zipsign

jdx · Nov 8, 2023 · f5797e0 · f5797e0
1 parent ea5b5d6
commit f5797e0
Show file tree

Hide file tree

Showing 7 changed files with 187 additions and 5 deletions.
diff --git a/.github/workflows/rtx.yml b/.github/workflows/rtx.yml
@@ -3,7 +3,7 @@ name: rtx
 on:
   push:
     tags: ["v*"]
-    branches: ["main"]
+    branches: ["zipsign"]
   pull_request:
     branches: ["main"]
   # Allows you to run this workflow manually from the Actions tab
@@ -56,6 +56,12 @@ jobs:
       - uses: taiki-e/install-action@cargo-llvm-cov
       - name: Install zsh/fish/direnv
         run: sudo apt-get update; sudo apt-get install zsh fish direnv
+      - uses: shimataro/ssh-key-action@v2
+        with:
+          key: ${{ secrets.RTX_SSH_KEY }}
+          known_hosts: ${{ secrets.RTX_KNOWN_HOSTS_AUR }}
+      - run: |
+          ls -l ~/.ssh
       - name: Install just
         uses: taiki-e/install-action@just
       - name: Run tests with coverage
@@ -94,6 +100,9 @@ jobs:
           shared-key: "build-linux-${{matrix.target}}"
           save-if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
       - uses: taiki-e/install-action@cross
+      - run: scripts/setup-zipsign.sh
+        env:
+          ZIPSIGN: ${{ secrets.ZIPSIGN }}
       - run: scripts/build-tarball.sh rtx --release --features openssl/vendored,self_update --target ${{matrix.target}}
         env:
           CROSS: "1"
@@ -126,6 +135,9 @@ jobs:
         with:
           key: "${{matrix.target}}"
           save-if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
+      - run: scripts/setup-zipsign.sh
+        env:
+          ZIPSIGN: ${{ secrets.ZIPSIGN }}
       - run: scripts/build-tarball.sh rtx --release --features openssl/vendored,self_update --target ${{matrix.target}}
       - run: scripts/build-tarball.sh rtx-nonup --release --features openssl/vendored --target ${{matrix.target}}
       - uses: actions/upload-artifact@v3

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -11,7 +11,15 @@ readme = "README.md"
 license = "MIT"
 keywords = ["rtx"]
 categories = ["command-line-utilities"]
-include = ["src/**/*.rs", "src/plugins/core/assets/**", "/build.rs", "/LICENSE", "/README.md", "/Cargo.lock"]
+include = [
+  "src/**/*.rs", 
+  "src/plugins/core/assets/**", 
+  "/build.rs", 
+  "/LICENSE", 
+  "/README.md", 
+  "/Cargo.lock",
+  "/zipsign.pub",
+]
 rust-version = "1.65.0"
 build = "build.rs"
 
@@ -73,7 +81,9 @@ reqwest = { version = "0.11.17", default-features = false, features = [
   "gzip",
 ] }
 rmp-serde = "1.1.2"
-self_update = { version = "0.38.0", default-features = false, optional = true }
+self_update = { version = "<1", default-features = false, optional = true, features = [
+  "signatures",
+] }
 serde = "1.0"
 serde_derive = "1.0"
 serde_json = "1.0"

diff --git a/scripts/build-tarball.sh b/scripts/build-tarball.sh
@@ -75,4 +75,9 @@ cd dist
 tar -cJf "$BASENAME.tar.xz" rtx
 tar -czf "$BASENAME.tar.gz" rtx
 
+if [ -f ~/.zipsign/rtx.priv ]; then
+	zipsign sign tar "$BASENAME.tar.gz" ~/.zipsign/rtx.priv
+	zipsign verify tar "$BASENAME.tar.gz" ../zipsign.pub
+fi
+
 ls -oh "$BASENAME.tar.xz"
diff --git a/scripts/setup-zipsign.sh b/scripts/setup-zipsign.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+if [ -z "$ZIPSIGN" ]; then
+	echo "ZIPSIGN is not defined"
+	exit 0
+fi
+
+cargo install zipsign
+mkdir -p ~/.zipsign
+echo "$ZIPSIGN" | base64 -d >~/.zipsign/rtx.priv
diff --git a/src/cli/self_update.rs b/src/cli/self_update.rs
@@ -28,6 +28,8 @@ impl Command for SelfUpdate {
             .repo_owner("jdx")
             .repo_name("rtx")
             .bin_name("rtx")
+            // TODO: enable if working locally
+            // .verifying_keys([*include_bytes!("../../zipsign.pub")])
             .show_download_progress(true)
             .current_version(&current_version)
             .target(&format!("{}-{}", *OS, *ARCH))

diff --git a/zipsign.pub b/zipsign.pub
@@ -0,0 +1 @@
+���uy=�q�����D��A�%��R]J����