Verify file signatures #114
Conversation
Hi @Kijewski, So long as zipsigned archive files can be unzipped by regular zip utilities, I'm all for it! Right now, I use 7z with very aggressive compression settings for my release workflow: https://github.com/jqnatividad/qsv/blob/master/.github/workflows/publish.yml If I can just add zipsign to the workflow to sign the 7z-created zip file, it'd be a no-brainer for me. You got my vote! As for the implementation details, it's LGTM, but I don't know enough about self-update's innards to offer any implementation advice. So long as @jaemk blesses it, it's good enough for me 😉
Thank you for providing me with your repo as an example! I was only looking at my own use case, and was missing the "bigger picture". You are packaging multiple files into one zip file, which is perfectly valid, but I still did not account for this event. My current implementation adds a signature to the zip file that can be used to verify one unzipped file. I will change the implementation to cover the whole .zip file instead of its content. This has multiple advantages. First and foremost: you can have multiple files that all get signed. And you don't have to look inside the zip file to tell if it was tampered with, e.g. to reject zip bombs.
I think the PR is ready to be reviewed. It bumps the MSRV to 1.64 (released on 2022-09-22), because it uses weak dependency features (MSRV: 1.60) and workspace inheritance (MSRV: 1.64). I hope that is okay.
Sorry for the delay @Kijewski - This looks great, thanks!
released in
This work-in-progress PR implements signed ZIP files. I was hoping to attract a few more eyeballs before I invest more time. 👀
The idea is that even if your GitHub credentials are compromised, and some evil actor can upload malicious releases in your name, then hopefully your private key was not compromised also. Without the private key an upload cannot be signed and the self-update will intentionally fail.
The signature gets stored as the first 64 bytes of a ZIP file. This is possible because ZIP files have their "header" at the end of the file, and they can be prepended with any and all content. This feature is also used in e.g. self-extracting ZIP files.
The signatures use ed25519. In https://github.com/Kijewski/zipsign I am implementing a tool to craft signed ZIP files:
- `zipsign gen-key my-private.key my-public.key`
- `.zip` and/or `.tar.gz` of your program(s) with whatever tool you are already using
- `zipsign sign zip my-program.zip my-private.key`
- `zipsign sign tar my-program.tar.gz my-private.key`
- `zipsign verify zip my-program.zip my-public.key`
- `zipsign verify tar my-program.tar.gz my-public.key`
Shortcomings: `.tar` files, `.tar.bz2`, `.tar.xz`, `.tar.zstd` or `.tar.Z`.

So, what do y'all think? Is this PR on the right track?
Closes #85, closes #111. Cc @jqnatividad, @rbauduin.
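The mechanism described above (an ed25519 signature stored in the first 64 bytes of the archive, verified before the self-update trusts the file) and the whole-file signing the author says in the reply that the implementation will switch to, as an added example that is not code from this PR or from zipsign: a standalone Go program using only the standard library. It builds a small archive in memory (constructed sample data; the file names and the key pair are placeholders), signs the complete archive bytes, prepends the 64-byte signature, verifies that prefix before parsing anything, and then confirms that a flipped byte and a public key the publisher never held are both rejected. zipsign's actual key-file and wire format are not shown on this page, so none of that is claimed here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// sigLen is the size of an Ed25519 signature; a signed file is sig || zip.
const sigLen = ed25519.SignatureSize

// entry is one file packed into the constructed sample archive.
type entry struct{ name, body string }

// buildZip writes a small archive in memory (sample input constructed for this example).
func buildZip(entries []entry) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		f, err := w.Create(e.name)
		if err != nil {
			return nil, err
		}
		if _, err := f.Write([]byte(e.body)); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// signZip signs the whole archive and prepends the 64-byte signature. ZIP
// readers find the central directory from the end of the file, so a regular
// unzip is not bothered by the prefix.
func signZip(priv ed25519.PrivateKey, archive []byte) []byte {
	signed := append([]byte{}, ed25519.Sign(priv, archive)...)
	return append(signed, archive...)
}

// verifyZip checks the prefix signature over everything after it and only
// then returns the archive bytes: nothing is decompressed before the check,
// so a tampered file or an unsigned zip bomb is rejected without inflating it.
func verifyZip(pub ed25519.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < sigLen {
		return nil, errors.New("file shorter than an ed25519 signature")
	}
	sig, archive := signed[:sigLen], signed[sigLen:]
	if !ed25519.Verify(pub, archive, sig) {
		return nil, errors.New("signature does not match public key or archive")
	}
	return archive, nil
}

// entryNames parses a verified archive and lists its files, showing the ZIP
// structure survived the prefix unchanged.
func entryNames(archive []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var names []string
	for _, f := range r.File {
		names = append(names, f.Name)
	}
	return names, nil
}

// roundTrip signs a constructed archive, verifies and reads it back, then
// checks that a flipped byte and a stranger's public key are both rejected.
func roundTrip() (names []string, tamperedRejected, wrongKeyRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, false, err
	}
	archive, err := buildZip([]entry{
		{"my-program/README.md", "constructed sample\n"},
		{"my-program/bin/my-program", "#!/bin/sh\necho hello\n"},
	})
	if err != nil {
		return nil, false, false, err
	}
	signed := signZip(priv, archive)
	verified, err := verifyZip(pub, signed)
	if err != nil {
		return nil, false, false, err
	}
	if names, err = entryNames(verified); err != nil {
		return nil, false, false, err
	}
	tampered := append([]byte{}, signed...)
	tampered[sigLen+5] ^= 0xFF // corrupt the archive body, not the signature
	_, tamperErr := verifyZip(pub, tampered)
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader) // a key the publisher never held
	_, keyErr := verifyZip(attackerPub, signed)
	return names, tamperErr != nil, keyErr != nil, nil
}
```

The order of operations is the point: `verifyZip` slices off the prefix and checks the signature over the raw bytes before `archive/zip` ever parses a header, which is what lets an updater refuse a bogus upload (including one from a stolen GitHub session) without decompressing anything. The example reads the archive from the bytes after the prefix; a general-purpose unzip tool reads the signed file as-is because the format tolerates leading data, as the description notes.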