and the bundled public key. The check is performed only when the binary is first download.