zipsign (#985)

jdx · Nov 9, 2023 · d360332 · d360332
1 parent 9aaecba
commit d360332
Show file tree

Hide file tree

Showing 9 changed files with 209 additions and 8 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+zipsign.pub binary
diff --git a/.github/workflows/rtx.yml b/.github/workflows/rtx.yml
@@ -94,6 +94,9 @@ jobs:
           shared-key: "build-linux-${{matrix.target}}"
           save-if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
       - uses: taiki-e/install-action@cross
+      - run: scripts/setup-zipsign.sh
+        env:
+          ZIPSIGN: ${{ secrets.ZIPSIGN }}
       - run: scripts/build-tarball.sh rtx --release --features openssl/vendored,self_update --target ${{matrix.target}}
         env:
           CROSS: "1"
@@ -126,6 +129,9 @@ jobs:
         with:
           key: "${{matrix.target}}"
           save-if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
+      - run: scripts/setup-zipsign.sh
+        env:
+          ZIPSIGN: ${{ secrets.ZIPSIGN }}
       - run: scripts/build-tarball.sh rtx --release --features openssl/vendored,self_update --target ${{matrix.target}}
       - run: scripts/build-tarball.sh rtx-nonup --release --features openssl/vendored --target ${{matrix.target}}
       - uses: actions/upload-artifact@v3

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -11,7 +11,15 @@ readme = "README.md"
 license = "MIT"
 keywords = ["rtx"]
 categories = ["command-line-utilities"]
-include = ["src/**/*.rs", "src/plugins/core/assets/**", "/build.rs", "/LICENSE", "/README.md", "/Cargo.lock"]
+include = [
+  "src/**/*.rs",
+  "src/plugins/core/assets/**",
+  "/Cargo.lock",
+  "/LICENSE",
+  "/README.md",
+  "/build.rs",
+  "/zipsign.pub",
+]
 rust-version = "1.65.0"
 build = "build.rs"
 
@@ -73,7 +81,11 @@ reqwest = { version = "0.11.17", default-features = false, features = [
   "gzip",
 ] }
 rmp-serde = "1.1.2"
-self_update = { version = "0.38.0", default-features = false, optional = true }
+self_update = { version = "<1", default-features = false, optional = true, features = [
+  "archive-tar",
+  "compression-flate2",
+  "signatures",
+] }
 serde = "1.0"
 serde_derive = "1.0"
 serde_json = "1.0"

diff --git a/deny.toml b/deny.toml
@@ -101,7 +101,15 @@ unlicensed = "deny"
 # List of explicitly allowed licenses
 # See https://spdx.org/licenses/ for list of possible licenses
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
-allow = ["MIT", "ISC", "Apache-2.0", "Unicode-DFS-2016", "BSD-3-Clause", "OpenSSL"]
+allow = [
+  "MIT",
+  "ISC",
+  "Apache-2.0",
+  "Apache-2.0 WITH LLVM-exception",
+  "Unicode-DFS-2016",
+  "BSD-3-Clause",
+  "OpenSSL",
+]
 # List of explicitly disallowed licenses
 # See https://spdx.org/licenses/ for list of possible licenses
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].

diff --git a/scripts/build-tarball.sh b/scripts/build-tarball.sh
@@ -75,4 +75,9 @@ cd dist
 tar -cJf "$BASENAME.tar.xz" rtx
 tar -czf "$BASENAME.tar.gz" rtx
 
+if [ -f ~/.zipsign/rtx.priv ]; then
+	zipsign sign tar "$BASENAME.tar.gz" ~/.zipsign/rtx.priv
+	zipsign verify tar "$BASENAME.tar.gz" ../zipsign.pub
+fi
+
 ls -oh "$BASENAME.tar.xz"
diff --git a/scripts/setup-zipsign.sh b/scripts/setup-zipsign.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+if [ -z "$ZIPSIGN" ]; then
+	echo "ZIPSIGN is not defined"
+	exit 0
+fi
+
+cargo install zipsign
+mkdir -p ~/.zipsign
+echo "$ZIPSIGN" | base64 -d >~/.zipsign/rtx.priv
diff --git a/src/cli/self_update.rs b/src/cli/self_update.rs
@@ -1,7 +1,7 @@
 use color_eyre::Result;
 use console::style;
 
-use self_update::backends::github::Update;
+use self_update::backends::github::{ReleaseList, Update};
 use self_update::cargo_crate_version;
 
 use crate::cli::command::Command;
@@ -23,15 +23,27 @@ impl Command for SelfUpdate {
     fn run(self, _config: Config, out: &mut Output) -> Result<()> {
         let current_version =
             env::var("RTX_SELF_UPDATE_VERSION").unwrap_or(cargo_crate_version!().to_string());
+        let target = format!("{}-{}", *OS, *ARCH);
+        let mut releases = ReleaseList::configure();
+        releases.repo_owner("jdx").repo_name("rtx");
+        if let Some(token) = &*env::GITHUB_API_TOKEN {
+            releases.auth_token(token);
+        }
+        let releases = releases.build()?.fetch()?;
+        let latest = &releases[0].version;
+
         let mut update = Update::configure();
         update
             .repo_owner("jdx")
             .repo_name("rtx")
             .bin_name("rtx")
+            // TODO: enable if working locally
+            //.verifying_keys([*include_bytes!("../../zipsign.pub")])
             .show_download_progress(true)
             .current_version(&current_version)
-            .target(&format!("{}-{}", *OS, *ARCH))
-            .identifier("rtx-v");
+            .target(&target)
+            .bin_path_in_archive("rtx/bin/rtx")
+            .identifier(&format!("rtx-v{latest}-{target}.tar.gz"));
         if let Some(token) = &*env::GITHUB_API_TOKEN {
             update.auth_token(token);
         }

diff --git a/zipsign.pub b/zipsign.pub
@@ -0,0 +1 @@
+���uy=�q�����D��A�%��R]J����