As part of the container image we also ship a detached GPG signature for the bundle; this PR verifies that signature against the bundle to make sure the bundle comes from us.
1 parent
14f57d6
commit 3eeb176
Showing
64 changed files
with
12,365 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
package gpg | ||
|
||
import ( | ||
"bytes" | ||
"errors" | ||
"fmt" | ||
"io" | ||
"os" | ||
|
||
"github.com/ProtonMail/go-crypto/openpgp" | ||
"github.com/ProtonMail/go-crypto/openpgp/armor" | ||
"github.com/ProtonMail/go-crypto/openpgp/packet" | ||
"github.com/code-ready/crc/pkg/crc/constants" | ||
) | ||
|
||
func readSignature(signatureFilePath string) (*packet.Signature, error) { | ||
sigFile, err := os.Open(signatureFilePath) | ||
if err != nil { | ||
return nil, err | ||
} | ||
sigFileBlock, err := armor.Decode(sigFile) | ||
if err != nil { | ||
sigFile.Close() | ||
return nil, fmt.Errorf("error decoding signature file: %w", err) | ||
} | ||
if sigFileBlock.Type != openpgp.SignatureType { | ||
sigFile.Close() | ||
return nil, errors.New("not an armored signature") | ||
} | ||
|
||
sigFileBody, err := packet.Read(sigFileBlock.Body) | ||
if err != nil { | ||
sigFile.Close() | ||
return nil, fmt.Errorf("error reading signature file: %w", err) | ||
} | ||
signature, ok := sigFileBody.(*packet.Signature) | ||
if !ok { | ||
sigFile.Close() | ||
return nil, errors.New("not a valid signature file") | ||
} | ||
return signature, sigFile.Close() | ||
} | ||
|
||
func getPublicKey() (*packet.PublicKey, error) { | ||
pubKeyBlock, err := armor.Decode(bytes.NewReader([]byte(constants.GPGPublicKey))) | ||
if err != nil { | ||
return nil, fmt.Errorf("error decoding public key: %s", err) | ||
} | ||
if pubKeyBlock.Type != openpgp.PublicKeyType { | ||
return nil, errors.New("not an armored public key") | ||
} | ||
|
||
pubKeyBody, err := packet.Read(pubKeyBlock.Body) | ||
if err != nil { | ||
return nil, fmt.Errorf("error reading public key: %s", err) | ||
} | ||
|
||
// Was it really a public key file ? If yes, get the PublicKey | ||
publicKey, ok := pubKeyBody.(*packet.PublicKey) | ||
if !ok { | ||
return nil, errors.New("invalid public key") | ||
} | ||
return publicKey, nil | ||
} | ||
|
||
func Verify(filePath, signatureFilePath string) error { | ||
f, err := os.Open(filePath) | ||
if err != nil { | ||
return err | ||
} | ||
defer func() { | ||
if err := f.Close(); err != nil { | ||
panic(err) | ||
} | ||
}() | ||
|
||
signature, err := readSignature(signatureFilePath) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
publicKey, err := getPublicKey() | ||
if err != nil { | ||
return err | ||
} | ||
|
||
// Get the hash method used for the signature | ||
hash := signature.Hash.New() | ||
_, err = io.Copy(hash, f) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
// Check the signature | ||
return publicKey.VerifySignature(hash, signature) | ||
} |
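Review bot: `Verify` takes the digest algorithm from the untrusted signature file (`signature.Hash.New()`) and then calls the low-level `publicKey.VerifySignature` against the first packet of the embedded key, so it bypasses the checks the package's keyring API is meant to apply. `crypto.Hash.New` panics when the requested hash is not linked into the binary, so a malformed or crafted signature file can crash the caller instead of returning an error; at minimum guard it with `signature.Hash.Available()`. Because `getPublicKey` parses only the primary key packet, a bundle signed with a signing subkey would not verify, and as far as this file shows nothing checks key expiry or revocation, or the signature type. Consider loading the key with `openpgp.ReadArmoredKeyRing` and verifying with `openpgp.CheckArmoredDetachedSignature`, as sketched below. The deferred `panic(err)` on `f.Close()` is also harsh for a file opened read-only; returning or ignoring that error would be safer in library code.

```go
func Verify(filePath, signatureFilePath string) error {
	// … unchanged: open filePath as f …

	sigFile, err := os.Open(signatureFilePath)
	if err != nil {
		return err
	}
	defer sigFile.Close()

	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewReader([]byte(constants.GPGPublicKey)))
	if err != nil {
		return fmt.Errorf("error reading public key: %w", err)
	}

	// The keyring API resolves the signing key (including subkeys) from the
	// signature's issuer and returns an error for unsupported hash algorithms.
	if _, err := openpgp.CheckArmoredDetachedSignature(keyring, f, sigFile, nil); err != nil {
		return fmt.Errorf("bundle signature verification failed: %w", err)
	}
	return nil
}
```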