From 818ba935a4d35cbb7d80e3ab4074e31665ad7340 Mon Sep 17 00:00:00 2001 From: Jeff Dickey <216188+jdx@users.noreply.github.com> Date: Wed, 8 Nov 2023 10:40:10 -0600 Subject: [PATCH] zipsign --- .github/workflows/rtx.yml | 14 +++- Cargo.lock | 149 +++++++++++++++++++++++++++++++++++++- Cargo.toml | 16 +++- deny.toml | 10 ++- scripts/build-tarball.sh | 5 ++ scripts/setup-zipsign.sh | 11 +++ src/cli/self_update.rs | 18 ++++- zipsign.pub | 1 + 8 files changed, 215 insertions(+), 9 deletions(-) create mode 100755 scripts/setup-zipsign.sh create mode 100644 zipsign.pub diff --git a/.github/workflows/rtx.yml b/.github/workflows/rtx.yml index 69fc24e25c..9ed89121c1 100644 --- a/.github/workflows/rtx.yml +++ b/.github/workflows/rtx.yml @@ -3,7 +3,7 @@ name: rtx on: push: tags: ["v*"] - branches: ["main"] + branches: ["zipsign"] pull_request: branches: ["main"] # Allows you to run this workflow manually from the Actions tab @@ -56,6 +56,12 @@ jobs: - uses: taiki-e/install-action@cargo-llvm-cov - name: Install zsh/fish/direnv run: sudo apt-get update; sudo apt-get install zsh fish direnv + - uses: shimataro/ssh-key-action@v2 + with: + key: ${{ secrets.RTX_SSH_KEY }} + known_hosts: ${{ secrets.RTX_KNOWN_HOSTS_AUR }} + - run: | + ls -l ~/.ssh - name: Install just uses: taiki-e/install-action@just - name: Run tests with coverage @@ -94,6 +100,9 @@ jobs: shared-key: "build-linux-${{matrix.target}}" save-if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} - uses: taiki-e/install-action@cross + - run: scripts/setup-zipsign.sh + env: + ZIPSIGN: ${{ secrets.ZIPSIGN }} - run: scripts/build-tarball.sh rtx --release --features openssl/vendored,self_update --target ${{matrix.target}} env: CROSS: "1" 
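Review bot: Replacing `branches: ["main"]` with `branches: ["zipsign"]` in the push trigger stops the workflow from running on pushes to main, while the `save-if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}` conditions further down still key on main, so cache saving would never fire either. This reads as a temporary change to exercise the new signing steps on a feature branch; restore `branches: ["main"]` before merge, or list `zipsign` alongside `main` rather than replacing it.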
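Review bot: The test job now installs a private SSH key from `secrets.RTX_SSH_KEY` (with AUR known_hosts) and follows it with `ls -l ~/.ssh`, but nothing else in this hunk uses the key, and the `ls` step reads as leftover debugging output. The test job also runs on `pull_request`, so for same-repo PRs a deploy key would be present on a runner that executes arbitrary test code and third-party plugins; if the key is intended for an AUR publish step, move the `ssh-key-action` step to that job and drop the `ls -l ~/.ssh` step. The enclosing job definition starts outside this hunk.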
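Review bot: `scripts/setup-zipsign.sh` decodes the release signing key to `~/.zipsign/rtx.priv` before `build-tarball.sh` runs the `cross` build, so the private key sits on disk for the entire compile, during which every dependency's build script (including the vendored OpenSSL build) executes; whether the cross container can see the runner's home directory is not visible here, but for the non-cross build job the exposure is direct. Consider decoding the key only after the build, immediately before `zipsign sign`, and removing it in an `if: always()` cleanup step (`rm -f ~/.zipsign/rtx.priv`) so a compromised build dependency cannot exfiltrate the release signing key.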
@@ -126,6 +135,9 @@ jobs: with: key: "${{matrix.target}}" save-if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} + - run: scripts/setup-zipsign.sh + env: + ZIPSIGN: ${{ secrets.ZIPSIGN }} - run: scripts/build-tarball.sh rtx --release --features openssl/vendored,self_update --target ${{matrix.target}} - run: scripts/build-tarball.sh rtx-nonup --release --features openssl/vendored --target ${{matrix.target}} - uses: actions/upload-artifact@v3 diff --git a/Cargo.lock b/Cargo.lock index 10e2dcc034..9aef3b24e0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -129,6 +129,12 @@ version = "0.21.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "35636a1494ede3b646cc98f74f8e62c773a38a659ebc777a2cf26b9b74171df9" +[[package]] +name = "base64ct" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b" + [[package]] name = "bitflags" version = "1.3.2" @@ -342,6 +348,12 @@ dependencies = [ "windows-sys 0.45.0", ] +[[package]] +name = "const-oid" +version = "0.9.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28c122c3980598d243d63d9a704629a2d748d101f278052ff068be5a4423ab6f" + [[package]] name = "core-foundation" version = "0.9.3" 
@@ -439,6 +451,44 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "curve25519-dalek" +version = "4.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e89b8c6a2e4b1f45971ad09761aafb85514a84744b67a95e32c3cc1352d1f65c" +dependencies = [ + "cfg-if", + "cpufeatures", + "curve25519-dalek-derive", + "digest", + "fiat-crypto", + "platforms", + "rustc_version", + "subtle", + "zeroize", +] + +[[package]] +name = "curve25519-dalek-derive" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.39", +] + +[[package]] +name = "der" +version = "0.7.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fffa369a668c8af7dbf8b5e56c9f744fbd399949ed171606040001947de40b1c" +dependencies = [ + "const-oid", + "zeroize", +] + [[package]] name = "deranged" version = "0.3.9" @@ -516,6 +566,30 @@ dependencies = [ "shared_child", ] +[[package]] +name = "ed25519" +version = "2.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53" +dependencies = [ + "pkcs8", + "signature", +] + +[[package]] +name = "ed25519-dalek" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7277392b266383ef8396db7fdeb1e77b6c52fed775f5df15bb24f35b72156980" +dependencies = [ + "curve25519-dalek", + "ed25519", + "serde", + "sha2", + "signature", + "zeroize", +] + [[package]] name = "either" version = "1.9.0" 
@@ -609,6 +683,12 @@ version = "2.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" +[[package]] +name = "fiat-crypto" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a481586acf778f1b1455424c343f71124b048ffa5f4fc3f8f6ae9dc432dcb3c7" + [[package]] name = "filetime" version = "0.2.22" @@ -1422,12 +1502,28 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "pkcs8" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" +dependencies = [ + "der", + "spki", +] + [[package]] name = "pkg-config" version = "0.3.27" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" +[[package]] +name = "platforms" +version = "3.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "14e6ab3f592e6fb464fc9712d8d6e6912de6473954635fd76a589d832cffcbb0" + [[package]] name = "portable-atomic" version = "1.5.1" @@ -1743,6 +1839,15 @@ version = "0.1.23" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76" +[[package]] +name = "rustc_version" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" +dependencies = [ + "semver", +] + [[package]] name = "rustix" version = "0.38.21" 
@@ -1875,10 +1980,12 @@ dependencies = [ [[package]] name = "self_update" -version = "0.38.0" +version = "0.39.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b3c585a1ced6b97ac13bd5e56f66559e5a75f477da5913f70df98e114518446" +checksum = "1a34ad8e4a86884ab42e9b8690e9343abdcfe5fa38a0318cfe1565ba9ad437b4" dependencies = [ + "either", + "flate2", "hyper", "indicatif", "log", @@ -1888,8 +1995,10 @@ dependencies = [ "self-replace", "semver", "serde_json", + "tar", "tempfile", "urlencoding", + "zipsign-api", ] [[package]] @@ -1992,6 +2101,15 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "24188a676b6ae68c3b2cb3a01be17fbf7240ce009799bb56d5b1409051e78fde" +[[package]] +name = "signature" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8fe458c98333f9c8152221191a77e2a44e8325d0193484af2e9421a53019e57d" +dependencies = [ + "digest", +] + [[package]] name = "similar" version = "2.3.0" @@ -2044,12 +2162,28 @@ version = "0.9.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" +[[package]] +name = "spki" +version = "0.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d1e996ef02c474957d681f1b05213dfb0abab947b446a62d37770b23500184a" +dependencies = [ + "base64ct", + "der", +] + [[package]] name = "strsim" version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "subtle" +version = "2.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc" + [[package]] name = "syn" version = "1.0.109" 
@@ -2864,3 +2998,14 @@ name = "zeroize" version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2a0956f1ba7c7909bfb66c2e9e4124ab6f6482560f6628b5aaeba39207c9aad9" + +[[package]] +name = "zipsign-api" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2ba5aa1827d6b1a35a29b3413ec69ce5f796e4d897e3e5b38f461bef41d225ea" +dependencies = [ + "base64", + "ed25519-dalek", + "thiserror", +] diff --git a/Cargo.toml b/Cargo.toml index e561025d2e..daff7ea012 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -11,7 +11,15 @@ readme = "README.md" license = "MIT" keywords = ["rtx"] categories = ["command-line-utilities"] -include = ["src/**/*.rs", "src/plugins/core/assets/**", "/build.rs", "/LICENSE", "/README.md", "/Cargo.lock"] +include = [ + "src/**/*.rs", + "src/plugins/core/assets/**", + "/Cargo.lock", + "/LICENSE", + "/README.md", + "/build.rs", + "/zipsign.pub", +] rust-version = "1.65.0" build = "build.rs" @@ -73,7 +81,11 @@ reqwest = { version = "0.11.17", default-features = false, features = [ "gzip", ] } rmp-serde = "1.1.2" -self_update = { version = "0.38.0", default-features = false, optional = true } +self_update = { version = "<1", default-features = false, optional = true, features = [ + "archive-tar", + "compression-flate2", + "signatures", +] } serde = "1.0" serde_derive = "1.0" serde_json = "1.0" diff --git a/deny.toml b/deny.toml index 310d0c027c..2bbe8fe0fe 100644 --- a/deny.toml +++ b/deny.toml 
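Review bot: `self_update` goes from the pinned `0.38.0` to `version = "<1"`, which lets any future `cargo update` pull in any 0.x release of the crate that performs update signature verification; for a pre-1.0 crate every minor bump may change behavior or API. Pin to the release that carries the `signatures` feature instead, e.g. `self_update = { version = "0.39", default-features = false, optional = true, features = ["archive-tar", "compression-flate2", "signatures"] }` — Cargo.lock in this same commit resolves to 0.39.0.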
@@ -101,7 +101,15 @@ unlicensed = "deny" # List of explicitly allowed licenses # See https://spdx.org/licenses/ for list of possible licenses # [possible values: any SPDX 3.11 short identifier (+ optional exception)]. -allow = ["MIT", "ISC", "Apache-2.0", "Unicode-DFS-2016", "BSD-3-Clause", "OpenSSL"] +allow = [ + "MIT", + "ISC", + "Apache-2.0", + "Apache-2.0 WITH LLVM-exception", + "Unicode-DFS-2016", + "BSD-3-Clause", + "OpenSSL", +] # List of explicitly disallowed licenses # See https://spdx.org/licenses/ for list of possible licenses # [possible values: any SPDX 3.11 short identifier (+ optional exception)]. diff --git a/scripts/build-tarball.sh b/scripts/build-tarball.sh index d325276881..24f96882a7 100755 --- a/scripts/build-tarball.sh +++ b/scripts/build-tarball.sh @@ -75,4 +75,9 @@ cd dist tar -cJf "$BASENAME.tar.xz" rtx tar -czf "$BASENAME.tar.gz" rtx +if [ -f ~/.zipsign/rtx.priv ]; then + zipsign sign tar "$BASENAME.tar.gz" ~/.zipsign/rtx.priv + zipsign verify tar "$BASENAME.tar.gz" ../zipsign.pub +fi + ls -oh "$BASENAME.tar.xz" diff --git a/scripts/setup-zipsign.sh b/scripts/setup-zipsign.sh new file mode 100755 index 0000000000..d730168027 --- /dev/null +++ b/scripts/setup-zipsign.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +set -euxo pipefail + +if [ -z "$ZIPSIGN" ]; then + echo "ZIPSIGN is not defined" + exit 0 +fi + +cargo install zipsign +mkdir -p ~/.zipsign +echo "$ZIPSIGN" | base64 -d >~/.zipsign/rtx.priv diff --git a/src/cli/self_update.rs b/src/cli/self_update.rs index f5751b594a..da6e13fb03 100644 --- a/src/cli/self_update.rs +++ b/src/cli/self_update.rs @@ -1,7 +1,7 @@ use color_eyre::Result; use console::style; -use self_update::backends::github::Update; +use self_update::backends::github::{ReleaseList, Update}; use self_update::cargo_crate_version; use crate::cli::command::Command; 
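Review bot: Only `$BASENAME.tar.gz` is signed; `$BASENAME.tar.xz`, produced two lines earlier, is still shipped unsigned, so anyone installing from the xz tarball gets no integrity check. zipsign's `tar` mode appears to target gzip tarballs, so either drop the xz artifact from releases or document that only the `.tar.gz` is verifiable. Separately, the `if [ -f ~/.zipsign/rtx.priv ]` guard means a missing or mis-decoded key silently yields unsigned release artifacts; when building a tagged release, fail instead, e.g. `elif [ -n "${GITHUB_REF_NAME:-}" ] && [[ "$GITHUB_REF_NAME" == v* ]]; then echo "signing key missing for release build" >&2; exit 1`.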
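Review bot: `set -euxo pipefail` turns on xtrace, so `echo "$ZIPSIGN" | base64 -d >~/.zipsign/rtx.priv` is echoed to the CI log with the secret expanded; GitHub's log masking only helps if the printed value exactly matches the registered secret, and it should not be relied on for a release signing key. Drop `-x` (or wrap the echo in `set +x` / `set -x`) and write the key with restrictive permissions: `(umask 077; echo "$ZIPSIGN" | base64 -d >~/.zipsign/rtx.priv)`. `cargo install zipsign` is also unpinned — use `cargo install --locked --version <x.y.z> zipsign` so the signing tool itself is not a moving supply-chain target.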
@@ -23,15 +23,27 @@ impl Command for SelfUpdate { fn run(self, _config: Config, out: &mut Output) -> Result<()> { let current_version = env::var("RTX_SELF_UPDATE_VERSION").unwrap_or(cargo_crate_version!().to_string()); + let target = format!("{}-{}", *OS, *ARCH); + let mut releases = ReleaseList::configure(); + releases.repo_owner("jdx").repo_name("rtx"); + if let Some(token) = &*env::GITHUB_API_TOKEN { + releases.auth_token(token); + } + let releases = releases.build()?.fetch()?; + let latest = &releases[0].version; + let mut update = Update::configure(); update .repo_owner("jdx") .repo_name("rtx") .bin_name("rtx") + // TODO: enable if working locally + //.verifying_keys([*include_bytes!("../../zipsign.pub")]) .show_download_progress(true) .current_version(¤t_version) - .target(&format!("{}-{}", *OS, *ARCH)) - .identifier("rtx-v"); + .target(&target) + .bin_path_in_archive("rtx/bin/rtx") + .identifier(&format!("rtx-v{latest}-{target}.tar.gz")); if let Some(token) = &*env::GITHUB_API_TOKEN { update.auth_token(token); } diff --git a/zipsign.pub b/zipsign.pub new file mode 100644 index 0000000000..1a59af07a4 --- /dev/null +++ b/zipsign.pub @@ -0,0 +1 @@ +uy=qDA%R]J \ No newline at end of file
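Review bot: `let latest = &releases[0].version;` panics if the fetched release list is empty (API returning nothing, or a rejected token) instead of propagating an error through the function's `Result`; use `let latest = &releases.first().ok_or_else(|| color_eyre::eyre::eyre!("no rtx releases found"))?.version;`. It also assumes the list is newest-first and that the first entry is a full release rather than a pre-release — worth confirming against `ReleaseList`'s ordering before relying on it to build the download identifier. More importantly for this commit's purpose, `.verifying_keys([*include_bytes!("../../zipsign.pub")])` is commented out, so the `signatures` feature is compiled in but the downloaded tarball is never checked against `zipsign.pub`; until it is enabled, self-update trusts the GitHub download on TLS alone, which the TODO should state plainly, e.g. `// TODO: signature verification is disabled — self-update currently installs unverified tarballs`. `fn run` continues past the end of this hunk.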