Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support signature verification (minisign) #237

Merged
merged 1 commit into from
Sep 28, 2023
Merged

Support signature verification (minisign) #237

merged 1 commit into from
Sep 28, 2023

Conversation

taiki-e
Copy link
Owner

@taiki-e taiki-e commented Sep 27, 2023
edited

This supports signature verification for the following format:

algorithm: minisign
public key: package.metadata.binstall.signing.pubkey at Cargo.toml

This is the format that cargo-binstall supports: https://github.com/cargo-bins/cargo-binstall/blob/HEAD/SIGNING.md

It should be easy to support public key in other places, but I support only what we need for now.

The implementation is basically the same as that described in #228 (comment).

We can extend the codegen to ensure that the hash in the generated manifest is the same as that obtained from the signed archive or indicated in the signed checksum file. This allows signature verification to be performed without additional cost at the time of execution of the action.

AFAIK, currently, there are no tools other than cargo-binstall that distribute signed archives in the tools we support.

@taiki-e taiki-e force-pushed the minisign-binstall branch 3 times, most recently from bd10fae to 5f9243b Compare September 27, 2023 13:42
@taiki-e
Copy link
Owner Author

taiki-e commented Sep 27, 2023

https://github.com/taiki-e/install-action/actions/runs/6326816086/job/17181208549

downloading releases of https://github.com/cargo-bins/cargo-binstall from https://api.github.com/repos/cargo-bins/cargo-binstall/releases
downloading crate info from https://crates.io/api/v1/crates/cargo-binstall
update manifest for versions '=1.4.1'
downloading https://github.com/cargo-bins/cargo-binstall/releases/download/v1.4.1/cargo-binstall-x86_64-unknown-linux-musl.tgz for checksum ... download complete
getting sha256 hash for https://github.com/cargo-bins/cargo-binstall/releases/download/v1.4.1/cargo-binstall-x86_64-unknown-linux-musl.tgz
382c45dfbdbcaee37f10cb37d6e519c75d174622cab9e287521eaa3b5f71e162 *cargo-binstall-x86_64-unknown-linux-musl.tgz
downloading https://github.com/cargo-bins/cargo-binstall/releases/download/v1.4.1/cargo-binstall-x86_64-unknown-linux-musl.tgz.sig for signature validation ... download complete
downloading https://crates.io/api/v1/crates/cargo-binstall/1.4.1/download for signature verification ... download complete
algorithm: minisign
pubkey: RWQuEpy2Ocjox5ppbdesj/VYAKvGyXITtw8OelPN1xY40izwAG/wSMvg
verifying signature for https://github.com/cargo-bins/cargo-binstall/releases/download/v1.4.1/cargo-binstall-x86_64-unknown-linux-musl.tgz ... done

@taiki-e taiki-e enabled auto-merge (rebase) September 27, 2023 15:20
NobodyXu
NobodyXu previously approved these changes Sep 27, 2023
View reviewed changes
@taiki-e taiki-e merged commit b30758c into main Sep 28, 2023
26 checks passed
@taiki-e taiki-e deleted the minisign-binstall branch September 28, 2023 03:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NobodyXu NobodyXu NobodyXu left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@taiki-e @NobodyXu