
Verify file signatures #114

Merged: 5 commits from the pr-checksum branch into jaemk:master on Oct 23, 2023

Conversation

@Kijewski (Contributor) commented Sep 7, 2023

This work-in-progress PR implements signed ZIP files. I was hoping to attract a few more eyeballs before I invest more time. 👀

The idea is that even if your GitHub credentials are compromised, and some evil actor can upload malicious releases in your name, then hopefully your private key was not compromised also. Without the private key an upload cannot be signed and the self-update will intentionally fail.

The signature gets stored as the first 64 bytes of a ZIP file. This is possible because ZIP files have their "header" at the end of the file, and arbitrary content can be prepended to them. This feature is also used in e.g. self-extracting ZIP files.

The signatures use ed25519. In https://github.com/Kijewski/zipsign I am implementing a tool to craft signed ZIP files:

  • install "zipsign"
  • zipsign gen-key my-private.key my-public.key
  • sign an archive of your program(s):
    • create a .zip and/or .tar.gz of your program(s) with whatever tool you are already using
    • zipsign sign zip my-program.zip my-private.key
    • zipsign sign tar my-program.tar.gz my-private.key
  • verify that an archive is correctly signed
    • zipsign verify zip my-program.zip my-public.key
    • zipsign verify tar my-program.tar.gz my-public.key

Shortcomings:

  • You cannot sign uncompressed .tar files, .tar.bz2, .tar.xz, .tar.zstd or .tar.Z.

So, what do y'all think? Is this PR on the right track?

Closes #85, closes #111. Cc @jqnatividad, @rbauduin.

@jqnatividad (Contributor) commented Sep 7, 2023

Hi @Kijewski,
Thanks for looping me in on this. With my project's release tempo (165 releases in ~3 years), self-update is an essential part of qsv.

So long as zipsigned archive files can be unzipped by regular zip utilities, I'm all for it!

Right now, I use 7z with very aggressive compression settings for my release workflow:

https://github.com/jqnatividad/qsv/blob/master/.github/workflows/publish.yml

If I can just add zipsign to the workflow to sign the 7z-created zip file, it'd be a no-brainer for me.

You got my vote!

As for the implementation details, it LGTM, but I don't know enough about self-update's innards to offer any implementation advice.

So long as @jaemk blesses it, it's good enough for me 😉

@Kijewski (Contributor, Author) commented Sep 8, 2023

Thank you for providing me with your repo as an example! I was only looking at my own use case, and was missing the "bigger picture". You are packaging multiple files into one zip file, which is perfectly valid, but I still did not account for this case.

My current implementation adds a signature to the zip file that can be used to verify one unzipped file. I will change the implementation to cover the whole .zip file instead of its content. This has multiple advantages. First and foremost: You can have multiple files that all get signed. And you don't have to look inside the zip file to tell if it was tampered with, e.g. to reject zip bombs.
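The scheme described in the PR description (an ed25519 signature as the first 64 bytes of the file) combined with the change proposed in the comment above (the signature covers the whole .zip, not individual members), as an added Go example. This is not code from self_update or zipsign, and the final on-disk format is whatever zipsign defines; Go is used here only because its standard library ships ed25519 and a ZIP reader. The function names, the fixed-seed keys and the one-entry sample archive are all constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"io/fs"
)

// Assumed layout, as described in the PR: the first 64 bytes of the published
// file are a raw ed25519 signature; everything after them is the complete,
// unmodified .zip. The signature covers the whole archive.
const sigLen = ed25519.SignatureSize // 64

// signZip (publisher side) returns sig || zipBytes, the file that gets uploaded.
func signZip(priv ed25519.PrivateKey, zipBytes []byte) []byte {
	out := append([]byte(nil), ed25519.Sign(priv, zipBytes)...)
	return append(out, zipBytes...)
}

// verifyZip (updater side) checks the prefix against the pinned public key and
// returns the bare archive. A truncated, edited or re-signed file is rejected
// before any ZIP structure is read, so for example a zip bomb is never parsed.
func verifyZip(pub ed25519.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < sigLen {
		return nil, errors.New("file too short to carry a signature")
	}
	if !ed25519.Verify(pub, signed[sigLen:], signed[:sigLen]) {
		return nil, errors.New("signature does not verify; refusing to extract")
	}
	return signed[sigLen:], nil
}

// mustBuildZip creates a one-entry in-memory archive (constructed sample input).
func mustBuildZip(name, content string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.Create(name)
	if err != nil {
		panic(err)
	}
	if _, err := f.Write([]byte(content)); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// readEntry parses an archive and returns one member; only call it on bytes returned by verifyZip.
func readEntry(zipBytes []byte, name string) (string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipBytes), int64(len(zipBytes)))
	if err != nil {
		return "", err
	}
	b, err := fs.ReadFile(r, name)
	return string(b), err
}

// demoResult records what runDemo observed.
type demoResult struct {
	Entry       string // content read from the verified archive
	TamperedErr error  // verifying a copy with one payload bit flipped
	WrongKeyErr error  // verifying an archive signed with the attacker's key
}

// runDemo walks publisher (sign) and updater (verify, then extract) and the two
// attacks the scheme stops: editing the upload, and signing with a non-pinned key.
// Keys come from fixed seeds for reproducibility; real keys must never be made so.
func runDemo() (demoResult, error) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))

	archive := mustBuildZip("my-program", "#!/bin/sh\necho hello\n")
	signed := signZip(priv, archive)

	body, err := verifyZip(pub, signed)
	if err != nil {
		return demoResult{}, err
	}
	content, err := readEntry(body, "my-program")
	if err != nil {
		return demoResult{}, err
	}

	tampered := append([]byte(nil), signed...)
	tampered[sigLen+len(archive)/2] ^= 0x01 // any byte of the zip will do
	_, tamperedErr := verifyZip(pub, tampered)
	_, wrongKeyErr := verifyZip(pub, signZip(attackerPriv, archive))
	return demoResult{content, tamperedErr, wrongKeyErr}, nil
}

func main() {
	res, err := runDemo()
	fmt.Printf("%+v (setup error: %v)\n", res, err)
}
```

Two design points worth keeping when reimplementing this: the updater hands only the verified, prefix-stripped bytes to the ZIP parser rather than relying on the parser to skip leading junk, so the check does not depend on how tolerant a given ZIP implementation is of prepended data; and the public key is pinned in the updater, so an attacker who controls the release page but not the private key can neither edit the upload nor substitute a file signed with a key of their own. Ordinary unzip tools still open the prefixed file, since they locate the end-of-central-directory record from the end of the file, which is the property the PR description relies on.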

@Kijewski Kijewski force-pushed the pr-checksum branch 2 times, most recently from db23e56 to 96acaa6 (September 12, 2023 15:43)
@Kijewski Kijewski marked this pull request as ready for review September 16, 2023 14:51
@Kijewski (Contributor, Author) commented

I think the PR is ready to be reviewed. It bumps the MSRV to 1.64 (released on 2022-09-22), because it uses weak dependency features (MSRV: 1.60) and workspace inheritance (MSRV: 1.64). I hope that is okay.

@Kijewski Kijewski changed the title WIP: Verify file signatures Verify file signatures Sep 17, 2023
@jaemk (Owner) commented Oct 23, 2023

Sorry for the delay @Kijewski - This looks great, thanks!

@jaemk jaemk merged commit 16bba08 into jaemk:master Oct 23, 2023
1 check passed
@jaemk (Owner) commented Oct 23, 2023

released in 0.39.0

Linked issues (may be closed by this pull request):

  • add option to validate checksums?
  • Feature Request: optional checksum verification