Skip to content

Support signature verification (minisign)#237

Merged
taiki-e merged 1 commit intomainfrom
minisign-binstall
Sep 28, 2023
Merged

Support signature verification (minisign)#237
taiki-e merged 1 commit intomainfrom
minisign-binstall

Conversation

@taiki-e
Copy link
Owner

@taiki-e taiki-e commented Sep 27, 2023
edited
Loading

This supports signature verification for the following format:

algorithm: minisign
public key: package.metadata.binstall.signing.pubkey at Cargo.toml

This is the format that cargo-binstall supports: https://github.com/cargo-bins/cargo-binstall/blob/HEAD/SIGNING.md

It should be easy to support public key in other places, but I support only what we need for now.

The implementation is basically the same as that described in #228 (comment).

We can extend the codegen to ensure that the hash in the generated manifest is the same as that obtained from the signed archive or indicated in the signed checksum file. This allows signature verification to be performed without additional cost at the time of execution of the action.

AFAIK, currently, there are no tools other than cargo-binstall that distribute signed archives in the tools we support.

@taiki-e taiki-e requested a review from NobodyXu September 27, 2023 13:16
@taiki-e taiki-e force-pushed the minisign-binstall branch 3 times, most recently from bd10fae to 5f9243b Compare September 27, 2023 13:42
@taiki-e
Copy link
Owner Author

taiki-e commented Sep 27, 2023

https://github.com/taiki-e/install-action/actions/runs/6326816086/job/17181208549

downloading releases of https://github.com/cargo-bins/cargo-binstall from https://api.github.com/repos/cargo-bins/cargo-binstall/releases
downloading crate info from https://crates.io/api/v1/crates/cargo-binstall
update manifest for versions '=1.4.1'
downloading https://github.com/cargo-bins/cargo-binstall/releases/download/v1.4.1/cargo-binstall-x86_64-unknown-linux-musl.tgz for checksum ... download complete
getting sha256 hash for https://github.com/cargo-bins/cargo-binstall/releases/download/v1.4.1/cargo-binstall-x86_64-unknown-linux-musl.tgz
382c45dfbdbcaee37f10cb37d6e519c75d174622cab9e287521eaa3b5f71e162 *cargo-binstall-x86_64-unknown-linux-musl.tgz
downloading https://github.com/cargo-bins/cargo-binstall/releases/download/v1.4.1/cargo-binstall-x86_64-unknown-linux-musl.tgz.sig for signature validation ... download complete
downloading https://crates.io/api/v1/crates/cargo-binstall/1.4.1/download for signature verification ... download complete
algorithm: minisign
pubkey: RWQuEpy2Ocjox5ppbdesj/VYAKvGyXITtw8OelPN1xY40izwAG/wSMvg
verifying signature for https://github.com/cargo-bins/cargo-binstall/releases/download/v1.4.1/cargo-binstall-x86_64-unknown-linux-musl.tgz ... done

@taiki-e taiki-e enabled auto-merge (rebase) September 27, 2023 15:20
NobodyXu
NobodyXu previously approved these changes Sep 27, 2023
View reviewed changes
@taiki-e taiki-e disabled auto-merge September 28, 2023 02:49
@taiki-e taiki-e merged commit b30758c into main Sep 28, 2023
@taiki-e taiki-e deleted the minisign-binstall branch September 28, 2023 03:01
This was referenced Mar 20, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NobodyXu NobodyXu NobodyXu left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@taiki-e @NobodyXu