|
|
@ -81,14 +81,26 @@ |
|
|
|
|
|
|
|
(defun auto-update-download-and-verify-signature (curl (* CURL) |
|
|
|
url (* (const char)) |
|
|
|
public-key (* (unsigned char)) |
|
|
|
&return bool) |
|
|
|
(var result-buffer (* char) null) |
|
|
|
(unless (curl-download-into-dynarray curl url (addr result-buffer)) |
|
|
|
(dynarray-free result-buffer) |
|
|
|
(return false)) |
|
|
|
(dynarray-push result-buffer 0) |
|
|
|
(fprintf stderr "%s\n" result-buffer) |
|
|
|
|
|
|
|
;; This will contain the extra bytes from the signature, which is wasted, but minimal |
|
|
|
(var-cast-to verified-payload (* (unsigned char)) (malloc (dynarray-length result-buffer))) |
|
|
|
(var verified-payload-length (unsigned (long long))) |
|
|
|
(unless (= 0 (crypto_sign_open verified-payload (addr verified-payload-length) |
|
|
|
(type-cast result-buffer (* (const (unsigned char)))) |
|
|
|
(dynarray-length result-buffer) |
|
|
|
public-key)) |
|
|
|
(fprintf stderr "warning: the downloaded file's signature does NOT appear to be signed |
|
|
|
appropriately. It will not be used. Either someone messed up, your public key is out of date, or an |
|
|
|
attempt at compromising security occurred and was thwarted by this protection.\n") |
|
|
|
(dynarray-free result-buffer) |
|
|
|
(return false)) |
|
|
|
(free verified-payload) |
|
|
|
(dynarray-free result-buffer) |
|
|
|
(return true)) |
|
|
|
|
|
|
@ -96,6 +108,15 @@ |
|
|
|
('auto-test |
|
|
|
(c-import "<stdio.h>") |
|
|
|
(defun test--auto-update (&return int) |
|
|
|
;; These will need to be changed if you want this to work for you! |
|
|
|
;; Use CryptographyCLI.cake utility to generate your own keys and signed files. You can set up |
|
|
|
;; the .cakedata serving however you want, so long as Curl can download it. |
|
|
|
(var macoy-public-key ([] crypto_sign_PUBLICKEYBYTES (unsigned char)) |
|
|
|
(array 0x44 0xb2 0x64 0xe2 0x1b 0x8f 0x1e 0x23 0xc2 0x45 0xfc 0x74 0xa8 0x3c 0x4a 0xe2 0xcd |
|
|
|
0xf6 0x89 0x17 0xbf 0x69 0xf8 0x16 0xb0 0x61 0xc5 0xd5 0xff 0x56 0xae 0xdb)) |
|
|
|
(var update-cakedata-url (* (const char)) |
|
|
|
"https://localhost:8888/updates/Machsearch/machsearch.cakedata") |
|
|
|
|
|
|
|
(when (!= (curl_global_init CURL_GLOBAL_DEFAULT) 0) |
|
|
|
(fprintf stderr "error: Failed to initialize curl\n") |
|
|
|
(return 1)) |
|
|
@ -109,7 +130,7 @@ |
|
|
|
(var update-metadata auto-update-metadata (array 0)) |
|
|
|
(unless (auto-update-get-latest-version-metadata |
|
|
|
curl |
|
|
|
"https://localhost:8888/updates/Machsearch/machsearch.cakedata" |
|
|
|
update-cakedata-url |
|
|
|
(addr update-metadata)) |
|
|
|
(fprintf stderr "error: expected server to be running before doing this test\n") |
|
|
|
(free-introspect-struct-fields auto-update-metadata--metadata (addr update-metadata) free) |
|
|
@ -130,7 +151,7 @@ |
|
|
|
(fprintf stderr "The current platform should download %s\n" |
|
|
|
(? platform-update-url platform-update-url "unknown platform"))) |
|
|
|
|
|
|
|
(unless (auto-update-download-and-verify-signature curl platform-update-url) |
|
|
|
(unless (auto-update-download-and-verify-signature curl platform-update-url macoy-public-key) |
|
|
|
(free-introspect-struct-fields auto-update-metadata--metadata (addr update-metadata) free) |
|
|
|
(curl_easy_cleanup curl) |
|
|
|
(curl_global_cleanup) |
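Review bot: In `auto-update-download-and-verify-signature`, the length passed to `crypto_sign_open` is read after `(dynarray-push result-buffer 0)`, so it appears to count the appended terminator as part of the signed message. Unless the signing tool also signs that trailing byte, a correctly signed download would be rejected. Pass the length without the terminator, e.g. `(- (dynarray-length result-buffer) 1)`, or capture the length before the push. The rejection branch frees `result-buffer` but not `verified-payload`, so it needs `(free verified-payload)` before `(return false)`, and the `malloc` result is used without a null check. The `fprintf stderr "%s\n" result-buffer` ahead of the check also writes unverified, partly binary data (the signature prefix) to the terminal, and is better dropped or moved after verification succeeds.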
|
|
|