Check downloaded AppImages signature

azubieta · azubieta · commit 0c7e33588d86 · 2020-07-03T01:40:03.000-05:00
diff --git a/app/commands/install/install.go b/app/commands/install/install.go
@@ -52,6 +52,14 @@ func (cmd *InstallCmd) Run(*commands.Context) (err error) {
 
 	cmd.createDesktopIntegration(targetFilePath)
 
+	signingEntity, _ := utils.VerifySignature(targetFilePath)
+	if signingEntity != nil {
+		fmt.Println("AppImage signed by:")
+		for _, v := range signingEntity.Identities {
+			fmt.Println("\t", v.Name)
+		}
+	}
+
 	return
 }
 
diff --git a/app/commands/update/command.go b/app/commands/update/command.go
@@ -60,6 +60,14 @@ func (cmd *UpdateCmd) Run(*commands.Context) (err error) {
 			continue
 		}
 
+		signingEntity, _ := utils.VerifySignature(result)
+		if signingEntity != nil {
+			fmt.Println("AppImage signed by:")
+			for _, v := range signingEntity.Identities {
+				fmt.Println("\t", v.Name)
+			}
+		}
+
 		fmt.Println("Update downloaded to: " + result)
 	}
 
diff --git a/app/utils/signature.go b/app/utils/signature.go
@@ -0,0 +1,167 @@
+package utils
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"debug/elf"
+	"encoding/hex"
+	"fmt"
+	"golang.org/x/crypto/openpgp"
+	"io"
+	"os"
+	"strings"
+)
+
+func VerifySignature(target string) (result *openpgp.Entity, err error) {
+	key, err := readElfSection(target, ".sig_key")
+	if err != nil {
+		return nil, err
+	}
+
+	signature, err := readElfSection(target, ".sha256_sig")
+	if err != nil {
+		return nil, err
+	}
+
+	file, err := newAppImagePreSignatureReader(target)
+	if err != nil {
+		return
+	}
+
+	sha256Hash := sha256.New()
+	_, err = io.Copy(sha256Hash, file)
+
+	if err != nil {
+		return nil, err
+	}
+
+	verification_target := hex.EncodeToString(sha256Hash.Sum(nil))
+
+	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewReader(key))
+	if err != nil {
+		return nil, err
+	}
+
+	entity, err := openpgp.CheckArmoredDetachedSignature(keyring, strings.NewReader(verification_target), bytes.NewReader(signature))
+	if err != nil {
+		return nil, err
+	}
+
+	return entity, nil
+}
+
+func readElfSection(appImagePath string, sectionName string) ([]byte, error) {
+	elfFile, err := elf.Open(appImagePath)
+	if err != nil {
+		panic("Unable to open target: \"" + appImagePath + "\"." + err.Error())
+	}
+
+	section := elfFile.Section(sectionName)
+	if section == nil {
+		return nil, fmt.Errorf("missing " + sectionName + " section on target elf")
+	}
+	sectionData, err := section.Data()
+
+	if err != nil {
+		return nil, fmt.Errorf("Unable to parse " + sectionName + " section: " + err.Error())
+	}
+
+	str_end := bytes.Index(sectionData, []byte("\000"))
+	if str_end == -1 || str_end == 0 {
+		return nil, nil
+	}
+
+	return sectionData[:str_end], nil
+}
+
+func ReadSignature(appImagePath string) ([]byte, error) {
+	elfFile, err := elf.Open(appImagePath)
+	if err != nil {
+		panic("Unable to open target: \"" + appImagePath + "\"." + err.Error())
+	}
+
+	updInfo := elfFile.Section(".sha256_sig")
+	if updInfo == nil {
+		panic("Missing .sha256_sig section on target elf ")
+	}
+	sectionData, err := updInfo.Data()
+
+	if err != nil {
+		panic("Unable to parse .sha256_sig section: " + err.Error())
+	}
+
+	str_end := bytes.Index(sectionData, []byte("\000"))
+	if str_end == -1 || str_end == 0 {
+		return nil, fmt.Errorf("No update information found in: " + appImagePath)
+	}
+
+	return sectionData[:str_end], nil
+}
+
+type appImagePreSignatureReader struct {
+	keySectionOffset uint64
+	keySectionSize   uint64
+
+	sigSectionOffset uint64
+	sigSectionSize   uint64
+
+	offset uint64
+	file   *os.File
+}
+
+func newAppImagePreSignatureReader(target string) (*appImagePreSignatureReader, error) {
+	elfFile, err := elf.Open(target)
+	if err != nil {
+		return nil, err
+	}
+
+	key := elfFile.Section(".sig_key")
+	if key == nil {
+		return nil, fmt.Errorf("Missing .sig_key section")
+	}
+
+	signature := elfFile.Section(".sha256_sig")
+	if signature == nil {
+		return nil, fmt.Errorf("Missing .sha256_sig section")
+	}
+
+	file, err := os.Open(target)
+	if err != nil {
+		return nil, err
+	}
+
+	return &appImagePreSignatureReader{
+		offset:           0,
+		file:             file,
+		keySectionOffset: key.Offset,
+		keySectionSize:   key.Size,
+		sigSectionOffset: signature.Offset,
+		sigSectionSize:   signature.Size,
+	}, nil
+}
+
+func (reader *appImagePreSignatureReader) Read(p []byte) (n int, err error) {
+	n, err = reader.file.Read(p)
+	if err != nil {
+		return
+	}
+
+	oldOffset := reader.offset
+	reader.offset += uint64(n)
+
+	if reader.keySectionOffset >= oldOffset && reader.keySectionOffset < reader.offset {
+		start := reader.keySectionOffset - oldOffset
+		for i := start; i < uint64(n) && (i-start) < reader.keySectionSize; i++ {
+			p[i] = 0
+		}
+	}
+
+	if reader.sigSectionOffset >= oldOffset && reader.sigSectionOffset < reader.offset {
+		start := reader.sigSectionOffset - oldOffset
+		for i := start; i < uint64(n) && (i-start) < reader.sigSectionSize; i++ {
+			p[i] = 0
+		}
+	}
+
+	return n, err
+}
diff --git a/go.mod b/go.mod
@@ -15,4 +15,5 @@ require (
 	github.com/schollz/progressbar/v3 v3.3.3
 	github.com/stretchr/testify v1.6.1
 	github.com/tidwall/gjson v1.6.0
+	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
 )

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,14 @@ func (cmd UpdateCmd) Run(commands.Context) (err error) {`
`60`	`60`	`continue`
`61`	`61`	`}`
`62`	`62`
	`63`	`+ signingEntity, _ := utils.VerifySignature(result)`
	`64`	`+ if signingEntity != nil {`
	`65`	`+ fmt.Println("AppImage signed by:")`
	`66`	`+ for _, v := range signingEntity.Identities {`
	`67`	`+ fmt.Println("\t", v.Name)`
	`68`	`+ }`
	`69`	`+ }`
	`70`	`+`
`63`	`71`	`fmt.Println("Update downloaded to: " + result)`
`64`	`72`	`}`
`65`	`73`
Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,5 @@ require (`
`15`	`15`	`github.com/schollz/progressbar/v3 v3.3.3`
`16`	`16`	`github.com/stretchr/testify v1.6.1`
`17`	`17`	`github.com/tidwall/gjson v1.6.0`
	`18`	`+ golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9`
`18`	`19`	`)`