Wasmsign

A tool to add and verify digital signatures to/from WASM binaries.

WASM signatures

Unlike typical desktop and mobile applications, WebAssembly binaries do not embed any kind of digital signature that would let a consumer check that they come from a trusted source and have not been tampered with.

Wasmsign takes an existing wasm binary, computes an EdDSA signature, and builds a new binary embedding that signature as a global, exported symbol.

The resulting binary remains a standalone, valid wasm binary, but its signature can be verified prior to executing it.

Installation

wasmsign requires rust-nightly, which can be installed using rustup.

cargo install is then all it takes to compile and install the command-line wasmsign tool.

Usage

    wasmsign [FLAGS] [OPTIONS] --symbol-name <symbol-name>

FLAGS:
    -h, --help       Prints help information
    -G, --keygen     Generate a key pair
    -S, --sign       Sign a file
        --version    Prints version information
    -V, --verify     Verify a file

OPTIONS:
    -a, --ad <ad>                      Additional content to authenticate
    -i, --input <input-path>           Path to the wasm input file
    -o, --output <output-path>         Path to the wasm output file
    -p, --pk-path <pk-path>            Path to the public key file
    -s, --sk-path <sk-path>            Path to the secret key file
    -n, --symbol-name <symbol-name>    Name of the exported symbol containing the signature [default: ___SIGNATURE]

Create a key pair

wasmsign --keygen --pk-path key.public --sk-path key.secret

Sign an existing wasm binary

wasmsign --sign --pk-path key.public --sk-path key.secret \
  --input unsigned.wasm --output signed.wasm

Additional data can be authenticated, so that the signature is only valid for a given user, group, or machine:

wasmsign --sign --pk-path key.public --sk-path key.secret \
  --input unsigned.wasm --output signed.wasm --ad user19238

Verify an existing wasm binary

wasmsign --verify --pk-path key.public --input signed.wasm

or, if additional data was bound in at signing time, with the same data (verification fails if it is omitted or differs):

wasmsign --verify --pk-path key.public --input signed.wasm --ad user19238

The command exits with 0 if the embedded signature is valid for the given public key, content and additional data, or with a non-zero value on error. The check is only as strong as the public key it is given, so the verifier must obtain key.public through a trusted channel rather than alongside the binary it is about to run.
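The mechanism described above (sign the module, embed the signature so the file stays a valid module, strip and verify it before execution) and the sign/verify/additional-data workflow of the usage section, as one added example that is not wasmsign's own code or file format. It assumes Ed25519 as the EdDSA instance, embeds the signature in a trailing custom section named ___SIGNATURE instead of the exported global wasmsign uses (the section name, the length-prefixed framing of the additional data, and the tiny constructed module are this example's own choices), and uses only the Go standard library:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// wasmMagic is the fixed 8-byte module header: "\0asm" followed by version 1.
var wasmMagic = []byte{0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00}

// sigSection is the custom-section name used for the embedded signature
// (an assumption of this example, mirroring the CLI's default symbol name).
const sigSection = "___SIGNATURE"

// unsigned is a constructed, valid module: header plus a type section (id 1)
// declaring a single () -> () function type. It stands in for unsigned.wasm.
var unsigned = append(append([]byte{}, wasmMagic...), 0x01, 0x04, 0x01, 0x60, 0x00, 0x00)

// customSection encodes a wasm custom section: id 0, LEB128 size, name, payload.
func customSection(name string, payload []byte) []byte {
	body := append(binary.AppendUvarint(nil, uint64(len(name))), name...)
	body = append(body, payload...)
	out := binary.AppendUvarint([]byte{0x00}, uint64(len(body)))
	return append(out, body...)
}

// signedMessage frames the additional data with its length before the module
// bytes, so "ad || module" cannot be re-split at a different boundary.
func signedMessage(module, ad []byte) []byte {
	msg := binary.AppendUvarint(nil, uint64(len(ad)))
	msg = append(msg, ad...)
	return append(msg, module...)
}

// Sign returns a copy of module with an Ed25519 signature over (ad, module)
// appended as a trailing custom section; the result is still a valid module.
func Sign(sk ed25519.PrivateKey, module, ad []byte) ([]byte, error) {
	if !bytes.HasPrefix(module, wasmMagic) {
		return nil, errors.New("input is not a wasm module")
	}
	sig := ed25519.Sign(sk, signedMessage(module, ad))
	return append(append([]byte{}, module...), customSection(sigSection, sig)...), nil
}

// splitSignature walks the section list, checks that the signature section is
// the last one, and returns the original module bytes and the raw signature.
func splitSignature(signed []byte) (module, sig []byte, err error) {
	if !bytes.HasPrefix(signed, wasmMagic) {
		return nil, nil, errors.New("input is not a wasm module")
	}
	off := len(wasmMagic)
	for off < len(signed) {
		id := signed[off]
		size, n := binary.Uvarint(signed[off+1:])
		if n <= 0 {
			return nil, nil, errors.New("malformed section size")
		}
		start, end := off+1+n, off+1+n+int(size)
		if end > len(signed) {
			return nil, nil, errors.New("truncated section")
		}
		if id == 0 { // custom section: LEB128 name length, name, payload
			nameLen, m := binary.Uvarint(signed[start:end])
			nameEnd := start + m + int(nameLen)
			if m > 0 && nameEnd <= end && string(signed[start+m:nameEnd]) == sigSection {
				if end != len(signed) {
					return nil, nil, errors.New("signature section must be last")
				}
				return signed[:off], signed[nameEnd:end], nil
			}
		}
		off = end
	}
	return nil, nil, errors.New("no signature section found")
}

// Verify checks the embedded signature against pk and ad and returns the
// stripped module on success, so callers can gate execution on a nil error.
func Verify(pk ed25519.PublicKey, signed, ad []byte) ([]byte, error) {
	module, sig, err := splitSignature(signed)
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize {
		return nil, errors.New("embedded signature has the wrong length")
	}
	if !ed25519.Verify(pk, signedMessage(module, ad), sig) {
		return nil, errors.New("signature verification failed")
	}
	return module, nil
}

func main() {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader) // the --keygen step
	ad := []byte("user19238")
	signed, _ := Sign(sk, unsigned, ad) // the --sign --ad step
	_, err := Verify(pk, signed, ad)    // the --verify --ad step
	fmt.Println("valid with matching ad:", err == nil)
	_, err = Verify(pk, signed, nil) // same binary, ad omitted
	fmt.Println("without ad:", err)
}
```

A verifier that uses this shape decides on the signature before it hands the bytes to a runtime; the returned stripped module is what should be executed, so the signature section can never be confused with module content.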