From 74bf044c740b25095386d0cc95ba7e740cecf584 Mon Sep 17 00:00:00 2001
From: Lukas Bachschwell
Date: Sat, 9 Jan 2021 17:45:42 +0100
Subject: [PATCH] Add sig validation in binary
Signed-off-by: Lukas Bachschwell
---
.gitignore | 1 +
genKeys.sh | 3 +++
go.mod | 5 ++++-
go.sum | 2 ++
main.go | 26 +++++++++++++++++++++-----
pubkey.pem | 4 ++++
6 files changed, 35 insertions(+), 6 deletions(-)
create mode 100755 genKeys.sh
create mode 100644 pubkey.pem
diff --git a/.gitignore b/.gitignore
index 0ed104f..5b363ad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
gitinfo.go
dist
+privkey.pem
diff --git a/genKeys.sh b/genKeys.sh
new file mode 100755
index 0000000..ead3e10
--- /dev/null
+++ b/genKeys.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl ecparam -name prime256v1 -genkey -noout -out privkey.pem
+openssl ec -in privkey.pem -pubout -out pubkey.pem
diff --git a/go.mod b/go.mod
index 928a914..aa55c1f 100644
--- a/go.mod
+++ b/go.mod
@@ -4,4 +4,7 @@ go 1.15
replace github.com/creativeprojects/go-selfupdate => /Users/LB/Desktop/z_Projects/go-selfupdate
-require github.com/creativeprojects/go-selfupdate v0.0.0-00010101000000-000000000000
+require (
+ github.com/creativeprojects/go-selfupdate v0.0.0-00010101000000-000000000000
+ github.com/kenshaw/pemutil v0.1.0
+)
diff --git a/go.sum b/go.sum
index 23f795c..9c8d08a 100644
--- a/go.sum
+++ b/go.sum
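Review bot: genKeys.sh has no guard against being run twice: a second run overwrites privkey.pem and pubkey.pem in place, and binaries already built with the old key embedded in main.go would presumably reject every release signed with the new one. Stop when a key already exists, e.g. `[ -e privkey.pem ] && { echo "privkey.pem already exists" >&2; exit 1; }`, and add `set -eu` after the shebang so a failed `openssl ecparam` does not fall through to the `openssl ec` step. A `umask 077` before generating keeps the private key owner-only regardless of how the installed OpenSSL creates the file.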
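Review bot: The `replace` directive kept in the go.mod hunk still points go-selfupdate at `/Users/LB/Desktop/z_Projects/go-selfupdate`, so the `ECDSAValidator` that main.go now relies on is built from whatever is in that local checkout rather than from a version with a checksum in go.sum. The module also cannot be built on another machine unless the same path exists there. Before releasing a binary that enforces signatures, drop the `replace` and require a tagged release or commit pseudo-version of go-selfupdate, so the verification code is pinned the way `github.com/kenshaw/pemutil v0.1.0` is. As far as this patch shows, pemutil is used only to decode the one embedded key, which `encoding/pem` plus `x509.ParsePKIXPublicKey` from the standard library can do without adding a dependency to the update-verification path.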
@@ -107,6 +107,8 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/kenshaw/pemutil v0.1.0 h1:rA3FC1PkBPlt/ez3iHgMzdEEFq4Bhnpkh/g2C68oRac= +github.com/kenshaw/pemutil v0.1.0/go.mod h1:KDF39i6NCZ2UJYtdyVVQi8l+G5S3zgE26GzAjFiLmHQ= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
diff --git a/main.go b/main.go
index cc4fb51..2704fc9 100644
--- a/main.go
+++ b/main.go
@@ -8,6 +8,7 @@ import (
"runtime"
selfupdate "github.com/creativeprojects/go-selfupdate"
+ "github.com/kenshaw/pemutil"
)
//go:generate sh injectGitVars.sh
@@ -36,12 +37,27 @@ func main() {
func update(version string) error {
source, _ := selfupdate.NewGiteaSource(selfupdate.GiteaConfig{BaseURL: "https://git.lbsfilm.at/"})
+
+ store := make(pemutil.Store)
+ err := pemutil.Decode(store, []byte(`-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0+99Oxlx+P6F9Cd5pUIw6oGY2oFL
+qCf//kV/S27OpD6skuEveQG+M1k6eT/o8oVDJ0sj3aIyaF+vruZaBB9HeA==
+-----END PUBLIC KEY-----`))
+ if err != nil {
+ return err
+ }
+ pubkey, ok := store.ECPublicKey()
+ if !ok {
+ return fmt.Errorf("no pubkey")
+ }
updater, err := selfupdate.NewUpdater(selfupdate.Config{
- Source: source,
- Validator: nil,
- OS: runtime.GOOS,
- Arch: runtime.GOARCH,
- Arm: 0,
+ Source: source,
+ Validator: &selfupdate.ECDSAValidator{
+ PublicKey: pubkey,
+ },
+ OS: runtime.GOOS,
+ Arch: runtime.GOARCH,
+ Arm: 0,
})
latest, found, err := updater.DetectLatest("lbsadmin/goselfupdatetest")
diff --git a/pubkey.pem b/pubkey.pem
new file mode 100644
index 0000000..eed775a
--- /dev/null
+++ b/pubkey.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0+99Oxlx+P6F9Cd5pUIw6oGY2oFL
+qCf//kV/S27OpD6skuEveQG+M1k6eT/o8oVDJ0sj3aIyaF+vruZaBB9HeA==
+-----END PUBLIC KEY-----
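Review bot: In the main.go hunk, the `err` returned by `selfupdate.NewUpdater` is never checked: the next statement, `latest, found, err := updater.DetectLatest(...)`, overwrites it, so a failure while constructing the updater with the new `Validator` would go unnoticed. Add `if err != nil { return fmt.Errorf("creating updater: %w", err) }` directly after the `NewUpdater` call; the error discarded from `selfupdate.NewGiteaSource` at the top of the hunk deserves the same treatment. The PEM literal duplicates pubkey.pem, which this commit also adds, so a comment such as `// must match pubkey.pem; regenerate both with genKeys.sh` above the literal would help keep the two in sync. `update` continues past the end of the hunk, so whether a missing or invalid signature actually aborts the update is not visible here and should be covered by a test.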