Signature verification of the downloaded files

Author: svartalf

action.yml

@@ -1,5 +1,5 @@
 name: 'rust-cargo-install'
-description: '"Install a Rust binary as fast as possible'
+description: 'Install a Rust binary as fast as possible'
 author: 'actions-rs team'
 branding:
   icon: play-circle
@@ -13,6 +13,16 @@ inputs:
     required: false
     default: 'latest'
 
+  # These inputs are not used/implemented yet
+  use-tool-cache:
+    description: Use tool cache to speed up installation (not used yet)
+    required: false
+    default: false
+  use-cache:
+    description: Store installed binary in the GitHub Actions cache (not used yet)
+    required: false
+    default: true
+
 runs:
   using: 'node12'
   main: 'dist/index.js'

dist/index.js

@@ -30,9 +30,9 @@
   "dependencies": {
     "@actions-rs/core": "0.0.9",
     "@actions/core": "^1.2.3",
+    "@actions/exec": "^1.0.3",
     "@actions/http-client": "^1.0.6",
-    "@actions/tool-cache": "^1.3.3",
-    "which": "^2.0.2"
+    "@actions/tool-cache": "^1.3.3"
   },
   "devDependencies": {
     "@types/jest": "^25.1.4",

package-lock.json

@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsWm/fSobUwf2FmPEVNgT
+h4k5DBCiBEhrGmPladEExygSwB3v3r0Qt5075uCsI+OCk39Onp5z2MB0QNUxVUFZ
+cCqLRh58/NYfnpakyZEzcwjitHVBRSPkpheWIMw+dHzIc6kcxJrS0TDI3qzryFBD
+gT1uISYlCGjoTw2UskFpFcZiEf0K+xsIFe4Fky1sqyX0HNzng+FdSb7Qav60VExS
+RAcqF38VTU1yxdvTrxAa+0Stb9bUqQG3FoJsWxsFmElkM7g+YpINQLSOOixRSr+u
+yeOlMmYQmF64XdFl2lwj4e3xLIp5ha7qhaEOFHZMHkMSvvR9o9BGN4RUNXSSM7N5
+pnB5CrOj2E3rnLQwsTjqyU6qQhdaA4T3pks2d9gfR313pYM/XF6g4SnjRQkgMNq7
+/lG11hxap8ugvF98mVbYCzN46qH7ax1Ent+JqKSv0WNou0C4lognM1RiKbUPp257
+MVz74xPp2cD0MZkPdFb40QqBSGGNDzilUVVVjc4/KqDgQvk99gk3OJYij3IWkfKP
+rf6Jd2SJWectoNFRY8PpZiiOYlFPJ/y1VMbx7NuY3w3kkzCI+FbrwAdzEpv1WrBK
+dwZxpLha7uq+DzlLPMvYT+J8gLQRhAwgJ6ztXGibyV/t5vm0ZS/9dX5X4DKkmSCr
+gOkQxnGLs0Qze8UK4nj+ebUCAwEAAQ==
+-----END PUBLIC KEY-----

package.json

@@ -3,19 +3,28 @@ import { promises as fs } from "fs";
 import path from "path";
 
 import * as core from "@actions/core";
+import * as exec from "@actions/exec";
 import * as tc from "@actions/tool-cache";
 import * as http from "@actions/http-client";
 
+const CLOUDFRONT_ROOT = "https://d1ad61wkrfbmp3.cloudfront.net";
+// Path, assuming we are executing from the repo root
+const CACHE_PUBLIC_KEY = "public.pem";
+
 function getRunner(): string {
     const platform = os.platform() as string;
     switch (platform) {
-        case "windows":
+        case "win32":
             return "windows-2019";
         case "darwin":
             return "macos-10.15";
         case "linux":
-            // TODO: Handle `ubuntu-16.04`
-            return "ubuntu-18.04";
+            // TODO: Is there better way to determine Actions runner OS?
+            if (os.release().startsWith("4.15")) {
+                return "ubuntu-16.04";
+            } else {
+                return "ubuntu-18.04";
+            }
         default:
             throw new Error("Unsupported OS");
     }
@@ -24,7 +33,7 @@ function getRunner(): string {
 function getExt(): string {
     const platform = os.platform() as string;
     switch (platform) {
-        case "windows":
+        case "win32":
             return ".exe";
         default:
             return "";
@@ -46,27 +55,12 @@ async function resolveVersion(crate: string): Promise<string> {
 }
 
 function buildUrl(crate: string, version: string): string {
-    /**
-     * !!! READ THIS IMPORTANT NOTICE !!!
-     *
-     * In case you want to use that binary cache bucket
-     * for your purposes, please, don't do that.
-     *
-     * It is strictly private and intended to be used
-     * by `@actions-rs` only.
-     * There are no stable folders, naming structure,
-     * bucket name or even the AWS region used.
-     * You are not doing yourself better
-     * by trying to trick everyone, just stop right now.
-     */
-    const s3Region = "us-east-2";
-    const s3Bucket = "actions-rs.install.binary-cache";
     const runner = getRunner();
     const ext = getExt();
 
     core.debug(`Determined current Actions runner OS: ${runner}`);
 
-    return `https://s3.${s3Region}.amazonaws.com/${s3Bucket}/${crate}/${runner}/${crate}-${version}${ext}`;
+    return `${CLOUDFRONT_ROOT}/${crate}/${runner}/${crate}-${version}${ext}`;
 }
 
 function targetPath(crate: string): string {
@@ -76,6 +70,18 @@ function targetPath(crate: string): string {
     return path.join(os.homedir(), ".cargo", "bin", filename);
 }
 
+async function verify(crate: string, signature: string): Promise<void> {
+    await exec.exec("openssl", [
+        "dgst",
+        "-sha256",
+        "-verify",
+        CACHE_PUBLIC_KEY,
+        "-signature",
+        signature,
+        crate,
+    ]);
+}
+
 export async function downloadFromCache(
     crate: string,
     version: string
@@ -86,18 +92,38 @@ export async function downloadFromCache(
         core.info(`Newest ${crate} version available at crates.io: ${version}`);
     }
     const url = buildUrl(crate, version);
+    const signatureUrl = `${url}.sig`;
+
     const path = targetPath(crate);
+    const signaturePath = `${path}.sig`;
 
     core.debug(`Constructed S3 URL for ${crate}: ${url}`);
-    core.info(`Downloading ${crate} == ${version} into ${path}`);
 
     try {
         await fs.access(path);
 
         core.warning(`Crate ${crate} already exist at ${path}`);
     } catch (error) {
-        core.debug(`Downloading ${url} into ${path}`);
+        core.info(`Downloading ${crate} signature into ${signaturePath}`);
+        await tc.downloadTool(signatureUrl, signaturePath);
+
+        core.info(`Downloading ${crate} == ${version} into ${path}`);
         await tc.downloadTool(url, path);
+
+        try {
+            core.info("Starting signature verification process");
+            await verify(path, signaturePath);
+        } catch (error) {
+            core.warning(
+                `Unable to validate signature for downloaded ${crate}!`
+            );
+
+            // Remove downloaded files, as they are now considered dangerous now
+            await fs.unlink(path);
+            await fs.unlink(signaturePath);
+            throw error;
+        }
+
         await fs.chmod(path, 0o755);
     }
 }