
Commit 67c915a

avrabeclaude
andcommitted
feat: implement complete WebAssembly component signing with wasmsign2
Add comprehensive cryptographic signing support for WebAssembly components using wasmsign2, enabling secure component distribution and verification workflows. This implementation provides: - **Complete toolchain integration**: wasmsign2 built from source with cross-platform support for Linux, macOS, and Windows - **Core signing rules**: wasm_keygen for key generation, wasm_sign for component signing, and wasm_verify for signature verification - **Multiple signature formats**: Support for both embedded and detached signatures - **Key format flexibility**: OpenSSH Ed25519 and compact key formats - **Provider architecture**: WasmSignatureInfo and WasmKeyInfo providers for clean data flow between signing operations - **Enhanced validation**: Optional signature verification integrated into wasm_validate - **Production features**: GitHub integration, partial verification, and comprehensive error handling The implementation follows Bazel-native patterns with hermetic builds, proper toolchain abstraction, and cross-platform compatibility. All signing operations are integrated seamlessly with the existing WasmComponentInfo provider system. Example usage: ```starlark wasm_keygen(name = "keys") wasm_sign(name = "signed", component = ":my_component", keys = ":keys") wasm_verify(name = "verified", signed_component = ":signed", keys = ":keys") ``` Includes comprehensive examples in //examples/wasm_signing demonstrating key generation, component signing with both embedded and detached signatures, and verification workflows. This enables secure WebAssembly component distribution with cryptographic guarantees of component integrity and authenticity. Co-Authored-By: Assistant <[email protected]>
1 parent 4eb6c49 commit 67c915a


13 files changed

+1265
-22
lines changed


MODULE.bazel.lock

Lines changed: 8 additions & 8 deletions

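--- a/checksums/registry.bzl
+++ b/checksums/registry.bzl
@@ -202,6 +202,45 @@ def _get_hardcoded_checksums(tool_name):
 },
 },
 },
+"wasmsign2": {
+"tool_name": "wasmsign2",
+"github_repo": "wasm-signatures/wasmsign2",
+"latest_version": "0.2.6",
+"build_type": "rust_source",
+"versions": {
+"0.2.6": {
+"release_date": "2024-11-22",
+"source_info": {
+"git_tag": "0.2.6",
+"commit_sha": "3a2defd9ab2aa8f28513af42e6d73408ee7ac43a",
+"cargo_package": "wasmsign2-cli",
+"binary_name": "wasmsign2",
+},
+"platforms": {
+"darwin_amd64": {
+"sha256": "SOURCE_BUILD_NO_CHECKSUM_RUST_COMPILATION_TARGET",
+"rust_target": "x86_64-apple-darwin",
+},
+"darwin_arm64": {
+"sha256": "SOURCE_BUILD_NO_CHECKSUM_RUST_COMPILATION_TARGET",
+"rust_target": "aarch64-apple-darwin",
+},
+"linux_amd64": {
+"sha256": "SOURCE_BUILD_NO_CHECKSUM_RUST_COMPILATION_TARGET",
+"rust_target": "x86_64-unknown-linux-gnu",
+},
+"linux_arm64": {
+"sha256": "SOURCE_BUILD_NO_CHECKSUM_RUST_COMPILATION_TARGET",
+"rust_target": "aarch64-unknown-linux-gnu",
+},
+"windows_amd64": {
+"sha256": "SOURCE_BUILD_NO_CHECKSUM_RUST_COMPILATION_TARGET",
+"rust_target": "x86_64-pc-windows-msvc",
+},
+},
+},
+},
+},
 }
 
 return hardcoded_data.get(tool_name, {})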
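Review bot: Every per-platform `sha256` for wasmsign2 is the sentinel string `SOURCE_BUILD_NO_CHECKSUM_RUST_COMPILATION_TARGET` rather than a digest, so the integrity of this tool rests entirely on `source_info.commit_sha`, which only helps if the fetch code checks out by that hash rather than by the mutable `git_tag`; the consumer of this dict is not in the hunk, so that is worth confirming. A consumer that treats any non-empty `sha256` as a real digest could also silently "verify" the sentinel, so the entry should say what it means, e.g. `# sha256 is a sentinel: no prebuilt artifact exists; integrity comes from source_info.commit_sha`. A source build of `wasmsign2-cli` also pulls its transitive crates, which the commit pin does not cover unless the upstream Cargo.lock is honored or the crates are vendored. `_get_hardcoded_checksums` begins before this hunk.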

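--- a/examples/wasm_signing/BUILD.bazel
+++ b/examples/wasm_signing/BUILD.bazel
@@ -0,0 +1,152 @@
+"""
+WebAssembly Signing Example
+
+This example demonstrates the complete WebAssembly signing workflow using
+wasmsign2 integration, including key generation, component signing, and
+signature verification.
+"""
+
+load("@rules_wasm_component//wit:defs.bzl", "wit_library")
+load("@rules_wasm_component//rust:defs.bzl", "rust_wasm_component_bindgen")
+load("@rules_wasm_component//wasm:defs.bzl", "wasm_keygen", "wasm_sign", "wasm_verify", "wasm_validate")
+
+package(default_visibility = ["//visibility:public"])
+
+# Step 1: Define WIT interfaces
+wit_library(
+name = "example_interfaces",
+package_name = "example:signature",
+srcs = ["wit/example.wit"],
+world = "example-world",
+)
+
+# Step 2: Create a simple WASM component to sign
+rust_wasm_component_bindgen(
+name = "example_component",
+srcs = ["src/lib.rs"],
+wit = ":example_interfaces",
+profiles = ["release"],
+)
+
+# Step 3: Generate signing keys
+wasm_keygen(
+name = "example_keys",
+public_key_name = "example.public",
+secret_key_name = "example.secret",
+openssh_format = True,
+)
+
+# Alternative: Generate compact format keys
+wasm_keygen(
+name = "compact_keys",
+public_key_name = "compact.public",
+secret_key_name = "compact.secret",
+openssh_format = False,
+)
+
+# Step 4: Sign the component with embedded signature
+wasm_sign(
+name = "signed_component_embedded",
+component = ":example_component",
+keys = ":example_keys",
+detached = False,
+)
+
+# Step 5: Sign the component with detached signature
+wasm_sign(
+name = "signed_component_detached",
+component = ":example_component",
+keys = ":compact_keys",
+detached = True,
+)
+
+# Step 6: Verify embedded signature
+wasm_verify(
+name = "verify_embedded",
+signed_component = ":signed_component_embedded",
+keys = ":example_keys",
+)
+
+# Step 7: Verify detached signature
+wasm_verify(
+name = "verify_detached",
+signed_component = ":signed_component_detached",
+keys = ":compact_keys",
+)
+
+# Step 8: Validate with signature verification
+wasm_validate(
+name = "validate_with_signature_check",
+component = ":signed_component_embedded",
+verify_signature = True,
+signing_keys = ":example_keys",
+)
+
+# Step 9: Test different verification methods
+wasm_validate(
+name = "validate_with_public_key",
+component = ":signed_component_embedded",
+verify_signature = True,
+public_key = ":example_keys",
+)
+
+# Step 10: Demonstrate signing a raw WASM file
+wasm_sign(
+name = "signed_raw_wasm",
+wasm_file = ":example_component",
+keys = ":example_keys",
+detached = False,
+)
+
+wasm_verify(
+name = "verify_raw_wasm",
+wasm_file = ":signed_raw_wasm",
+keys = ":example_keys",
+)
+
+# Step 11: Create test targets for the complete workflow
+genrule(
+name = "test_signing_workflow",
+srcs = [
+":verify_embedded",
+":verify_detached",
+":validate_with_signature_check",
+],
+outs = ["signing_test_results.txt"],
+cmd = """
+echo "=== WebAssembly Signing Test Results ===" > $@
+echo "Embedded signature verification: $(if [ -f $(location :verify_embedded) ]; then echo PASSED; else echo FAILED; fi)" >> $@
+echo "Detached signature verification: $(if [ -f $(location :verify_detached) ]; then echo PASSED; else echo FAILED; fi)" >> $@
+echo "Validation with signature check: $(if [ -f $(location :validate_with_signature_check) ]; then echo PASSED; else echo FAILED; fi)" >> $@
+echo "Test completed successfully" >> $@
+""",
+)
+
+# Export files for easy access
+filegroup(
+name = "all_keys",
+srcs = [
+":example_keys",
+":compact_keys",
+],
+)
+
+filegroup(
+name = "all_signed_components",
+srcs = [
+":signed_component_embedded",
+":signed_component_detached",
+":signed_raw_wasm",
+],
+)
+
+filegroup(
+name = "all_verification_results",
+srcs = [
+":verify_embedded",
+":verify_detached",
+":verify_raw_wasm",
+":validate_with_signature_check",
+":test_signing_workflow",
+],
+)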
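Review bot: The two `wasm_keygen` targets materialize `example.secret` and `compact.secret` as ordinary build outputs, and the `all_keys` filegroup re-exports them under the package's `//visibility:public` default, so any target in the workspace can depend on a signing secret; the example should state that build-generated keys are throwaway, e.g. `# NOTE: keys generated here are ephemeral build outputs; real distribution keys must come from outside the build and never be checked in or exported`. Relatedly, `wasm_verify` and `wasm_validate` are handed the whole keygen target (`keys = ":example_keys"`, `signing_keys`, `public_key`) when verification needs only the public key; the rule implementations are not visible here, so it is worth confirming the secret is not propagated into verification actions. In step 11 the genrule `cmd` uses `$(if [ -f ... ]; ...)`, which Bazel parses as a Make-variable reference rather than shell substitution (a literal `$(` needs `$$(`), and even if it expanded the check is vacuous: a genrule only runs after its `srcs` built successfully, so `FAILED` can never print, and `bazel test` never executes a genrule. An `sh_test` whose `data` lists the verification outputs would turn this into a real test.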
