chore: implement signing of extensions (#79)

* chore: begin work implementing vsix signatures, manifest matching

Based on https://github.com/filiptronicek/node-ovsx-sign

Author: Emyrk

.github/workflows/build.yaml

@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "~1.19"
+          go-version: "~1.22"
 
       - name: Get Go cache paths
         id: go-cache-paths

.github/workflows/lint.yaml

@@ -29,8 +29,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "~1.19"
+          go-version: "~1.22"
       - name: golangci-lint
         uses: golangci/[email protected]
         with:
-          version: v1.48.0
+          version: v1.58.0

.github/workflows/test.yaml

@@ -35,7 +35,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "~1.19"
+          go-version: "~1.22"
 
       - name: Echo Go Cache Paths
         id: go-cache-paths

.gitignore

@@ -2,4 +2,4 @@
 bin
 coverage
 extensions
-.idea
+.idea

api/api.go

@@ -112,7 +112,7 @@ func New(options *Options) *API {
 	r.Post("/api/extensionquery", api.extensionQuery)
 
 	// Endpoint for getting an extension's files or the extension zip.
-	r.Mount("/files", http.StripPrefix("/files", options.Storage.FileServer()))
+	r.Mount("/files", http.StripPrefix("/files", storage.HTTPFileServer(options.Storage)))
 
 	// VS Code can use the files in the response to get file paths but it will
 	// sometimes ignore that and use requests to /assets with hardcoded types to

api/api_test.go

@@ -171,7 +171,7 @@ func TestAPI(t *testing.T) {
 			Response: "foobar",
 		},
 		{
-			Name:   "FileAPI",
+			Name:   "FileAPINotExists",
 			Path:   "/files/nonexistent",
 			Status: http.StatusNotFound,
 		},

cli/add.go

@@ -10,20 +10,12 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
-	"cdr.dev/slog"
-	"cdr.dev/slog/sloggers/sloghuman"
-
 	"github.com/coder/code-marketplace/storage"
 	"github.com/coder/code-marketplace/util"
 )
 
 func add() *cobra.Command {
-	var (
-		artifactory string
-		extdir      string
-		repo        string
-	)
-
+	addFlags, opts := serverFlags()
 	cmd := &cobra.Command{
 		Use:   "add <source>",
 		Short: "Add an extension to the marketplace",
@@ -37,21 +29,7 @@ func add() *cobra.Command {
 			ctx, cancel := context.WithCancel(cmd.Context())
 			defer cancel()
 
-			verbose, err := cmd.Flags().GetBool("verbose")
-			if err != nil {
-				return err
-			}
-			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()))
-			if verbose {
-				logger = logger.Leveled(slog.LevelDebug)
-			}
-
-			store, err := storage.NewStorage(ctx, &storage.Options{
-				Artifactory: artifactory,
-				ExtDir:      extdir,
-				Logger:      logger,
-				Repo:        repo,
-			})
+			store, err := storage.NewStorage(ctx, opts)
 			if err != nil {
 				return err
 			}
@@ -98,10 +76,7 @@ func add() *cobra.Command {
 			return nil
 		},
 	}
-
-	cmd.Flags().StringVar(&extdir, "extensions-dir", "", "The path to extensions.")
-	cmd.Flags().StringVar(&artifactory, "artifactory", "", "Artifactory server URL.")
-	cmd.Flags().StringVar(&repo, "repo", "", "Artifactory repository.")
+	addFlags(cmd)
 
 	return cmd
 }

cli/remove.go

@@ -10,20 +10,15 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
-	"cdr.dev/slog"
-	"cdr.dev/slog/sloggers/sloghuman"
-
 	"github.com/coder/code-marketplace/storage"
 	"github.com/coder/code-marketplace/util"
 )
 
 func remove() *cobra.Command {
 	var (
-		all         bool
-		artifactory string
-		extdir      string
-		repo        string
+		all bool
 	)
+	addFlags, opts := serverFlags()
 
 	cmd := &cobra.Command{
 		Use:   "remove <id>",
@@ -37,21 +32,7 @@ func remove() *cobra.Command {
 			ctx, cancel := context.WithCancel(cmd.Context())
 			defer cancel()
 
-			verbose, err := cmd.Flags().GetBool("verbose")
-			if err != nil {
-				return err
-			}
-			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()))
-			if verbose {
-				logger = logger.Leveled(slog.LevelDebug)
-			}
-
-			store, err := storage.NewStorage(ctx, &storage.Options{
-				Artifactory: artifactory,
-				ExtDir:      extdir,
-				Logger:      logger,
-				Repo:        repo,
-			})
+			store, err := storage.NewStorage(ctx, opts)
 			if err != nil {
 				return err
 			}
@@ -120,9 +101,7 @@ func remove() *cobra.Command {
 	}
 
 	cmd.Flags().BoolVar(&all, "all", false, "Whether to delete all versions of the extension.")
-	cmd.Flags().StringVar(&extdir, "extensions-dir", "", "The path to extensions.")
-	cmd.Flags().StringVar(&artifactory, "artifactory", "", "Artifactory server URL.")
-	cmd.Flags().StringVar(&repo, "repo", "", "Artifactory repository.")
+	addFlags(cmd)
 
 	return cmd
 }

cli/root.go

@@ -1,8 +1,9 @@
 package cli
 
 import (
-	"github.com/spf13/cobra"
 	"strings"
+
+	"github.com/spf13/cobra"
 )
 
 func Root() *cobra.Command {
@@ -16,7 +17,7 @@ func Root() *cobra.Command {
 		}, "\n"),
 	}
 
-	cmd.AddCommand(add(), remove(), server(), version())
+	cmd.AddCommand(add(), remove(), server(), version(), signature())
 
 	cmd.PersistentFlags().BoolP("verbose", "v", false, "Enable verbose output")
 

cli/server.go

@@ -15,21 +15,68 @@ import (
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/code-marketplace/extensionsign"
 
 	"github.com/coder/code-marketplace/api"
 	"github.com/coder/code-marketplace/database"
 	"github.com/coder/code-marketplace/storage"
 )
 
+func serverFlags() (addFlags func(cmd *cobra.Command), opts *storage.Options) {
+	opts = &storage.Options{}
+	var sign bool
+	return func(cmd *cobra.Command) {
+		cmd.Flags().StringVar(&opts.ExtDir, "extensions-dir", "", "The path to extensions.")
+		cmd.Flags().StringVar(&opts.Artifactory, "artifactory", "", "Artifactory server URL.")
+		cmd.Flags().StringVar(&opts.Repo, "repo", "", "Artifactory repository.")
+		cmd.Flags().BoolVar(&sign, "sign", false, "Sign extensions.")
+		_ = cmd.Flags().MarkHidden("sign") // This flag needs to import a key, not just be a bool
+
+		if cmd.Use == "server" {
+			// Server only flags
+			cmd.Flags().DurationVar(&opts.ListCacheDuration, "list-cache-duration", time.Minute, "The duration of the extension cache.")
+		}
+
+		var before func(cmd *cobra.Command, args []string) error
+		if cmd.PreRunE != nil {
+			before = cmd.PreRunE
+		}
+		if cmd.PreRun != nil {
+			beforeNoE := cmd.PreRun
+			before = func(cmd *cobra.Command, args []string) error {
+				beforeNoE(cmd, args)
+				return nil
+			}
+		}
+
+		cmd.PreRunE = func(cmd *cobra.Command, args []string) error {
+			opts.Logger = cmdLogger(cmd)
+			if before != nil {
+				return before(cmd, args)
+			}
+			if sign { // TODO: Remove this for an actual key import
+				opts.Signer, _ = extensionsign.GenerateKey()
+			}
+			return nil
+		}
+	}, opts
+}
+
+func cmdLogger(cmd *cobra.Command) slog.Logger {
+	verbose, _ := cmd.Flags().GetBool("verbose")
+	logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()))
+	if verbose {
+		logger = logger.Leveled(slog.LevelDebug)
+	}
+	return logger
+}
+
 func server() *cobra.Command {
 	var (
-		address           string
-		artifactory       string
-		extdir            string
-		repo              string
-		listcacheduration time.Duration
-		maxpagesize       int
+		address     string
+		maxpagesize int
 	)
+	addFlags, opts := serverFlags()
 
 	cmd := &cobra.Command{
 		Use:   "server",
@@ -41,26 +88,12 @@ func server() *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx, cancel := context.WithCancel(cmd.Context())
 			defer cancel()
+			logger := opts.Logger
 
 			notifyCtx, notifyStop := signal.NotifyContext(ctx, interruptSignals...)
 			defer notifyStop()
 
-			verbose, err := cmd.Flags().GetBool("verbose")
-			if err != nil {
-				return err
-			}
-			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()))
-			if verbose {
-				logger = logger.Leveled(slog.LevelDebug)
-			}
-
-			store, err := storage.NewStorage(ctx, &storage.Options{
-				Artifactory:       artifactory,
-				ExtDir:            extdir,
-				Logger:            logger,
-				Repo:              repo,
-				ListCacheDuration: listcacheduration,
-			})
+			store, err := storage.NewStorage(ctx, opts)
 			if err != nil {
 				return err
 			}
@@ -137,12 +170,9 @@ func server() *cobra.Command {
 		},
 	}
 
-	cmd.Flags().StringVar(&extdir, "extensions-dir", "", "The path to extensions.")
 	cmd.Flags().IntVar(&maxpagesize, "max-page-size", api.MaxPageSizeDefault, "The maximum number of pages to request")
-	cmd.Flags().StringVar(&artifactory, "artifactory", "", "Artifactory server URL.")
-	cmd.Flags().StringVar(&repo, "repo", "", "Artifactory repository.")
 	cmd.Flags().StringVar(&address, "address", "127.0.0.1:3001", "The address on which to serve the marketplace API.")
-	cmd.Flags().DurationVar(&listcacheduration, "list-cache-duration", time.Minute, "The duration of the extension cache.")
+	addFlags(cmd)
 
 	return cmd
 }

cli/signature.go

@@ -0,0 +1,63 @@
+package cli
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/code-marketplace/extensionsign"
+)
+
+func signature() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "signature",
+		Short:   "Commands for debugging and working with signatures.",
+		Hidden:  true, // Debugging tools
+		Aliases: []string{"sig", "sigs", "signatures"},
+	}
+	cmd.AddCommand(compareSignatureSigZips())
+	return cmd
+}
+
+func compareSignatureSigZips() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:  "compare",
+		Args: cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			decode := func(path string) (extensionsign.SignatureManifest, error) {
+				data, err := os.ReadFile(path)
+				if err != nil {
+					return extensionsign.SignatureManifest{}, xerrors.Errorf("read %q: %w", args[0], err)
+				}
+
+				sig, err := extensionsign.ExtractSignatureManifest(data)
+				if err != nil {
+					return extensionsign.SignatureManifest{}, xerrors.Errorf("unmarshal %q: %w", path, err)
+				}
+				return sig, nil
+			}
+
+			a, err := decode(args[0])
+			if err != nil {
+				return err
+			}
+			b, err := decode(args[1])
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprintf(os.Stdout, "Signature A:%s\n", a)
+			_, _ = fmt.Fprintf(os.Stdout, "Signature B:%s\n", b)
+			err = a.Equal(b)
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprintf(os.Stdout, "Signatures are equal\n")
+			return nil
+		},
+	}
+	return cmd
+}

extensionsign/doc.go

@@ -0,0 +1,2 @@
+// Package extensionsign is a Go implementation of https://github.com/filiptronicek/node-ovsx-sign
+package extensionsign

extensionsign/key.go

@@ -0,0 +1,14 @@
+package extensionsign
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+)
+
+func GenerateKey() (ed25519.PrivateKey, error) {
+	_, private, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return private, nil
+}