Code signing: sign Linux executables with GPG

strager · strager · commit 4158540a6eb3 · 2021-11-02T20:02:51.000-07:00
Use GnuPG to sign the Linux executables in our release. The signatures
are detached in .asc files, one signature per executable.
diff --git a/dist/certificates/README.md b/dist/certificates/README.md
@@ -11,3 +11,5 @@ documentation](../../docs/CODE_SIGNING.md).
 * `quick-lint-js.cer`: Self-signed certificate (public key). Use this file to
   verify signatures of quick-lint-js on macOS.
   * SHA1: dc4f675b74b3a86c1f59fbdac17538b7d996db99
+* `quick-lint-js.gpg.key`: GPG key (public key). Use this file to verify GPG
+  signatures of quick-lint-js.
diff --git a/dist/certificates/quick-lint-js.gpg.key b/dist/certificates/quick-lint-js.gpg.key
@@ -0,0 +1,49 @@
+pub   rsa3072 2021-01-21 [SC] [expires: 2023-01-21]
+      0327 DE8F 9CEF 4998 51D1  9F6E D20B A9DC CF0E 9D20
+uid           [ultimate] Matthew "strager" Glazar (quick-lint-js signing key) <strager.nds@gmail.com>
+sig!3        D20BA9DCCF0E9D20 2021-01-21  Matthew "strager" Glazar (quick-lint-js signing key) <strager.nds@gmail.com>
+sub   rsa3072 2021-01-21 [E] [expires: 2023-01-21]
+sig!         D20BA9DCCF0E9D20 2021-01-21  Matthew "strager" Glazar (quick-lint-js signing key) <strager.nds@gmail.com>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGAJNzIBDAC3Qod9Nbs6z1Cbt4Rd8+epwWFA1gDSEsdckj7Dk7y2093V+fbo
+k1lyyLqK3zDryUoPL004zMXmqNVSOE406hzcUNER/DOB5gNwVfgfcjY4HNzmTjUn
+NwlY2LsVnFksluzb4Ucrfe5eLyB3T7wOMjq9ZJ+h4IQsNco9nyRnPeatfRLKM0G9
+Q8CEp492U/C4/qMbxxdbOzHw7W5eyUdsGgXIIKHd16xiHOyQm4jCZqeJ2nYZvPvz
++tSgnZbwYwCly4SXQPzytG5hLEBEuZui4IKibyv7bpefh2Ror8dBcsKj4K4WJN25
+8PM6neYM7ez7fW4Nu3ATMdJ5O1YQm0hd/FF5QGqEtouq9g57VVBge8GE5g/JwHCV
+vx85vu1+avfbBj9rVJIMw6uHCIj7so10qdjoe+7zRKjnf/RAyLkQEos5S88TfpUo
+68kgK45Z6EaCJcdSSFOd+i3/t0e3mAZV8vKPpZyi1DB7IJG7QWSkyRwW7v70HIcV
+Xu8tE7mc21GSTAEAEQEAAbRMTWF0dGhldyAic3RyYWdlciIgR2xhemFyIChxdWlj
+ay1saW50LWpzIHNpZ25pbmcga2V5KSA8c3RyYWdlci5uZHNAZ21haWwuY29tPokB
+1AQTAQgAPhYhBAMn3o+c70mYUdGfbtILqdzPDp0gBQJgCTcyAhsDBQkDwmcABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENILqdzPDp0gT4IL/3nA3lBHw1m7GCSz
+jjxclQFqp+1JmOu4stnHYPRhVoUT4Avz+tQ9wSBp5oigSpQc9TBVvUC1BRrHKIG7
+pb53LDWkJDbO91/dEZCDFmcRqjADR7dsPGAX0xkiaOegUsZtbqv+bhmuIzo6GyKU
+SDKbEPHkDXZ3Psytr2ekEl1C5ovvFjFdhbNuHZHINy0tB5tv6m9MIVDaquHlaYsi
+6J2gvDt+NZ4/9WvWpxSc6OvjzbzgaLoVFMu3mBMqQ6CJ32ACYYWryCaCR57PfyVu
+OFSFYJA7gJM09t8OeZ3kVkXApNVelL7Hko4bGeZreocPO1NthrdcBW4O1ZOliw/3
+4+4o8q0Q32EhvgA0iqtESLqvV7peN4VhhVJk5uYGLdYrQqJdi9v56kERT4IOXAIc
+gz3BPBmRKHXHVeAHaK4L51Hu6drAFwBc+Y6W8KV64P2tniJ0JTMXD+/QwCwDzZIO
+Riu7HR4L1jwqw+w8bcwPxflyBejyaezkGKLVF1RoQ0A63GYCVbkBjQRgCTcyAQwA
+vhJ5av8kuf5tCFq5+931yMXU3JOU0FXEVWiiXJ/s5xS3q+n84tMZe1MDxw1VcwJF
+2VgnLOPiXPi8yHvJS+V2IN45OfpHvTAnTHb/dWGUTg3Bhr1k4/xOGwuUX9KWjw6+
+bsN+Yl1lpdMV2/kSddg4f8BwIhVFkMdtgT7jNmlLCdQDgeMm2pD6udnmqLJchbBO
+hqKLKNxIEt3Y5bKAF5Pu4pIDnKye17mzLXVwhgqjtbA/CWZ1qXsrZnzGhI/zz7CM
+DcHd40qnoyNbLiKyUruoQNC5TCRmvgPdlU9L7nl58GZeuv8GF29vMaYq/MU1Mck4
+84+tIoKKehj5IcCefITkROtfbwY8jcJ9MADtOtPx4D4repGc5aTAQpCpveKFA6mO
+9gUJc14H57r94NKUVRJXFlB/6IXm/ufTRZLuardgmCC/Ws2RxDG2s4LPlK/SyjOa
+JAPqt7l1QzGBbYPJRTHgx4EyVVS8j7MItTRm217tBtL4S5vjPbIu36tAqMUv1Qc/
+ABEBAAGJAbwEGAEIACYWIQQDJ96PnO9JmFHRn27SC6nczw6dIAUCYAk3MgIbDAUJ
+A8JnAAAKCRDSC6nczw6dIFErC/9riiYTVPFJzHYWVBkhXfRaMhTdmYbe7RmWtJT3
+fr9wgVJFexw2wxZYRg7E4eGIEZ1LYujjnuwbczEvtztKEQ6GglP6SqYvrfPiWNRO
+OI6NzrivvkD71V3fspMLIIHg1kmQh2q0FDZNK6Gy0sC6yasWrGq4/mICxMa83rrd
+VHWyw72iU+nO3BVuE7MM26FCYG3SkGmhF+fUdgUKDrnsFJ/zH2R9NGA77HGj6YR3
+ben59e4GoYrKcIOyjgHZ6qhUkqhlY/5sB+RAOGtr/NtA2Ot4w1U9PDSzx2qzxiY6
+t7cIRvKGxssBgPfl7sjpy3PyW2xitoeNRuUhVaoBNzs4V11EyMZipInLhlZVHfPa
+5dWbNDzOFzVASQFOTp3u830vBZ38HHmtuRt+Rya7rvrQRxfFNbKaIgUd582vxhjv
+EI35clvarZT6qsbjfKj9+ViBvAbqHKmE3L43Vqcfmj1GDA+i5t2KwXAKW6zYNok9
+wK1pk2CDI9ALK6lAoAcA/gNux5w=
+=l5TX
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/dist/sign-release.go b/dist/sign-release.go
@@ -25,10 +25,15 @@ import _ "embed"
 //go:embed certificates/quick-lint-js.cer
 var AppleCodesignCertificate []byte
 
+//go:embed certificates/quick-lint-js.gpg.key
+var QLJSGPGKey []byte
+
 type SigningStuff struct {
 	AppleCodesignIdentity string // Common Name from the macOS Keychain.
 	Certificate           []byte
 	CertificateSHA1Hash   [20]byte
+	GPGIdentity           string // Fingerprint or email or name.
+	GPGKey                []byte
 	PrivateKeyPKCS12Path  string
 }
 
@@ -39,8 +44,10 @@ func main() {
 
 	var signingStuff SigningStuff
 	signingStuff.Certificate = AppleCodesignCertificate
+	signingStuff.GPGKey = QLJSGPGKey
 
 	flag.StringVar(&signingStuff.AppleCodesignIdentity, "AppleCodesignIdentity", "", "")
+	flag.StringVar(&signingStuff.GPGIdentity, "GPGIdentity", "", "")
 	flag.StringVar(&signingStuff.PrivateKeyPKCS12Path, "PrivateKeyPKCS12", "", "")
 	flag.Parse()
 	if flag.NArg() != 2 {
@@ -92,10 +99,20 @@ type FileTransformType int
 const (
 	NoTransform FileTransformType = iota
 	AppleCodesign
+	GPGSign
 	MicrosoftOsslsigncode
 )
 
 var filesToTransform map[string]map[string]FileTransformType = map[string]map[string]FileTransformType{
+	"manual/linux-aarch64.tar.gz": map[string]FileTransformType{
+		"quick-lint-js/bin/quick-lint-js": GPGSign,
+	},
+	"manual/linux-armhf.tar.gz": map[string]FileTransformType{
+		"quick-lint-js/bin/quick-lint-js": GPGSign,
+	},
+	"manual/linux.tar.gz": map[string]FileTransformType{
+		"quick-lint-js/bin/quick-lint-js": GPGSign,
+	},
 	"manual/macos-aarch64.tar.gz": map[string]FileTransformType{
 		"quick-lint-js/bin/quick-lint-js": AppleCodesign,
 	},
@@ -114,12 +131,18 @@ var filesToTransform map[string]map[string]FileTransformType = map[string]map[st
 	"npm/quick-lint-js-0.5.0.tgz": map[string]FileTransformType{
 		"package/darwin-aarch64/bin/quick-lint-js": AppleCodesign,
 		"package/darwin-x64/bin/quick-lint-js":     AppleCodesign,
+		"package/linux-arm/bin/quick-lint-js":      GPGSign,
+		"package/linux-arm64/bin/quick-lint-js":    GPGSign,
+		"package/linux-x64/bin/quick-lint-js":      GPGSign,
 		"package/win32-arm64/bin/quick-lint-js":    MicrosoftOsslsigncode,
 		"package/win32-x64/bin/quick-lint-js":      MicrosoftOsslsigncode,
 	},
 	"vscode/quick-lint-js-0.5.0.vsix": map[string]FileTransformType{
 		"extension/dist/quick-lint-js-vscode-node_darwin-arm64.node": AppleCodesign,
 		"extension/dist/quick-lint-js-vscode-node_darwin-x64.node":   AppleCodesign,
+		"extension/dist/quick-lint-js-vscode-node_linux-arm.node":    GPGSign,
+		"extension/dist/quick-lint-js-vscode-node_linux-arm64.node":  GPGSign,
+		"extension/dist/quick-lint-js-vscode-node_linux-x64.node":    GPGSign,
 		"extension/dist/quick-lint-js-vscode-node_win32-arm.node":    MicrosoftOsslsigncode,
 		"extension/dist/quick-lint-js-vscode-node_win32-arm64.node":  MicrosoftOsslsigncode,
 		"extension/dist/quick-lint-js-vscode-node_win32-ia32.node":   MicrosoftOsslsigncode,
@@ -195,6 +218,14 @@ type FileTransformResult struct {
 	// If newFile is not nil, Close will delete the file as if by
 	// os.Remove(newFile.Name())
 	newFile *os.File
+
+	// If siblingFile is not nil, then a new file is created named
+	// siblingFileName.
+	//
+	// If siblingFile is not nil, Close will delete the file as if by
+	// os.Remove(siblingFile.Name()).
+	siblingFile     *os.File
+	siblingFileName string
 }
 
 func (self *FileTransformResult) UpdateTarHeader(header *tar.Header) error {
@@ -232,6 +263,12 @@ func (self *FileTransformResult) Close() {
 		os.Remove(self.newFile.Name())
 		self.newFile = nil
 	}
+
+	if self.siblingFile != nil {
+		self.siblingFile.Close()
+		os.Remove(self.siblingFile.Name())
+		self.siblingFile = nil
+	}
 }
 
 func TransformTarGz(
@@ -252,6 +289,14 @@ func TransformTarGz(
 				}
 				return transform, nil
 
+			case GPGSign:
+				log.Printf("signing with GPG: %s:%s\n", sourceFilePath, path)
+				transform, err := GPGSignTransform(path, file, signingStuff)
+				if err != nil {
+					return FileTransformResult{}, err
+				}
+				return transform, nil
+
 			case MicrosoftOsslsigncode:
 				log.Printf("signing with osslsigncode: %s:%s\n", sourceFilePath, path)
 				transform, err := MicrosoftOsslsigncodeTransform(file, signingStuff)
@@ -289,7 +334,16 @@ func TransformTarGzGeneric(
 			return err
 		}
 
-		transformResult, err := transform(header.Name, tarReader)
+		var fileContent bytes.Buffer
+		bytesWritten, err := fileContent.ReadFrom(tarReader)
+		if err != nil {
+			return err
+		}
+		if bytesWritten != header.Size {
+			return fmt.Errorf("failed to read entire file")
+		}
+
+		transformResult, err := transform(header.Name, bytes.NewReader(fileContent.Bytes()))
 		if err != nil {
 			return err
 		}
@@ -298,13 +352,35 @@ func TransformTarGzGeneric(
 		if err := transformResult.UpdateTarHeader(header); err != nil {
 			return err
 		}
-		var file io.Reader = tarReader
+		var file io.Reader = bytes.NewReader(fileContent.Bytes())
 		if transformResult.newFile != nil {
 			file = transformResult.newFile
 		}
 		if err := WriteTarEntry(header, file, tarWriter); err != nil {
 			return err
 		}
+
+		if transformResult.siblingFile != nil {
+			siblingFileStat, err := transformResult.siblingFile.Stat()
+			if err != nil {
+				return err
+			}
+			siblingHeader := tar.Header{
+				Typeflag: tar.TypeReg,
+				Name:     filepath.Join(filepath.Dir(header.Name), transformResult.siblingFileName),
+				Size:     siblingFileStat.Size(),
+				Mode:     header.Mode &^ 0111,
+				Uid:      header.Uid,
+				Gid:      header.Gid,
+				Uname:    header.Uname,
+				Gname:    header.Gname,
+				ModTime:  siblingFileStat.ModTime(),
+				Format:   tar.FormatUSTAR,
+			}
+			if err := WriteTarEntry(&siblingHeader, transformResult.siblingFile, tarWriter); err != nil {
+				return err
+			}
+		}
 	}
 	return nil
 }
@@ -326,6 +402,14 @@ func TransformZip(
 				}
 				return transform, nil
 
+			case GPGSign:
+				log.Printf("signing with GPG: %s:%s\n", sourceFile.Name(), path)
+				transform, err := GPGSignTransform(path, file, signingStuff)
+				if err != nil {
+					return FileTransformResult{}, err
+				}
+				return transform, nil
+
 			case MicrosoftOsslsigncode:
 				log.Printf("signing with osslsigncode: %s:%s\n", sourceFile.Name(), path)
 				transform, err := MicrosoftOsslsigncodeTransform(file, signingStuff)
@@ -397,6 +481,17 @@ func TransformZipGeneric(
 				return err
 			}
 		}
+
+		if transformResult.siblingFile != nil {
+			siblingZIPEntryFile, err := destinationZipFile.Create(filepath.Join(filepath.Dir(zipEntry.Name), transformResult.siblingFileName))
+			if err != nil {
+				return err
+			}
+			_, err = io.Copy(siblingZIPEntryFile, transformResult.siblingFile)
+			if err != nil {
+				return err
+			}
+		}
 	}
 	return nil
 }
@@ -479,6 +574,109 @@ func AppleCodesignVerifyFile(filePath string, signingStuff SigningStuff) error {
 	return nil
 }
 
+// originalPath need not be a path to a real file.
+func GPGSignTransform(originalPath string, exe io.Reader, signingStuff SigningStuff) (FileTransformResult, error) {
+	tempDir, err := ioutil.TempDir("", "quick-lint-js-sign-release")
+	if err != nil {
+		return FileTransformResult{}, err
+	}
+	TempDirs = append(TempDirs, tempDir)
+
+	tempFile, err := os.Create(filepath.Join(tempDir, "data"))
+	if err != nil {
+		return FileTransformResult{}, err
+	}
+	defer os.Remove(tempFile.Name())
+	_, err = io.Copy(tempFile, exe)
+	tempFile.Close()
+	if err != nil {
+		return FileTransformResult{}, err
+	}
+
+	signatureFilePath, err := GPGSignFile(tempFile.Name(), signingStuff)
+	if err != nil {
+		return FileTransformResult{}, err
+	}
+	if err := GPGVerifySignature(tempFile.Name(), signatureFilePath, signingStuff); err != nil {
+		return FileTransformResult{}, err
+	}
+
+	signatureFile, err := os.Open(signatureFilePath)
+	if err != nil {
+		return FileTransformResult{}, err
+	}
+
+	return FileTransformResult{
+		siblingFile:     signatureFile,
+		siblingFileName: filepath.Base(originalPath) + ".asc",
+	}, nil
+}
+
+func GPGSignFile(filePath string, signingStuff SigningStuff) (string, error) {
+	process := exec.Command(
+		"gpg",
+		"--local-user", signingStuff.GPGIdentity,
+		"--armor",
+		"--detach-sign",
+		"--",
+		filePath,
+	)
+	process.Stdout = os.Stdout
+	process.Stderr = os.Stderr
+	if err := process.Start(); err != nil {
+		return "", err
+	}
+	if err := process.Wait(); err != nil {
+		return "", err
+	}
+	return filePath + ".asc", nil
+}
+
+func GPGVerifySignature(filePath string, signatureFilePath string, signingStuff SigningStuff) error {
+	// HACK(strager): Use /tmp instead of the default temp dir. macOS'
+	// default temp dir is so long that it breaks gpg-agent.
+	tempGPGHome, err := ioutil.TempDir("/tmp", "quick-lint-js-sign-release")
+	if err != nil {
+		return err
+	}
+	TempDirs = append(TempDirs, tempGPGHome)
+
+	var env []string
+	env = append([]string{}, os.Environ()...)
+	env = append(env, "GNUPGHOME="+tempGPGHome)
+
+	process := exec.Command("gpg", "--import")
+	keyReader := bytes.NewReader(signingStuff.GPGKey)
+	process.Stdin = keyReader
+	process.Stdout = os.Stdout
+	process.Stderr = os.Stderr
+	process.Env = env
+	if err := process.Start(); err != nil {
+		return err
+	}
+	if err := process.Wait(); err != nil {
+		return err
+	}
+
+	process = exec.Command(
+		"gpg", "--verify",
+		"--",
+		signatureFilePath,
+		filePath,
+	)
+	process.Stdout = os.Stdout
+	process.Stderr = os.Stderr
+	process.Env = env
+	if err := process.Start(); err != nil {
+		return err
+	}
+	if err := process.Wait(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func MicrosoftOsslsigncodeTransform(exe io.Reader, signingStuff SigningStuff) (FileTransformResult, error) {
 	tempDir, err := ioutil.TempDir("", "quick-lint-js-sign-release")
 	if err != nil {
diff --git a/docs/CODE_SIGNING.md b/docs/CODE_SIGNING.md
@@ -13,8 +13,11 @@ In the Keychain Access app, export your code signing certificate (not CA) and
 private key as a .p12 file. Call it
 `dist/certificates/quick-lint-js-PRIVATE.p12`. **Do not commit this file.**
 
+You will also need a GnuPG key. Create the key, then export the public key to
+`dist/certificates/quick-lint-js.gpg.key`.
+
 When you run the `dist/sign-release.go` program, specify
-`-AppleCodesignIdentity COMMON_NAME_OF_YOUR_KEY -PrivateKeyPKCS12 dist/certificates/quick-lint-js-PRIVATE.p12`.
+`-AppleCodesignIdentity COMMON_NAME_OF_YOUR_KEY -GPGIdentity GPG_KEY_FINGERPRINT -PrivateKeyPKCS12 dist/certificates/quick-lint-js-PRIVATE.p12`.
 
 [macos-create-ca]: https://www.simplified.guide/macos/keychain-ca-code-signing-create
 [macos-create-cert]: https://www.simplified.guide/macos/keychain-cert-code-signing-create
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
@@ -33,7 +33,7 @@ Follow the following steps to release a new version of quick-lint-js:
    `rsync -av c.quick-lint-js.com:/var/www/c.quick-lint-js.com/builds/$YOUR_COMMIT_HASH/ builds/`
 
 7. Sign the build artifacts:
-   `go run dist/sign-releases.go -AppleCodesignIdentity=quick-lint-js -PrivateKeyPKCS12=dist/certificates/quick-lint-js-PRIVATE.p12 builds/ signed-builds/`
+   `go run dist/sign-releases.go -AppleCodesignIdentity=quick-lint-js -GPGIdentity=0327DE8F9CEF499851D19F6ED20BA9DCCF0E9D20 -PrivateKeyPKCS12=dist/certificates/quick-lint-js-PRIVATE.p12 builds/ signed-builds/`
    * **Warning**: This signing command only works on macOS hosts.
 
 8. Upload the signed build artifacts to the artifact server:
