Add sign command (#66)

casey · web-flow · commit 1bafb0cf60e6 · 2024-10-09T23:32:58.000Z
diff --git a/bin/version b/bin/version
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+sed -En 's/version[[:space:]]*=[[:space:]]*"([^"]+)"/\1/p' Cargo.toml | head -1
diff --git a/justfile b/justfile
@@ -38,7 +38,7 @@ publish: tmp
   set -euxo pipefail
   git clone git@github.com:casey/filepack.git tmp
   cd tmp
-  VERSION=`sed -En 's/version[[:space:]]*=[[:space:]]*"([^"]+)"/\1/p' Cargo.toml | head -1`
+  VERSION=`bin/version`
   git tag -a $VERSION -m "Release $VERSION"
   git push origin $VERSION
   cargo publish
@@ -74,13 +74,34 @@ test-progress-bar: tmp
   cargo run --release create tmp
   rm tmp/data*
 
-download-release: tmp
-  #!/usr/bin/env bash
-  VERSION=`sed -En 's/version[[:space:]]*=[[:space:]]*"([^"]+)"/\1/p' Cargo.toml | head -1`
-  cd tmp
-  cargo run download --github-release casey/filepack/$VERSION
-
 check-error-variant-order: tmp
   cat src/error.rs | rg '^  ([A-Z].*) \{' -or '$1' > tmp/original.txt
   sort tmp/original.txt > tmp/sorted.txt
   diff tmp/{original,sorted}.txt
+
+sign-release: tmp
+  #!/usr/bin/env bash
+  set -euxo pipefail
+  VERSION=`bin/version`
+  gh release download \
+    --repo casey/filepack \
+    --pattern filepack.json \
+    --dir tmp \
+    $VERSION
+  cargo run sign tmp/filepack.json
+  gh release upload \
+    --clobber \
+    --repo casey/filepack \
+    $VERSION \
+    tmp/filepack.json
+
+verify-release: tmp
+  #!/usr/bin/env bash
+  set -euxo pipefail
+  VERSION=`bin/version`
+  gh release download \
+    --repo casey/filepack \
+    --pattern '*' \
+    --dir tmp \
+    $VERSION
+  cargo run verify tmp --key `cargo run key`
diff --git a/src/error.rs b/src/error.rs
@@ -129,6 +129,11 @@ pub(crate) enum Error {
   },
   #[snafu(display("root hash mismatch"))]
   RootHashMismatch { backtrace: Option<Backtrace> },
+  #[snafu(display("manifest has already been signed by public key `{public_key}`"))]
+  SignatureAlreadyExists {
+    backtrace: Option<Backtrace>,
+    public_key: PublicKey,
+  },
   #[snafu(display("invalid signature for public key `{public_key}`"))]
   SignatureInvalid {
     backtrace: Option<Backtrace>,
diff --git a/src/manifest.rs b/src/manifest.rs
@@ -24,6 +24,10 @@ impl Manifest {
 
     hasher.finalize().into()
   }
+
+  pub(crate) fn to_json(&self) -> String {
+    serde_json::to_string(self).unwrap()
+  }
 }
 
 #[cfg(test)]
diff --git a/src/metadata.rs b/src/metadata.rs
@@ -8,6 +8,10 @@ pub(crate) struct Metadata {
 
 impl Metadata {
   pub(crate) const FILENAME: &'static str = "metadata.json";
+
+  pub(crate) fn to_json(&self) -> String {
+    serde_json::to_string(self).unwrap()
+  }
 }
 
 impl From<Template> for Metadata {
diff --git a/src/private_key.rs b/src/private_key.rs
@@ -52,6 +52,14 @@ impl PrivateKey {
     Ok(private_key)
   }
 
+  pub(crate) fn load_and_sign(path: &Utf8Path, message: &[u8]) -> Result<(PublicKey, Signature)> {
+    let private_key = Self::load(path)?;
+
+    let signature = private_key.sign(message);
+
+    Ok((private_key.public_key(), signature))
+  }
+
   pub(crate) fn public_key(&self) -> PublicKey {
     self.clone().into()
   }
diff --git a/src/public_key.rs b/src/public_key.rs
@@ -42,11 +42,14 @@ impl PublicKey {
     Ok(public_key)
   }
 
-  pub(crate) fn verify(&self, message: &[u8], signature: &Signature) -> Result<(), SignatureError> {
+  pub(crate) fn verify(&self, message: &[u8], signature: &Signature) -> Result<()> {
     self
       .0
       .verify_strict(message, signature.as_ref())
       .map_err(SignatureError)
+      .context(error::SignatureInvalid {
+        public_key: self.clone(),
+      })
   }
 }
 
diff --git a/src/subcommand.rs b/src/subcommand.rs
@@ -11,6 +11,7 @@ mod hash;
 mod key;
 mod keygen;
 mod man;
+mod sign;
 mod verify;
 
 #[derive(Parser)]
@@ -34,6 +35,8 @@ pub(crate) enum Subcommand {
   Keygen,
   #[command(about = "Print man page")]
   Man,
+  #[command(about = "Add signature to manifest")]
+  Sign(sign::Sign),
   #[command(about = "Verify manifest")]
   Verify(verify::Verify),
 }
@@ -46,6 +49,7 @@ impl Subcommand {
       Self::Key => key::run(options),
       Self::Keygen => keygen::run(options),
       Self::Man => man::run(),
+      Self::Sign(sign) => sign.run(options),
       Self::Verify(verify) => verify.run(options),
     }
   }
diff --git a/src/subcommand/create.rs b/src/subcommand/create.rs
@@ -41,7 +41,7 @@ impl Create {
         error::MetadataAlreadyExists { path: &path },
       }
       let metadata = Metadata::from(template);
-      let json = serde_json::to_string(&metadata).unwrap();
+      let json = metadata.to_json();
       fs::write(&path, json).context(error::Io { path: &path })?;
     }
 
@@ -181,18 +181,13 @@ impl Create {
     if self.sign {
       let private_key_path = options.key_dir()?.join(MASTER_PRIVATE_KEY);
 
-      let private_key = PrivateKey::load(&private_key_path)?;
-
-      let signature = private_key.sign(manifest.root_hash().as_bytes());
-
-      let public_key = private_key.public_key();
+      let (public_key, signature) =
+        PrivateKey::load_and_sign(&private_key_path, manifest.root_hash().as_bytes())?;
 
       manifest.signatures.insert(public_key, signature);
     }
 
-    let json = serde_json::to_string(&manifest).unwrap();
-
-    fs::write(&manifest_path, &json).context(error::Io {
+    fs::write(&manifest_path, manifest.to_json()).context(error::Io {
       path: manifest_path,
     })?;
 
diff --git a/src/subcommand/hash.rs b/src/subcommand/hash.rs
@@ -2,13 +2,13 @@ use super::*;
 
 #[derive(Parser)]
 pub(crate) struct Hash {
-  #[arg(help = "Hash file at <PATH>, defaulting to standard input")]
-  path: Option<Utf8PathBuf>,
+  #[arg(help = "Hash <FILE>, defaulting to standard input")]
+  file: Option<Utf8PathBuf>,
 }
 
 impl Hash {
   pub(crate) fn run(self, options: Options) -> Result {
-    let hash = if let Some(path) = self.path {
+    let hash = if let Some(path) = self.file {
       options.hash_file(&path).context(error::Io { path })?.hash
     } else {
       let mut hasher = Hasher::new();
diff --git a/src/subcommand/key.rs b/src/subcommand/key.rs
@@ -5,14 +5,16 @@ pub(crate) fn run(options: Options) -> Result {
 
   let public_key = PublicKey::load(&key_dir.join(MASTER_PUBLIC_KEY))?;
 
-  let private_key = PrivateKey::load(&key_dir.join(MASTER_PRIVATE_KEY))?;
+  {
+    let private_key = PrivateKey::load(&key_dir.join(MASTER_PRIVATE_KEY))?;
 
-  ensure! {
-    private_key.public_key() == public_key,
-    error::KeyMismatch {
-      public_key: MASTER_PUBLIC_KEY,
-      private_key: MASTER_PRIVATE_KEY,
-    },
+    ensure! {
+      private_key.public_key() == public_key,
+      error::KeyMismatch {
+        public_key: MASTER_PUBLIC_KEY,
+        private_key: MASTER_PRIVATE_KEY,
+      },
+    }
   }
 
   println!("{public_key}");
diff --git a/src/subcommand/sign.rs b/src/subcommand/sign.rs
@@ -0,0 +1,50 @@
+use super::*;
+
+#[derive(Parser)]
+pub(crate) struct Sign {
+  #[arg(help = "Allow overwriting signature", long)]
+  force: bool,
+  #[arg(help = "Sign <MANIFEST>")]
+  manifest: Utf8PathBuf,
+}
+
+impl Sign {
+  pub(crate) fn run(self, options: Options) -> Result {
+    let json = fs::read_to_string(&self.manifest).context(error::Io {
+      path: &self.manifest,
+    })?;
+
+    let mut manifest =
+      serde_json::from_str::<Manifest>(&json).context(error::DeserializeManifest {
+        path: &self.manifest,
+      })?;
+
+    let root_hash = manifest.root_hash();
+
+    for (public_key, signature) in &manifest.signatures {
+      public_key.verify(root_hash.as_bytes(), signature)?;
+    }
+
+    if !self.force {
+      let public_key_path = options.key_dir()?.join(MASTER_PUBLIC_KEY);
+      let public_key = PublicKey::load(&public_key_path)?;
+      ensure! {
+        !manifest.signatures.contains_key(&public_key),
+        error::SignatureAlreadyExists { public_key },
+      }
+    }
+
+    let private_key_path = options.key_dir()?.join(MASTER_PRIVATE_KEY);
+
+    let (public_key, signature) =
+      PrivateKey::load_and_sign(&private_key_path, root_hash.as_bytes())?;
+
+    manifest.signatures.insert(public_key, signature);
+
+    fs::write(&self.manifest, manifest.to_json()).context(error::Io {
+      path: &self.manifest,
+    })?;
+
+    Ok(())
+  }
+}
diff --git a/src/subcommand/verify.rs b/src/subcommand/verify.rs
@@ -177,11 +177,7 @@ mismatched file: `{path}`
     }
 
     for (public_key, signature) in &manifest.signatures {
-      public_key
-        .verify(root_hash.as_bytes(), signature)
-        .context(error::SignatureInvalid {
-          public_key: public_key.clone(),
-        })?;
+      public_key.verify(root_hash.as_bytes(), signature)?;
     }
 
     if let Some(key) = self.key {
diff --git a/tests/create.rs b/tests/create.rs
@@ -574,10 +574,7 @@ fn sign_creates_valid_signature() {
 
   let manifest = Manifest::load(&dir.child("foo/filepack.json"));
 
-  let public_key = fs::read_to_string(dir.child("keys/master.public"))
-    .unwrap()
-    .trim()
-    .to_owned();
+  let public_key = load_key(&dir.child("keys/master.public"));
 
   assert_eq!(manifest.signatures.len(), 1);
 
diff --git a/tests/keygen.rs b/tests/keygen.rs
@@ -21,18 +21,12 @@ fn keygen_generates_master_key_by_default() {
   private.assert(is_match("[0-9a-f]{64}\n"));
 
   let public = ed25519_dalek::VerifyingKey::from_bytes(
-    &hex::decode(fs::read_to_string(public).unwrap().trim())
-      .unwrap()
-      .try_into()
-      .unwrap(),
+    &hex::decode(load_key(&public)).unwrap().try_into().unwrap(),
   )
   .unwrap();
 
   let private = ed25519_dalek::SigningKey::from_bytes(
-    &hex::decode(fs::read_to_string(private).unwrap().trim())
-      .unwrap()
-      .try_into()
-      .unwrap(),
+    &hex::decode(load_key(&private)).unwrap().try_into().unwrap(),
   );
 
   assert!(!public.is_weak());
diff --git a/tests/lib.rs b/tests/lib.rs
@@ -19,6 +19,10 @@ where
   predicates::prelude::predicate::str::is_match(format!("^(?s){}$", pattern.as_ref())).unwrap()
 }
 
+fn load_key(path: &Path) -> String {
+  fs::read_to_string(path).unwrap().trim().into()
+}
+
 #[derive(Deserialize, Serialize)]
 struct Manifest {
   #[serde(default, skip_serializing_if = "BTreeMap::is_empty")]
@@ -49,4 +53,5 @@ mod key;
 mod keygen;
 mod man;
 mod misc;
+mod sign;
 mod verify;
diff --git a/tests/sign.rs b/tests/sign.rs
diff --git a/tests/verify.rs b/tests/verify.rs

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,10 @@ impl Manifest {`
`24`	`24`
`25`	`25`	`hasher.finalize().into()`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+ pub(crate) fn to_json(&self) -> String {`
	`29`	`+ serde_json::to_string(self).unwrap()`
	`30`	`+ }`
`27`	`31`	`}`
`28`	`32`
`29`	`33`	`#[cfg(test)]`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,10 @@ pub(crate) struct Metadata {`
`8`	`8`
`9`	`9`	`impl Metadata {`
`10`	`10`	`pub(crate) const FILENAME: &'static str = "metadata.json";`
	`11`	`+`
	`12`	`+ pub(crate) fn to_json(&self) -> String {`
	`13`	`+ serde_json::to_string(self).unwrap()`
	`14`	`+ }`
`11`	`15`	`}`
`12`	`16`
`13`	`17`	`impl From<Template> for Metadata {`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,14 @@ impl PrivateKey {`
`52`	`52`	`Ok(private_key)`
`53`	`53`	`}`
`54`	`54`
	`55`	`+ pub(crate) fn load_and_sign(path: &Utf8Path, message: &[u8]) -> Result<(PublicKey, Signature)> {`
	`56`	`+ let private_key = Self::load(path)?;`
	`57`	`+`
	`58`	`+ let signature = private_key.sign(message);`
	`59`	`+`
	`60`	`+ Ok((private_key.public_key(), signature))`
	`61`	`+ }`
	`62`	`+`
`55`	`63`	`pub(crate) fn public_key(&self) -> PublicKey {`
`56`	`64`	`self.clone().into()`
`57`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,11 +42,14 @@ impl PublicKey {`
`42`	`42`	`Ok(public_key)`
`43`	`43`	`}`
`44`	`44`
`45`		`- pub(crate) fn verify(&self, message: &[u8], signature: &Signature) -> Result<(), SignatureError> {`
	`45`	`+ pub(crate) fn verify(&self, message: &[u8], signature: &Signature) -> Result<()> {`
`46`	`46`	`self`
`47`	`47`	`.0`
`48`	`48`	`.verify_strict(message, signature.as_ref())`
`49`	`49`	`.map_err(SignatureError)`
	`50`	`+ .context(error::SignatureInvalid {`
	`51`	`+ public_key: self.clone(),`
	`52`	`+ })`
`50`	`53`	`}`
`51`	`54`	`}`
`52`	`55`