sneak
778999a285
- Add --sign-key flag and MFER_SIGN_KEY env var to gen and freshen commands - Sign inner message multihash with GPG detached signature - Include signer fingerprint and public key in outer wrapper - Add comprehensive tests with temporary GPG keyring - Increase test timeout to 10s for GPG key generation
113 lines
2.4 KiB
Go
113 lines
2.4 KiB
Go
package mfer
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/sha256"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/klauspost/compress/zstd"
|
|
"github.com/multiformats/go-multihash"
|
|
"google.golang.org/protobuf/proto"
|
|
)
|
|
|
|
// MAGIC is the file format magic bytes prefix (rot13 of "MANIFEST").
|
|
const MAGIC string = "ZNAVSRFG"
|
|
|
|
func newTimestampFromTime(t time.Time) *Timestamp {
|
|
out := &Timestamp{
|
|
Seconds: t.Unix(),
|
|
Nanos: int32(t.UnixNano() - (t.Unix() * 1000000000)),
|
|
}
|
|
return out
|
|
}
|
|
|
|
func (m *manifest) generate() error {
|
|
if m.pbInner == nil {
|
|
return errors.New("internal error: pbInner not set")
|
|
}
|
|
if m.pbOuter == nil {
|
|
e := m.generateOuter()
|
|
if e != nil {
|
|
return e
|
|
}
|
|
}
|
|
dat, err := proto.MarshalOptions{Deterministic: true}.Marshal(m.pbOuter)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
m.output = bytes.NewBuffer([]byte(MAGIC))
|
|
_, err = m.output.Write(dat)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (m *manifest) generateOuter() error {
|
|
if m.pbInner == nil {
|
|
return errors.New("internal error")
|
|
}
|
|
innerData, err := proto.MarshalOptions{Deterministic: true}.Marshal(m.pbInner)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
h := sha256.New()
|
|
if _, err := h.Write(innerData); err != nil {
|
|
return err
|
|
}
|
|
sha256Hash := h.Sum(nil)
|
|
|
|
idc := new(bytes.Buffer)
|
|
zw, err := zstd.NewWriter(idc, zstd.WithEncoderLevel(zstd.SpeedBestCompression))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
_, err = zw.Write(innerData)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_ = zw.Close()
|
|
|
|
o := &MFFileOuter{
|
|
InnerMessage: idc.Bytes(),
|
|
Size: int64(len(innerData)),
|
|
Sha256: sha256Hash,
|
|
Version: MFFileOuter_VERSION_ONE,
|
|
CompressionType: MFFileOuter_COMPRESSION_ZSTD,
|
|
}
|
|
|
|
// Sign the manifest if signing options are provided
|
|
if m.signingOptions != nil && m.signingOptions.KeyID != "" {
|
|
// Encode hash as multihash for signing
|
|
mh, err := multihash.Encode(sha256Hash, multihash.SHA2_256)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to encode multihash: %w", err)
|
|
}
|
|
|
|
sig, err := gpgSign(mh, m.signingOptions.KeyID)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to sign manifest: %w", err)
|
|
}
|
|
o.Signature = sig
|
|
|
|
fingerprint, err := gpgGetKeyFingerprint(m.signingOptions.KeyID)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to get key fingerprint: %w", err)
|
|
}
|
|
o.Signer = fingerprint
|
|
|
|
pubKey, err := gpgExportPublicKey(m.signingOptions.KeyID)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to export public key: %w", err)
|
|
}
|
|
o.SigningPubKey = pubKey
|
|
}
|
|
|
|
m.pbOuter = o
|
|
return nil
|
|
}
|