feat: sign manifest command

src/manifest/manifest-create.action.ts

@@ -16,7 +16,10 @@ async function resolveTaskPackageUrl(tag: string): Promise<ImageInfo> {
   const url = `${repoUrl}/v1/image/info?&tag=${tag}`;
 
   const response = await fetch(url);
-  if (response.status != 200) {
+  if (response.status === 404) {
+    // TODO: Print url on debug and stop using exceptions.
+    throw new Error(`Error: Image ${tag} not found.`)
+  } else if (response.status != 200) {
     throw Error(`Failed to fetch image information: ${response.status} ${response.statusText}`);
   }
 

src/manifest/manifest-sign.action.ts

@@ -1,6 +1,7 @@
 import { ManifestSignOptions } from "./manifest-sign.options";
 import { readManifest } from "./manifest-utils";
-import { readFile } from "fs/promises";
+import { readFile, writeFile } from "fs/promises";
+import { createSign } from "crypto";
 
 export async function manifestSignAction(options: ManifestSignOptions): Promise<void> {
   // Read and validate the manifest.
@@ -13,13 +14,15 @@ export async function manifestSignAction(options: ManifestSignOptions): Promise<
   const keyFile = await readFile(options.keyFile);
 
   // Parse key file to KeyObject?
-
-  // sign with Sign?
+  const sign = createSign('RSA-SHA256');
+  sign.update(manifestBase64);
+  const signature = sign.sign({
+    key: keyFile,
+    // FIXME: Allow secure passphrase input and detect if a passphrase is needed.
+    passphrase: options.passphrase,
+  });
 
   // write signature to options.signatureFile.
-  // It's ok to use base64 here as the signature is a binary file.
-  // `checkFileOverwrite('signature', options.signatureFile, options.overwrite);` can be used to make sure we don't overwrite
-  // existing signature file. Not sure if this is needed (UX/DX question).
-
+  await writeFile(options.signatureFile, Buffer.from(signature).toString('base64'), 'ascii');
 }
 

src/manifest/manifest-sign.command.ts

@@ -6,6 +6,7 @@ manifestSignCommand
   .description('Sign Golem manifest file.')
   .addOption(createManifestOption())
   .option('-k, --key-file <file>', 'Private key file.')
+  .option('-p, --passphrase <passphrase>', 'Passphrase for the private key.')
   .option('-s, --signature-file <file>', 'Signature file.', 'manifest.sig')
   .action(async (options: any) => {
     const action = await import("./manifest-sign.action");

src/manifest/manifest-sign.options.ts

@@ -2,4 +2,5 @@ export interface ManifestSignOptions {
   manifest: string;
   keyFile: string;
   signatureFile: string;
+  passphrase?: string;
 }

src/manifest/manifest-verify.action.ts

@@ -26,7 +26,6 @@ export async function manifestVerifyAction(options: ManifestVerifyOptions) {
 
   const verify = createVerify('RSA-SHA256');
   verify.update(manifestBase64);
-  verify.update('\n'); // FIXME: Remove this, this is only for testing.
 
   if (!verify.verify(cert.publicKey, signature)) {
     console.error('Manifest doesn\'t match signature.');

src/manifest/manifest.command.ts

@@ -2,12 +2,14 @@ import { Command } from "commander";
 import { manifestCreateCommand } from "./manifest-create.command";
 import { manifestNetCommand } from "./net/manifest-net.command";
 import { manifestVerifyCommand } from "./manifest-verify.command";
+import { manifestSignCommand } from "./manifest-sign.command";
 
 export const manifestCommand = new Command("manifest");
 manifestCommand
   .description('Manage Golem manifest.')
   .addCommand(manifestCreateCommand)
   .addCommand(manifestNetCommand)
+  .addCommand(manifestSignCommand)
   .addCommand(manifestVerifyCommand)
 ;