From dfd85f7ed309ff9e38de837c6a8efd4d74ed09bb Mon Sep 17 00:00:00 2001
From: Jakub
Date: Thu, 11 May 2023 16:04:30 +0200
Subject: [PATCH] fix(GODT-2625): Update bridge pubkey and add option to verify in hasher.

---
 internal/updater/key_default.go | 52 ++++++++++++++++-----------------
 internal/updater/keyring.go | 40 +++++++++++++++++++++++++
 internal/versioner/version.go | 10 +++++--
 utils/hasher/main.go | 20 +++++++++++++
 4 files changed, 93 insertions(+), 29 deletions(-)
 create mode 100644 internal/updater/keyring.go

diff --git a/internal/updater/key_default.go b/internal/updater/key_default.go
index 8236116c..81baef8a 100644
--- a/internal/updater/key_default.go
+++ b/internal/updater/key_default.go
@@ -33,19 +33,19 @@ D8Gp19LnRtmqjVh2rVdr8yc5nAjoNOZwanMwD5vCWPUVELWXubNFBv8hqZMxHZqW
 GrB8x8hkdgiNmuyqsxzBmOEJHWLlvbFhvHhIedT8paU/spL/qJmWp3EB4QARAQAB
 tExQcm90b24gVGVjaG5vbG9naWVzIEFHIChQcm90b25NYWlsIEJyaWRnZSBkZXZl
 bG9wZXJzKSA8YnJpZGdlQHByb3Rvbm1haWwuY2g+iQJUBBMBCAA+AhsDBQsJCAcC
-BhUICQoLAgQWAgMBAh4BAheAFiEE1R5k0+Y+3D7veGTO4sddaOYjSwcFAl432eEF
-CQXb04AACgkQ4sddaOYjSwd9ww/9FmQa/Fh1lgE9Ug6zQMlr20UDxfCVvE+Hxn4V
-OFSWLH+c491BWJMCSI/vm2XJSzjchoeYB+Ns5M/b1tC4orCzbUGb0INpcnNOZPYM
-jcMlIqFlMdYzG7ZRFUX3BaMgpb0Xlyk4bLP0FcDIyJuO/53qsi4QNLNqIJOD2IDK
-mG3z17GCZ+heJcttMzkzihYX6dBOeD2MUhSruTGLzGRstbVntthdpIs9u2jUCPuB
-qZB2Dw2l1MtqB5UguE7Xxwz9R6xZ7a/P13wCXzVoA0Ud/pkyZ5UgAWapulBrjrCD
-z4Oqa3DQpscVzex1bkj9Xd9duwBM4BbR5r5432sYiGYV1IByw8oeLQBz6APSIauN
-LUxXRhKZQwqEVKigMkmofSHdQnoaEylDKKgBJRYhxpkIPY9BIup/83e8Q7wceIYM
-hSJ5GvAPAMi+kWYrUgGqfUlSYNXTgswnvPWQXCHXsy9HCpFcSdsrXQr0kyZlxIGd
-TSIV5hAZZL4cURXdDU+rrNJuA/Pjcebw9aTSNi/LYB+Dv4EsxIUND8d6H5bKCdeN
-PFO1BXLkcwrTaOk+HNHYlwcM3H4p3MPRMCXaXXVRH1O60Rla2SGAOTuj/Xpv0Bo7
-2vfNSQAEk+yHTD1iMy9IxYy/xVHbExp7ErqYARLsmw1enKCdw4h5TbL2ThBTEmje
-tNYOlVyJASIEEAECAAwFAlpcl/gFAwASdQAACgkQlxC4m8pXrXzF1ggAoS7luFCm
+BhUICQoLAgQWAgMBAh4BAheAFiEE1R5k0+Y+3D7veGTO4sddaOYjSwcFAmH6ieIF
+CQt/twEACgkQ4sddaOYjSwcP4BAAu48suXCbfyZ3RWXFfNZ0KfEjh6UtuIYvZ3qV
+GfFSw8BLCNhNbGD/bw8+xDodJSDC1tsI8x08btoTH+zyTbrbvHjhC96fKV+DNonS
+GEAPsnKqj/fl58WP67m0wxh8/pfwIsGbzXn03mwmvRNrVSRHW5CMuBsZPIHj4ATg
+KKjmc/mY15b9zapk9l+bVCe47RsiM7ZbnD00d1erQu7/8LNAR2MCb0PgKrBT+6AS
+UC1XTVc6IuEcIdaf3mLJ4iA5vnrFxtezXtTU7jX12sWEMZOADqf6aPj+U1i+loER
+JN3Ry10OJnDJ+kWP7zwXFWcsaYDZbrI/Odt8PImDkxxTdTpGrvHsuDhbPKmlMHYd
+A8cVlHmy3Pp0Tn5VpV22+CWSR6UQzd6dpPv+2Ekt2z6VMvWOjyujEfsTJWBPDU1i
+slaQoRdchG2kxUEXdOKMTfGwIhNJaeIqvojx7IIxAcOy56KgMuRxmqSOJFuiMC0C
+DcVrsg6FbrzQw1D1FhSZSdnu9Wv+pzjZ8zQnxSsMAYU9e9/3OjJ3/VHNpaGo3zUN
+kTpYsHh3Y9LuVTFSNmGiBnpVg0hZ8aUipAfoiyyQj5QA8nZv0Pptp86+QS6AUkq7
+QvXg8yybYNxsJaxGC9Ea5K1ivAommes0SbzFLg5/3B84o27xeqMMevTMAKZ6txhC
+vqagRLuJASIEEAECAAwFAlpcl/gFAwASdQAACgkQlxC4m8pXrXzF1ggAoS7luFCm
 S13Vv2w2GGpWOLcVh/RUcsTU8eUr9DY40rlrKVkX5MBL1yeD/XiIXY5aFlBaKxIq
 NPjqu0VBZhaYj6ZuGpAodpattzjNOXWxwFtz2JaUfn2VUrZMbDwY9AQMHab/xxir
 PmezHMee9Y56qnNPIHDh3pZZ18rHrwY4e1pVkR+N0xYTb4M0vw3AhHjboS8H9noq
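Review bot: Nothing in the change checks that the replaced armored block still parses and is not expired, so a corrupted paste or another lapsed self-signature would only surface at update-verification time; a unit test calling `crypto.NewKeyFromArmored(DefaultPublicKey)` and asserting `key.IsExpired()` is false would catch that at build time. The issuer portion `FiEE1R5k0+Y+3D7veGTO4sddaOYjSwc` is identical on the removed and added lines, which suggests the primary key itself is unchanged and only its self-signature (presumably the expiry) was refreshed, whereas the subject line says the pubkey was updated; a one-line comment above `DefaultPublicKey` recording what was rotated and when would spare the next maintainer that reconstruction. The same applies to the second hunk of this file, which replaces the tail of the block and its armor checksum.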
@@ -152,17 +152,17 @@ cS0BNvA+4Aip2hhFqWJAbUQXCyMaeU2WTWIzy0FQ6SEFFy/RM8O5O1HHsDYjtIic
 9QJ/PqSD0qN7LMlkjR8AdWvAxm95i5GpxDZODldsOneeummvsn3I1jCoULTik7iJ
 VdRuY1V3vfsYAkefGN/n2ga3MvatCJipwoCGsMgUXGTdokXOqKBgMBuBLCkxj2wl
 ol2R9p8RABEBAAGJAjwEGAEIACYCGwwWIQTVHmTT5j7cPu94ZM7ix11o5iNLBwUC
-XjfaBAUJBdvTowAKCRDix11o5iNLByTCD/oCRk97JjCqNb4B1Ed/G5tJ+w55cptq
-1dBZOxvEf+ol/403Q+R5bRqun3vXYupzZyIEvi10OVZ/t3t/FboOAWwJ222o0Ivm
-t6RhErlmF1dCsKILy5i0iLJexLFGJIiSh6Slr2BZoiqasrlCYStJE2hXhNjXOIiZ
-76YsLed6b5MKBllsw4DGPgT9sECrWft935oGo9caVUTX5VsnoVvzxKQLYki8m1Et
-Eki7M3MK2pPNpX6y1e862JvL0oUfjYjrn8ALrgTeNtx/oRDgMujD1UQd5kGdwzkG
-ec1nB7T5Gdiyfd8unDvSd+Eg3UgF3eDgFA8ZDdO7yZlWv3aEeVUUAvEDT9/RgbnZ
-a22GhGcCJ3mHBMbx2khLIorJq8C1ZkhzpKIWqmETgr3MvUo+iT9YsnuGd8qpl2JK
-Ru2QuKZ0VTqLMuURMojMETiRbfxBg8uZMAxPr45Hqq2hj/8ooF/hYS/Y2oD+b8DM
-7hSTTEXm14p3tp8BbFGdVq1jJn5Zsj7isLAzydlyWWKcfwcljpzLCOo/wME3zUVh
-mDPZYW3/sexJl/ROUHXo8eqBEMUgNLjffiuymfh7L8RmVOcsJsS87nu+iVvR5CaJ
-0VLGn+SuxFT09xhvM4NxQIgNgk+NuQeIcwOMd6vtvf0btSTflN3hRGhGzLcZWWww
-m//Hk8dcT8vncg==
-=G/D6
+YfqKGgUJC3+3OQAKCRDix11o5iNLB7puD/9TPP63NCPUvl2c2gO2G31YvK4XQvc8
+jSGGHkhDXWnC+QxgYLu6O/f/MNt0Hegve8FSDMlLoDrBy217Jsc4uzPpykzesI9Y
+BimCDJGvcNgCnu6WoYM3tOZYY5NdmGs6w9Dyu8tTIB+/PVA0rnJc4LJSu01FIYkq
+u7mAaF/PKa0lD9TF38axN2EvYTfGuukAHrYnqTxoxPkqJJ+F0MoLHuqEHL3/clgM
+95OiC+d/L5xmWMs7+ux/lT81bivLVwtcMCqJoJYjjeN/++auTvK6DWnx5vbEstQR
+6CFNWRsvqcT6pMB0xFZVAwz2fTfdkE4CNpxlrxwfxCDVPvYTUQPzAve+qRIarRx7
+K8npGSq2pMNBZLeaQXvZbslT9Scuu5NuHSCjrGQ5TpVg1yMpN39Pu3nnB0STwvOp
+qcnaHGfvM0wURA7ValXh2xTLc6Oxe8hw+nAFFFXFBqou8qw1zD/DAQFUWGh+yu5q
+9MxmtaewGA67fYf098EEqKql+sktYTa0cjDk6qdYkSO9clcLFkYZspmK04k2y1jO
+7VYtlSdoeHH1ag+HWKx5KXdsWaE4dE+maUbcsRwc7UVC4111cv94mlOcSWpITxPG
+kIV8ldNSpauzaAqHs3qaMO/5rBZbLMynvzjE30JFTdBiepvj88YeAPFols3qa8KO
+00IsXQemR6I8Qw==
+=QiAL
 -----END PGP PUBLIC KEY BLOCK-----`
diff --git a/internal/updater/keyring.go b/internal/updater/keyring.go
new file mode 100644
index 00000000..30740b1e
--- /dev/null
+++ b/internal/updater/keyring.go
@@ -0,0 +1,40 @@
+// Copyright (c) 2023 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see .
+
+package updater
+
+import (
+	"github.com/ProtonMail/gopenpgp/v2/crypto"
+	"github.com/sirupsen/logrus"
+)
+
+func GetDefaultKeyring() (*crypto.KeyRing, error) {
+	l := logrus.WithField("pkg", "updater")
+
+	key, err := crypto.NewKeyFromArmored(DefaultPublicKey)
+	if err != nil {
+		l.WithError(err).Error("Failed to create new verification key")
+		return nil, err
+	}
+
+	kr, err := crypto.NewKeyRing(key)
+	if err != nil {
+		l.WithError(err).Fatal("Failed to create new verification keyring")
+	}
+
+	return kr, nil
+}
diff --git a/internal/versioner/version.go b/internal/versioner/version.go
index 863f6ab4..9f206e84 100644
--- a/internal/versioner/version.go
+++ b/internal/versioner/version.go
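Review bot: A `crypto.NewKeyRing` failure in `GetDefaultKeyring` is handled with `l.WithError(err).Fatal(...)`, which terminates the process from inside a library package, while the `NewKeyFromArmored` failure two statements earlier returns the error; the function already has an error return, so the second path should match it: `l.WithError(err).Error("Failed to create new verification keyring")` followed by `return nil, err`. The same Fatal-inside-an-error-returning-function pattern appears in `computeSum` in utils/hasher/main.go, where it also bypasses cli's own error handling. The exported function has no doc comment; `// GetDefaultKeyring parses the bundled DefaultPublicKey and returns a keyring holding it, for verifying update signatures.` would do. Since the input is a bundled value rather than runtime data, a parse failure here is a programming error, so the log lines on both paths could arguably be dropped in favour of a wrapped error the caller reports once.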
@@ -74,12 +74,16 @@ func (v *Version) SemVer() *semver.Version {
 
 // VerifyFiles verifies all files in the version directory.
 func (v *Version) VerifyFiles(kr *crypto.KeyRing) error {
-	fileBytes, err := os.ReadFile(filepath.Join(v.path, sumFile)) //nolint:gosec
+	return VerifyUpdateFolder(kr, v.path)
+}
+
+func VerifyUpdateFolder(kr *crypto.KeyRing, path string) error {
+	fileBytes, err := os.ReadFile(filepath.Join(path, sumFile)) //nolint:gosec
 	if err != nil {
 		return err
 	}
 
-	sigBytes, err := os.ReadFile(filepath.Join(v.path, sumFile+".sig")) //nolint:gosec
+	sigBytes, err := os.ReadFile(filepath.Join(path, sumFile+".sig")) //nolint:gosec
 	if err != nil {
 		return err
 	}
@@ -92,7 +96,7 @@ func (v *Version) VerifyFiles(kr *crypto.KeyRing) error {
 		return err
 	}
 
-	sum, err := sum.RecursiveSum(v.path, sumFile)
+	sum, err := sum.RecursiveSum(path, sumFile)
 	if err != nil {
 		return err
 	}
diff --git a/utils/hasher/main.go b/utils/hasher/main.go
index 1b56df6e..342af40e 100644
--- a/utils/hasher/main.go
+++ b/utils/hasher/main.go
@@ -20,6 +20,8 @@ package main
 import (
 	"os"
 
+	"github.com/ProtonMail/proton-bridge/v3/internal/updater"
+	"github.com/ProtonMail/proton-bridge/v3/internal/versioner"
 	"github.com/ProtonMail/proton-bridge/v3/pkg/sum"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
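Review bot: `VerifyUpdateFolder` is new and exported but carries no doc comment, and its body continues outside the hunk, so the verification step between the two hunks is not visible here; what is shown reads `sumFile` and `sumFile+".sig"` from `path` and later recomputes `sum.RecursiveSum(path, sumFile)`. A comment along the lines of `// VerifyUpdateFolder checks that the checksum file in path carries a valid signature from kr and that the folder contents match it.` — with the second clause adjusted to what the hidden middle actually does — would document the contract that utils/hasher now depends on. With `path` now reachable from a CLI argument instead of `v.path`, the two `//nolint:gosec` suppressions on `os.ReadFile` cover a caller-supplied path; that is acceptable for a local release tool, but a short comment saying so would keep the suppressions from looking accidental.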
@@ -51,12 +53,30 @@ func createApp() *cli.App {
 			Usage: "The file to save the sum in",
 			Required: true,
 		},
+		&cli.BoolFlag{
+			Name: "verify",
+			Aliases: []string{"v"},
+			Usage: "Verify the update folder is properly hashed and signed.",
+		},
 	}
 
 	return app
 }
 
 func computeSum(c *cli.Context) error {
+	if c.Bool("verify") {
+		kr, err := updater.GetDefaultKeyring()
+		if err != nil {
+			logrus.WithError(err).Fatal("Failed to load key before verify")
+		}
+
+		if err := versioner.VerifyUpdateFolder(kr, c.String("root")); err != nil {
+			logrus.WithError(err).Fatal("Failed to verify")
+		}
+
+		logrus.WithField("path", c.String("root")).Info("Signature OK")
+	}
+
 	b, err := sum.RecursiveSum(c.String("root"), c.String("output"))
 	if err != nil {
 		return err
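Review bot: The `verify` branch in `computeSum` does not return after logging `Signature OK`, so a `--verify` run continues into `sum.RecursiveSum(c.String("root"), c.String("output"))` and whatever the rest of `computeSum` (outside the hunk) does with the result; if that rewrites the file at `output`, verify mode is not read-only, and if regenerating after a successful check is intended, the flag's `Usage` string should say so. A `return nil` after the Info line would make the flag a pure check. `c.String("root")` is looked up three times in the new branch and once more below; a single `root := c.String("root")` at the top of the function reads better and keeps the verified path and the hashed path visibly the same value. The function body continues past the end of the hunk.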