Browse Source

Verify the signature of the downloaded payload

I created the keys and signed the payload via CryptographyCLI.
master
Macoy Madson 6 months ago
parent
commit
3e5fec0fdb
  1. 29
      src/AutoUpdate.cake

29
src/AutoUpdate.cake

@ -81,14 +81,26 @@
(defun auto-update-download-and-verify-signature (curl (* CURL)
url (* (const char))
public-key (* (unsigned char))
&return bool)
(var result-buffer (* char) null)
(unless (curl-download-into-dynarray curl url (addr result-buffer))
(dynarray-free result-buffer)
(return false))
(dynarray-push result-buffer 0)
(fprintf stderr "%s\n" result-buffer)
;; This will contain the extra bytes from the signature, which is wasted, but minimal
(var-cast-to verified-payload (* (unsigned char)) (malloc (dynarray-length result-buffer)))
(var verified-payload-length (unsigned (long long)))
(unless (= 0 (crypto_sign_open verified-payload (addr verified-payload-length)
(type-cast result-buffer (* (const (unsigned char))))
(dynarray-length result-buffer)
public-key))
(fprintf stderr "warning: the downloaded file's signature does NOT appear to be signed
appropriately. It will not be used. Either someone messed up, your public key is out of date, or an
attempt at compromising security occurred and was thwarted by this protection.\n")
(dynarray-free result-buffer)
(return false))
(free verified-payload)
(dynarray-free result-buffer)
(return true))
@ -96,6 +108,15 @@
('auto-test
(c-import "<stdio.h>")
(defun test--auto-update (&return int)
;; These will need to be changed if you want this to work for you!
;; Use CryptographyCLI.cake utility to generate your own keys and signed files. You can set up
;; the .cakedata serving however you want, so long as Curl can download it.
(var macoy-public-key ([] crypto_sign_PUBLICKEYBYTES (unsigned char))
(array 0x44 0xb2 0x64 0xe2 0x1b 0x8f 0x1e 0x23 0xc2 0x45 0xfc 0x74 0xa8 0x3c 0x4a 0xe2 0xcd
0xf6 0x89 0x17 0xbf 0x69 0xf8 0x16 0xb0 0x61 0xc5 0xd5 0xff 0x56 0xae 0xdb))
(var update-cakedata-url (* (const char))
"https://localhost:8888/updates/Machsearch/machsearch.cakedata")
(when (!= (curl_global_init CURL_GLOBAL_DEFAULT) 0)
(fprintf stderr "error: Failed to initialize curl\n")
(return 1))
@ -109,7 +130,7 @@
(var update-metadata auto-update-metadata (array 0))
(unless (auto-update-get-latest-version-metadata
curl
"https://localhost:8888/updates/Machsearch/machsearch.cakedata"
update-cakedata-url
(addr update-metadata))
(fprintf stderr "error: expected server to be running before doing this test\n")
(free-introspect-struct-fields auto-update-metadata--metadata (addr update-metadata) free)
@ -130,7 +151,7 @@
(fprintf stderr "The current platform should download %s\n"
(? platform-update-url platform-update-url "unknown platform")))
(unless (auto-update-download-and-verify-signature curl platform-update-url)
(unless (auto-update-download-and-verify-signature curl platform-update-url macoy-public-key)
(free-introspect-struct-fields auto-update-metadata--metadata (addr update-metadata) free)
(curl_easy_cleanup curl)
(curl_global_cleanup)

Loading…
Cancel
Save