Embed the signer binary into tkey-sign

Adds a build.sh script that clones tkey-libs and the
tkey-device-signer, builds them, and copies the resulting signer to
signer.bin for embedding.

.github/workflows/ci.yaml

@@ -27,7 +27,7 @@ jobs:
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
           
       - name: make
-        run: make -j
+        run: ./build.sh
 
       - name: lint go code
         run: make lint

README.md

@@ -67,12 +67,16 @@ should be enough to get you a working Podman setup.
 
 ### Building with host tools
 
-You need `golang` and `make`.
+You need to build `tkey-libs` and the `signer` device app. There's a
+script available that clones the repos and copies the resulting
+`signer` binary to this directory:
 
 ```
-$ make
+$ ./build.sh
 ```
 
+Please inspect the script before running.
+
 ## Licenses and SPDX tags
 
 Unless otherwise noted, the project sources are licensed under the

build.sh

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+git clone https://github.com/tillitis/tkey-libs.git ../tkey-libs
+git clone https://github.com/tillitis/tkey-device-signer.git ../tkey-device-signer
+
+make -j -C ../tkey-libs
+make -j -C ../tkey-device-signer
+
+cp ../tkey-device-signer/signer/app.bin signer.bin
+
+make -j

go.mod

@@ -9,7 +9,8 @@ require (
 	github.com/tillitis/tkeyclient v0.0.0-20230511144543-9ee035fb0288
 	github.com/tillitis/tkeysign v0.0.0-20230511181826-bdde22885b71
 	go.bug.st/serial v1.5.0
-	golang.org/x/sys v0.7.0
+	golang.org/x/crypto v0.7.0
+	golang.org/x/sys v0.8.0
 	golang.org/x/term v0.7.0
 )
 
@@ -18,5 +19,9 @@ require (
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
 	github.com/tadvi/systray v0.0.0-20190226123456-11a2b8fa57af // indirect
-	golang.org/x/crypto v0.7.0 // indirect
+	github.com/tillitis/tkeyutil v0.0.0-00010101000000-000000000000 // indirect
 )
+
+replace github.com/tillitis/tkeyclient => ../tkeyclient
+
+replace github.com/tillitis/tkeyutil => ../tkeyutil

go.sum

@@ -15,17 +15,15 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/tadvi/systray v0.0.0-20190226123456-11a2b8fa57af h1:6yITBqGTE2lEeTPG04SN9W+iWHCRyHqlVYILiSXziwk=
 github.com/tadvi/systray v0.0.0-20190226123456-11a2b8fa57af/go.mod h1:4F09kP5F+am0jAwlQLddpoMDM+iewkxxt6nxUQ5nq5o=
-github.com/tillitis/tkeyclient v0.0.0-20230511144543-9ee035fb0288 h1:CHmvhOmNGklUHWEdmoCIdS+OptIBd50d+l+Iwxann+Q=
-github.com/tillitis/tkeyclient v0.0.0-20230511144543-9ee035fb0288/go.mod h1:B/O+T4WWEXDbJ/w7ktWxoZ7GE8+WZDWrw7RJS1xAAYQ=
 github.com/tillitis/tkeysign v0.0.0-20230511181826-bdde22885b71 h1:ij0tJ+CNjGj2C1rexax1ZGhszhH6LODfVC52K1XNwHs=
 github.com/tillitis/tkeysign v0.0.0-20230511181826-bdde22885b71/go.mod h1:sEDRw2sHyXT1CojrTViorg98dpI3L1G+TBhZrkNba7Y=
 go.bug.st/serial v1.5.0 h1:ThuUkHpOEmCVXxGEfpoExjQCS2WBVV4ZcUKVYInM9T4=
 go.bug.st/serial v1.5.0/go.mod h1:UABfsluHAiaNI+La2iESysd9Vetq7VRdpxvjx7CmmOE=
 golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

main.go

@@ -5,7 +5,10 @@ package main
 
 import (
 	"crypto/ed25519"
+	_ "embed"
+	"errors"
 	"fmt"
+	"io"
 	"log"
 	"os"
 	"os/signal"
@@ -18,17 +21,57 @@ import (
 	"github.com/tillitis/tkeysign"
 )
 
+// nolint:typecheck // Avoid lint error when the embedding file is missing.
+// Build copies the built signer here
+//
+//go:embed signer.bin
+var signerBinary []byte
+
 // Use when printing err/diag msgs
 var le = log.New(os.Stderr, "", 0)
 
 // May be set to non-empty at build time to indicate that the signer
 // app has been compiled with touch requirement removed.
 var signerAppNoTouch string
 
+const (
+	// 4 chars each.
+	wantFWName0  = "tk1 "
+	wantFWName1  = "mkdf"
+	wantAppName0 = "tk1 "
+	wantAppName1 = "sign"
+)
+
+func isFirmwareMode(tk *tkeyclient.TillitisKey) bool {
+	nameVer, err := tk.GetNameVersion()
+	if err != nil {
+		return false
+	}
+	// not caring about nameVer.Version
+	return nameVer.Name0 == wantFWName0 &&
+		nameVer.Name1 == wantFWName1
+}
+
+func isWantedApp(signer tkeysign.Signer) bool {
+	nameVer, err := signer.GetAppNameVersion()
+	if err != nil {
+		if !errors.Is(err, io.EOF) {
+			le.Printf("GetAppNameVersion: %s\n", err)
+		}
+		return false
+	}
+
+	fmt.Printf("name0: %v, name1: %v\n", nameVer.Name0, nameVer.Name1)
+
+	// not caring about nameVer.Version
+	return nameVer.Name0 == wantAppName0 &&
+		nameVer.Name1 == wantAppName1
+}
+
 func main() {
 	var fileName, devPath string
 	var speed int
-	var showPubkeyOnly, verbose, helpOnly bool
+	var enterUSS, showPubkeyOnly, verbose, helpOnly bool
 	pflag.CommandLine.SetOutput(os.Stderr)
 	pflag.CommandLine.SortFlags = false
 	pflag.BoolVarP(&showPubkeyOnly, "show-pubkey", "p", false,
@@ -37,6 +80,8 @@ func main() {
 		"Set serial port device `PATH`. If this is not passed, auto-detection will be attempted.")
 	pflag.IntVar(&speed, "speed", tkeyclient.SerialSpeed,
 		"Set serial port speed in `BPS` (bits per second).")
+	pflag.BoolVar(&enterUSS, "uss", false,
+		"Enable typing of a phrase to be hashed as the User Supplied Secret. The USS is loaded onto the TKey along with the app itself. A different USS results in different SSH public/private keys, meaning a different identity.")
 	pflag.BoolVar(&verbose, "verbose", false, "Enable verbose output.")
 	pflag.BoolVar(&helpOnly, "help", false, "Output this help.")
 	pflag.Usage = func() {
@@ -100,6 +145,16 @@ public key of the signer app on the TKey.`, os.Args[0])
 		os.Exit(1)
 	}
 
+	if isFirmwareMode(tk) {
+		var secret []byte
+		if err := tk.LoadApp(signerBinary, secret); err != nil {
+			le.Printf("Couldn't load signer: %v\n", err)
+			os.Exit(1)
+		}
+
+		le.Printf("Signer app loaded.\n")
+	}
+
 	signer := tkeysign.New(tk)
 	exit := func(code int) {
 		if err := signer.Close(); err != nil {
@@ -109,6 +164,12 @@ public key of the signer app on the TKey.`, os.Args[0])
 	}
 	handleSignals(func() { exit(1) }, os.Interrupt, syscall.SIGTERM)
 
+	if !isWantedApp(signer) {
+		le.Printf("No TKey on the serial port, or it's running wrong app (and is not in firmware mode)")
+		tk.Close()
+		os.Exit(1)
+	}
+
 	pubkey, err := signer.GetPubkey()
 	if err != nil {
 		le.Printf("GetPubKey failed: %v\n", err)

tools/spdx-ensure

@@ -19,6 +19,7 @@ missingok_files=(
 .editorconfig
 .gitignore
 .golangci.yml
+build.sh
 LICENSE
 Makefile
 README.md