have some sort of signing going

Emyrk · Emyrk · commit f76959969bf3 · 2024-12-11T17:23:12.000-06:00
diff --git a/cli/signature.go b/cli/signature.go
@@ -0,0 +1,61 @@
+package cli
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/code-marketplace/internal/extensionsign"
+)
+
+func signature() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "signature",
+		Aliases: []string{"sig", "sigs", "signatures"},
+	}
+	cmd.AddCommand(compareSignatureSigZips())
+	return cmd
+}
+
+func compareSignatureSigZips() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:  "compare",
+		Args: cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			decode := func(path string) (extensionsign.SignatureManifest, error) {
+				data, err := os.ReadFile(path)
+				if err != nil {
+					return extensionsign.SignatureManifest{}, xerrors.Errorf("read %q: %w", args[0], err)
+				}
+
+				sig, err := extensionsign.ExtractSignatureManifest(data)
+				if err != nil {
+					return extensionsign.SignatureManifest{}, xerrors.Errorf("unmarshal %q: %w", path, err)
+				}
+				return sig, nil
+			}
+
+			a, err := decode(args[0])
+			if err != nil {
+				return err
+			}
+			b, err := decode(args[1])
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprintf(os.Stdout, "Signature A:%s\n", a)
+			_, _ = fmt.Fprintf(os.Stdout, "Signature B:%s\n", b)
+			err = a.Equal(b)
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprintf(os.Stdout, "Signatures are equal\n")
+			return nil
+		},
+	}
+	return cmd
+}
diff --git a/internal/extensionsign/doc.go b/internal/extensionsign/doc.go
@@ -0,0 +1,2 @@
+// Package extensionsign is a Go implementation of https://github.com/filiptronicek/node-ovsx-sign
+package extensionsign
diff --git a/internal/extensionsign/key.go b/internal/extensionsign/key.go
@@ -0,0 +1,14 @@
+package extensionsign
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+)
+
+func GenerateKey() (ed25519.PrivateKey, error) {
+	_, private, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return private, nil
+}
diff --git a/internal/extensionsign/sigmanifest.go b/internal/extensionsign/sigmanifest.go
@@ -0,0 +1,111 @@
+package extensionsign
+
+import (
+	"bytes"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/cloudflare/cfssl/scan/crypto/sha256"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/code-marketplace/storage"
+)
+
+type SignatureManifest struct {
+	Package File
+	// Entries is base64(filepath) -> File
+	Entries map[string]File
+}
+
+func (a SignatureManifest) String() string {
+	return fmt.Sprintf("Package %q with Entries: %d", a.Package.Digests.SHA256, len(a.Entries))
+}
+
+// Equal is helpful for debugging
+func (a SignatureManifest) Equal(b SignatureManifest) error {
+	var err error
+	if err := a.Package.Equal(b.Package); err != nil {
+		err = errors.Join(err, xerrors.Errorf("package: %w", err))
+	}
+
+	if len(a.Entries) != len(b.Entries) {
+		err = errors.Join(err, xerrors.Errorf("entry count mismatch: %d != %d", len(a.Entries), len(b.Entries)))
+	}
+
+	for k, v := range a.Entries {
+		if _, ok := b.Entries[k]; !ok {
+			err = errors.Join(err, xerrors.Errorf("entry %q not found in second set", k))
+			continue
+		}
+		if err := v.Equal(b.Entries[k]); err != nil {
+			err = errors.Join(err, xerrors.Errorf("entry %q: %w", k, err))
+		}
+	}
+	return err
+}
+
+type File struct {
+	Size    int64   `json:"size"`
+	Digests Digests `json:"digests"`
+}
+
+func (f File) Equal(b File) error {
+	if f.Size != b.Size {
+		return xerrors.Errorf("size mismatch: %d != %d", f.Size, b.Size)
+	}
+	if f.Digests.SHA256 != b.Digests.SHA256 {
+		return xerrors.Errorf("sha256 mismatch: %s != %s", f.Digests.SHA256, b.Digests.SHA256)
+	}
+	return nil
+}
+
+func FileManifest(file io.Reader) (File, error) {
+	hash := sha256.New()
+
+	n, err := io.Copy(hash, file)
+	if err != nil {
+		return File{}, xerrors.Errorf("hash file: %w", err)
+	}
+
+	return File{
+		Size: n,
+		Digests: Digests{
+			SHA256: base64.StdEncoding.EncodeToString(hash.Sum(nil)),
+		},
+	}, nil
+}
+
+type Digests struct {
+	SHA256 string `json:"sha256"`
+}
+
+// GenerateSignatureManifest generates a signature manifest for a VSIX file.
+// It does not sign the manifest.
+func GenerateSignatureManifest(vsixFile []byte) (SignatureManifest, error) {
+	pkgManifest, err := FileManifest(bytes.NewReader(vsixFile))
+	if err != nil {
+		return SignatureManifest{}, xerrors.Errorf("package manifest: %w", err)
+	}
+
+	manifest := SignatureManifest{
+		Package: pkgManifest,
+		Entries: make(map[string]File),
+	}
+
+	err = storage.ExtractZip(vsixFile, func(name string, reader io.Reader) error {
+		fm, err := FileManifest(reader)
+		if err != nil {
+			return xerrors.Errorf("file %q: %w", name, err)
+		}
+		manifest.Entries[base64.StdEncoding.EncodeToString([]byte(name))] = fm
+		return nil
+	})
+
+	if err != nil {
+		return SignatureManifest{}, err
+	}
+
+	return manifest, nil
+}
diff --git a/internal/extensionsign/sigmanifest_test.go b/internal/extensionsign/sigmanifest_test.go
@@ -0,0 +1,7 @@
+package extensionsign_test
+
+import "testing"
+
+func TestManifestEqual(t *testing.T) {
+
+}
diff --git a/internal/extensionsign/sigzip.go b/internal/extensionsign/sigzip.go
@@ -3,6 +3,7 @@ package extensionsign
 import (
 	"archive/zip"
 	"bytes"
+	"crypto/ed25519"
 	"encoding/json"
 
 	"golang.org/x/xerrors"
@@ -25,7 +26,10 @@ func ExtractSignatureManifest(zip []byte) (SignatureManifest, error) {
 	return manifest, nil
 }
 
-func Zip(manifest SignatureManifest) ([]byte, error) {
+// SignAndZip signs a manifest and zips it up
+// Should be a PCKS8 key
+// TODO: Support other key types
+func SignAndZip(key ed25519.PrivateKey, manifest SignatureManifest) ([]byte, error) {
 	var buf bytes.Buffer
 	w := zip.NewWriter(&buf)
 
@@ -34,11 +38,40 @@ func Zip(manifest SignatureManifest) ([]byte, error) {
 		return nil, xerrors.Errorf("create manifest: %w", err)
 	}
 
-	err = json.NewEncoder(manFile).Encode(manifest)
+	manifestData, err := json.Marshal(manifest)
 	if err != nil {
 		return nil, xerrors.Errorf("encode manifest: %w", err)
 	}
 
+	_, err = manFile.Write(manifestData)
+	if err != nil {
+		return nil, xerrors.Errorf("write manifest: %w", err)
+	}
+
+	// Empty file
+	_, err = w.Create(".signature.p7s")
+	if err != nil {
+		return nil, xerrors.Errorf("create empty p7s signature: %w", err)
+	}
+
+	// Actual sig
+	sigFile, err := w.Create(".signature.sig")
+	if err != nil {
+		return nil, xerrors.Errorf("create signature: %w", err)
+	}
+
+	signature := ed25519.Sign(key, manifestData)
+
+	//signature, err := key.Sign(rand.Reader, manifestData, crypto.SHA512)
+	//if err != nil {
+	//	return nil, xerrors.Errorf("sign: %w", err)
+	//}
+
+	_, err = sigFile.Write(signature)
+	if err != nil {
+		return nil, xerrors.Errorf("write signature: %w", err)
+	}
+
 	err = w.Close()
 	if err != nil {
 		return nil, xerrors.Errorf("close zip: %w", err)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+// Package extensionsign is a Go implementation of https://github.com/filiptronicek/node-ovsx-sign`
	`2`	`+package extensionsign`