sneak/mfer
1
0
Fork 0
Code Issues 8 Pull Requests 2 Actions Releases Wiki Activity

progress

Browse Source
This commit is contained in:
Jeffrey Paul
2026-02-08 09:25:58 -08:00
parent 4a2060087d
commit 5ab092098b
5 changed files with 748 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
internal/cli/check.go
View File

@@ -1,6 +1,7 @@
package cli
import (
"encoding/hex"
"fmt"
"path/filepath"
"strings"
@@ -72,19 +73,30 @@ func (mfa *CLIApp) checkManifestOperation(ctx *cli.Context) error {
// Check signature requirement
requiredSigner := ctx.String("require-signature")
if requiredSigner != "" {
// Validate fingerprint format: must be exactly 40 hex characters
if len(requiredSigner) != 40 {
return fmt.Errorf("invalid fingerprint: must be exactly 40 hex characters, got %d", len(requiredSigner))
}
if _, err := hex.DecodeString(requiredSigner); err != nil {
return fmt.Errorf("invalid fingerprint: must be valid hex: %w", err)
}
if !chk.IsSigned() {
return fmt.Errorf("manifest is not signed, but signature from %s is required", requiredSigner)
}
signer := chk.Signer()
if signer == nil {
return fmt.Errorf("manifest signature has no signer fingerprint")
// Extract fingerprint from the embedded public key (not from the signer field)
// This validates the key is importable and gets its actual fingerprint
embeddedFP, err := chk.ExtractEmbeddedSigningKeyFP()
if err != nil {
return fmt.Errorf("failed to extract fingerprint from embedded signing key: %w", err)
}
// Compare signer - the required key ID might be a suffix of the full fingerprint
signerStr := string(signer)
if !strings.EqualFold(signerStr, requiredSigner) && !strings.HasSuffix(strings.ToUpper(signerStr), strings.ToUpper(requiredSigner)) {
return fmt.Errorf("manifest signed by %s, but %s is required", signerStr, requiredSigner)
// Compare fingerprints - must be exact match (case-insensitive)
if !strings.EqualFold(embeddedFP, requiredSigner) {
return fmt.Errorf("embedded signing key fingerprint %s does not match required %s", embeddedFP, requiredSigner)
}
log.Infof("manifest signature verified (signer: %s)", signerStr)
log.Infof("manifest signature verified (signer: %s)", embeddedFP)
}
log.Infof("manifest contains %d files, %s", chk.FileCount(), humanize.IBytes(uint64(chk.TotalBytes())))