feat: support verifying with minisign (#2994)

* feat: support verifying with minisign * fix: fix minisign exe path * fix: use GetFiles * fix: download minisign signature * fix: make public_key optional
aquaproj · Jul 17, 2024 · f2b5196 · f2b5196
1 parent 22e2139
commit f2b5196
Show file tree

Hide file tree

Showing 25 changed files with 653 additions and 39 deletions.
diff --git a/json-schema/aqua-yaml.json b/json-schema/aqua-yaml.json
@@ -74,6 +74,9 @@
         },
         "update": {
           "$ref": "#/$defs/Update"
+        },
+        "go_version_file": {
+          "type": "string"
         }
       },
       "additionalProperties": false,
@@ -138,6 +141,15 @@
       "properties": {
         "enabled": {
           "type": "boolean"
+        },
+        "allowed_version": {
+          "type": "string"
+        },
+        "types": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
         }
       },
       "additionalProperties": false,

diff --git a/json-schema/registry.json b/json-schema/registry.json
@@ -133,9 +133,6 @@
         "enabled": {
           "type": "boolean"
         },
-        "cosign_experimental": {
-          "type": "boolean"
-        },
         "opts": {
           "items": {
             "type": "string"
@@ -240,6 +237,37 @@
       },
       "type": "array"
     },
+    "Minisign": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        },
+        "type": {
+          "type": "string",
+          "enum": [
+            "github_release",
+            "http"
+          ]
+        },
+        "repo_owner": {
+          "type": "string"
+        },
+        "repo_name": {
+          "type": "string"
+        },
+        "asset": {
+          "type": "string"
+        },
+        "url": {
+          "type": "string"
+        },
+        "public_key": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "Override": {
       "properties": {
         "goos": {
@@ -340,6 +368,9 @@
         "slsa_provenance": {
           "$ref": "#/$defs/SLSAProvenance"
         },
+        "minisign": {
+          "$ref": "#/$defs/Minisign"
+        },
         "envs": {
           "$ref": "#/$defs/SupportedEnvs"
         }
@@ -488,6 +519,9 @@
         "slsa_provenance": {
           "$ref": "#/$defs/SLSAProvenance"
         },
+        "minisign": {
+          "$ref": "#/$defs/Minisign"
+        },
         "version_constraint": {
           "type": "string"
         },
@@ -679,6 +713,9 @@
         "slsa_provenance": {
           "$ref": "#/$defs/SLSAProvenance"
         },
+        "minisign": {
+          "$ref": "#/$defs/Minisign"
+        },
         "build": {
           "$ref": "#/$defs/Build"
         },

diff --git a/pkg/cli/cp.go b/pkg/cli/cp.go
@@ -82,7 +82,10 @@ func (r *Runner) cpAction(c *cli.Context) error {
 		return fmt.Errorf("parse the command line arguments: %w", err)
 	}
 	param.SkipLink = true
-	ctrl := controller.InitializeCopyCommandController(c.Context, param, http.DefaultClient, r.Runtime)
+	ctrl, err := controller.InitializeCopyCommandController(c.Context, param, http.DefaultClient, r.Runtime)
+	if err != nil {
+		return fmt.Errorf("initialize a CopyController: %w", err)
+	}
 	if err := ctrl.Copy(c.Context, r.LogE, param); err != nil {
 		return err //nolint:wrapcheck
 	}

diff --git a/pkg/cli/exec.go b/pkg/cli/exec.go
@@ -53,7 +53,10 @@ func (r *Runner) execAction(c *cli.Context) error {
 	if err := r.setParam(c, "exec", param); err != nil {
 		return fmt.Errorf("parse the command line arguments: %w", err)
 	}
-	ctrl := controller.InitializeExecCommandController(c.Context, param, http.DefaultClient, r.Runtime)
+	ctrl, err := controller.InitializeExecCommandController(c.Context, param, http.DefaultClient, r.Runtime)
+	if err != nil {
+		return fmt.Errorf("initialize a ExecController: %w", err)
+	}
 	exeName, args, err := parseExecArgs(c.Args().Slice())
 	if err != nil {
 		return err

diff --git a/pkg/cli/install.go b/pkg/cli/install.go
@@ -81,6 +81,9 @@ func (r *Runner) installAction(c *cli.Context) error {
 	if err := r.setParam(c, "install", param); err != nil {
 		return fmt.Errorf("parse the command line arguments: %w", err)
 	}
-	ctrl := controller.InitializeInstallCommandController(c.Context, param, http.DefaultClient, r.Runtime)
+	ctrl, err := controller.InitializeInstallCommandController(c.Context, param, http.DefaultClient, r.Runtime)
+	if err != nil {
+		return fmt.Errorf("initialize a InstallController: %w", err)
+	}
 	return ctrl.Install(c.Context, r.LogE, param) //nolint:wrapcheck
 }
diff --git a/pkg/cli/update_aqua.go b/pkg/cli/update_aqua.go
@@ -49,6 +49,9 @@ func (r *Runner) updaetAquaAction(c *cli.Context) error {
 	if err := r.setParam(c, "update-aqua", param); err != nil {
 		return fmt.Errorf("parse the command line arguments: %w", err)
 	}
-	ctrl := controller.InitializeUpdateAquaCommandController(c.Context, param, http.DefaultClient, r.Runtime)
+	ctrl, err := controller.InitializeUpdateAquaCommandController(c.Context, param, http.DefaultClient, r.Runtime)
+	if err != nil {
+		return fmt.Errorf("initialize a UpdateAquaController: %w", err)
+	}
 	return ctrl.UpdateAqua(c.Context, r.LogE, param) //nolint:wrapcheck
 }
diff --git a/pkg/config/registry/minisign.go b/pkg/config/registry/minisign.go
@@ -0,0 +1,41 @@
+package registry
+
+type Minisign struct {
+	Enabled   *bool   `json:"enabled,omitempty"`
+	Type      string  `json:"type,omitempty"  jsonschema:"enum=github_release,enum=http"`
+	RepoOwner string  `yaml:"repo_owner,omitempty" json:"repo_owner,omitempty"`
+	RepoName  string  `yaml:"repo_name,omitempty" json:"repo_name,omitempty"`
+	Asset     *string `json:"asset,omitempty" yaml:",omitempty"`
+	URL       *string `json:"url,omitempty" yaml:",omitempty"`
+	PublicKey string  `json:"public_key,omitempty" yaml:"public_key,omitempty"`
+}
+
+func (m *Minisign) ToDownloadedFile() *DownloadedFile {
+	return &DownloadedFile{
+		Type:      m.Type,
+		RepoOwner: m.RepoOwner,
+		RepoName:  m.RepoName,
+		Asset:     m.Asset,
+		URL:       m.URL,
+	}
+}
+
+func (m *Minisign) GetEnabled() bool {
+	if m == nil {
+		return false
+	}
+	if m.Enabled != nil {
+		return *m.Enabled
+	}
+	return true
+}
+
+func (m *Minisign) GetDownloadedFile() *DownloadedFile {
+	return &DownloadedFile{
+		Type:      m.Type,
+		RepoOwner: m.RepoOwner,
+		RepoName:  m.RepoName,
+		Asset:     m.Asset,
+		URL:       m.URL,
+	}
+}
diff --git a/pkg/config/registry/package_info.go b/pkg/config/registry/package_info.go
@@ -56,6 +56,7 @@ type PackageInfo struct {
 	Checksum            *Checksum          `json:"checksum,omitempty"`
 	Cosign              *Cosign            `json:"cosign,omitempty"`
 	SLSAProvenance      *SLSAProvenance    `json:"slsa_provenance,omitempty" yaml:"slsa_provenance,omitempty"`
+	Minisign            *Minisign          `json:"minisign,omitempty" yaml:",omitempty"`
 	VersionConstraints  string             `yaml:"version_constraint,omitempty" json:"version_constraint,omitempty"`
 	VersionOverrides    []*VersionOverride `yaml:"version_overrides,omitempty" json:"version_overrides,omitempty"`
 }
@@ -112,6 +113,7 @@ type VersionOverride struct {
 	Checksum            *Checksum       `json:"checksum,omitempty"`
 	Cosign              *Cosign         `json:"cosign,omitempty"`
 	SLSAProvenance      *SLSAProvenance `json:"slsa_provenance,omitempty" yaml:"slsa_provenance,omitempty"`
+	Minisign            *Minisign       `json:"minisign,omitempty" yaml:",omitempty"`
 	Build               *Build          `json:"build,omitempty" yaml:",omitempty"`
 	Overrides           Overrides       `yaml:",omitempty" json:"overrides,omitempty"`
 	SupportedEnvs       SupportedEnvs   `yaml:"supported_envs,omitempty" json:"supported_envs,omitempty"`
@@ -135,6 +137,7 @@ type Override struct {
 	Checksum           *Checksum       `json:"checksum,omitempty"`
 	Cosign             *Cosign         `json:"cosign,omitempty"`
 	SLSAProvenance     *SLSAProvenance `json:"slsa_provenance,omitempty" yaml:"slsa_provenance,omitempty"`
+	Minisign           *Minisign       `json:"minisign,omitempty" yaml:",omitempty"`
 	Envs               SupportedEnvs   `yaml:",omitempty" json:"envs,omitempty"`
 }
 
@@ -170,6 +173,7 @@ func (p *PackageInfo) Copy() *PackageInfo {
 		Checksum:            p.Checksum,
 		Cosign:              p.Cosign,
 		SLSAProvenance:      p.SLSAProvenance,
+		Minisign:            p.Minisign,
 		Private:             p.Private,
 		ErrorMessage:        p.ErrorMessage,
 		NoAsset:             p.NoAsset,
@@ -210,6 +214,7 @@ func (p *PackageInfo) resetByPkgType(typ string) { //nolint:funlen
 		p.CompleteWindowsExt = nil
 		p.Cosign = nil
 		p.SLSAProvenance = nil
+		p.Minisign = nil
 		p.Format = ""
 		p.Rosetta2 = false
 		p.WindowsARMEmulation = false
@@ -223,6 +228,7 @@ func (p *PackageInfo) resetByPkgType(typ string) { //nolint:funlen
 		p.CompleteWindowsExt = nil
 		p.Cosign = nil
 		p.SLSAProvenance = nil
+		p.Minisign = nil
 		p.Format = ""
 		p.Rosetta2 = false
 		p.WindowsARMEmulation = false
@@ -235,6 +241,7 @@ func (p *PackageInfo) resetByPkgType(typ string) { //nolint:funlen
 		p.CompleteWindowsExt = nil
 		p.Cosign = nil
 		p.SLSAProvenance = nil
+		p.Minisign = nil
 		p.Format = ""
 		p.Rosetta2 = false
 		p.WindowsARMEmulation = false
@@ -317,6 +324,9 @@ func (p *PackageInfo) overrideVersion(child *VersionOverride) *PackageInfo { //n
 	if child.SLSAProvenance != nil {
 		pkg.SLSAProvenance = child.SLSAProvenance
 	}
+	if child.Minisign != nil {
+		pkg.Minisign = child.Minisign
+	}
 	if child.ErrorMessage != nil {
 		pkg.ErrorMessage = *child.ErrorMessage
 	}
@@ -411,6 +421,10 @@ func (p *PackageInfo) OverrideByRuntime(rt *runtime.Runtime) { //nolint:cyclop,f
 		p.SLSAProvenance = ov.SLSAProvenance
 	}
 
+	if ov.Minisign != nil {
+		p.Minisign = ov.Minisign
+	}
+
 	if ov.AppendExt != nil {
 		p.AppendExt = ov.AppendExt
 	}

diff --git a/pkg/controller/exec/exec_test.go b/pkg/controller/exec/exec_test.go
@@ -20,6 +20,7 @@ import (
 	"github.com/aquaproj/aqua/v2/pkg/exec"
 	registry "github.com/aquaproj/aqua/v2/pkg/install-registry"
 	"github.com/aquaproj/aqua/v2/pkg/installpackage"
+	"github.com/aquaproj/aqua/v2/pkg/minisign"
 	"github.com/aquaproj/aqua/v2/pkg/policy"
 	"github.com/aquaproj/aqua/v2/pkg/runtime"
 	"github.com/aquaproj/aqua/v2/pkg/slsa"
@@ -150,7 +151,7 @@ packages:
 			whichCtrl := which.New(d.param, finder.NewConfigFinder(fs), reader.New(fs, d.param), registry.New(d.param, ghDownloader, fs, d.rt, &cosign.MockVerifier{}, &slsa.MockVerifier{}), d.rt, osEnv, fs, linker)
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
 			executor := &exec.Mock{}
-			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
 			policyFinder := policy.NewConfigFinder(fs)
 			ctrl := execCtrl.New(pkgInstaller, whichCtrl, executor, osEnv, fs, policy.NewReader(fs, policy.NewValidator(d.param, fs), policyFinder, policy.NewConfigReader(fs)))
 			if err := ctrl.Exec(ctx, logE, d.param, d.exeName, d.args...); err != nil {
@@ -245,7 +246,7 @@ packages:
 			whichCtrl := which.New(d.param, finder.NewConfigFinder(fs), reader.New(fs, d.param), registry.New(d.param, ghDownloader, afero.NewOsFs(), d.rt, &cosign.MockVerifier{}, &slsa.MockVerifier{}), d.rt, osEnv, fs, linker)
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
 			executor := &exec.Mock{}
-			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
 			ctrl := execCtrl.New(pkgInstaller, whichCtrl, executor, osEnv, fs, &policy.MockReader{})
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {

diff --git a/pkg/controller/install/install_test.go b/pkg/controller/install/install_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/aquaproj/aqua/v2/pkg/exec"
 	registry "github.com/aquaproj/aqua/v2/pkg/install-registry"
 	"github.com/aquaproj/aqua/v2/pkg/installpackage"
+	"github.com/aquaproj/aqua/v2/pkg/minisign"
 	"github.com/aquaproj/aqua/v2/pkg/policy"
 	"github.com/aquaproj/aqua/v2/pkg/runtime"
 	"github.com/aquaproj/aqua/v2/pkg/slsa"
@@ -101,7 +102,7 @@ packages:
 			}
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
 			executor := &exec.Mock{}
-			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
 			policyFinder := policy.NewConfigFinder(fs)
 			policyReader := policy.NewReader(fs, &policy.MockValidator{}, policyFinder, policy.NewConfigReader(fs))
 			ctrl := install.New(d.param, finder.NewConfigFinder(fs), reader.New(fs, d.param), registry.New(d.param, registryDownloader, fs, d.rt, &cosign.MockVerifier{}, &slsa.MockVerifier{}), pkgInstaller, fs, d.rt, policyReader)