Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Verify file signatures #114

Merged
merged 5 commits into from
Oct 23, 2023
Merged

Verify file signatures #114

merged 5 commits into from
Oct 23, 2023

Conversation

Kijewski
Copy link
Contributor

@Kijewski Kijewski commented Sep 7, 2023

This work-in-progress PR implements signed ZIP files. I was hoping to attract a few more eyeballs before I invest more time. 👀

The idea is that even if your github credentials are compromised, and some evil actor can upload malicious releases in your name, then hopefully your private key was not compromised also. Without the private key an upload cannot be signed and the self update will intentionally fail.

The signature gets stored as the first 64 bytes of a ZIP file. This is possible because ZIP files have their "header" at the end of the file, and they can be prepended by any and all content. This feature is also used in e.g. self-extracting ZIP files.

The signatures use ed25519. In https://github.com/Kijewski/zipsign I am implementing a tool to craft signed ZIP files:

  • install "zipsign"
  • zipsign gen-key my-private.key my-public.key
  • sign an archive of your program(s):
    • create a .zip and/or .tar.gz of your program(s) with whatever tool you are already using
    • zipsign sign zip my-program.zip my-private.key
    • zipsign sign tar my-program.tar.gz my-private.key
  • verify that an archive is correctly signed
    • zipsign verify zip my-program.zip my-public.key
    • zipsign verify tar my-program.tar.gz my-public.key

Shortcomings:

  • You cannot sign uncompressed .tar files, .tar.bz2, .tar.xz, .tar.zstd or .tar.Z.

So, what do y'all think? Is this PR on the right track?

Closes #85, closes #111. Cc @jqnatividad, @rbauduin.

@jqnatividad
Copy link
Contributor

jqnatividad commented Sep 7, 2023

Hi @Kijewski ,
Thanks for looping me in on this. With my project's release tempo (165 releases in ~3 years), self-update is an essential part of qsv.

So long as zipsigned archive files can be unzipped by regular zip utilities, I'm all for it!

Right now, I use 7z with very aggressive compression settings for my release workflow:

https://github.com/jqnatividad/qsv/blob/master/.github/workflows/publish.yml

If I can just add zipsign to the workflow to sign the 7z-created zip file, it'd be a no-brainer for me.

You got my vote!

As for the implementation details, its LGTM, but I don't know enough about self-update's innards to offer any implementation advice.

So long as @jaemk blesses it, its good enough for me 😉

@Kijewski
Copy link
Contributor Author

Kijewski commented Sep 8, 2023

Thank you for providing me with your repo as an example! I was only looking at my own use case, and was missing the "bigger picture". You are packaging multiple files into one zip file, which is perfectly valid, but I still did not account for this event.

My current implementation adds a signature to the zip file that can be used to verify one unzipped file. I will change the implementation to cover the whole .zip file instead of its content. This has multiple advantages. First and foremost: You can have multiple files that all get signed. And you don't have to look inside the zip file to tell if it was tempered with, e.g. to reject zip bombs.

@Kijewski Kijewski force-pushed the pr-checksum branch 2 times, most recently from db23e56 to 96acaa6 Compare September 12, 2023 15:43
@Kijewski Kijewski marked this pull request as ready for review September 16, 2023 14:51
@Kijewski
Copy link
Contributor Author

I think the PR is ready to be reviewed. It bumps the msrv to 1.64 (released on 2022-09-22), because it uses weak dependency features (msrv: 1.60) and workspace inheritance (msrv: 1.64). I hope that is okay.

@Kijewski Kijewski changed the title WIP: Verify file signatures Verify file signatures Sep 17, 2023
@jaemk
Copy link
Owner

jaemk commented Oct 23, 2023

Sorry for the delay @Kijewski - This looks great, thanks!

@jaemk jaemk merged commit 16bba08 into jaemk:master Oct 23, 2023
@jaemk
Copy link
Owner

jaemk commented Oct 23, 2023

released in 0.39.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

add option to validate checksums? Feature Request: optional checksum verification
3 participants