fixups

cli/signature.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
-	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -16,7 +15,6 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/code-marketplace/extensionsign"
-	"github.com/coder/code-marketplace/storage/easyzip"
 )
 
 func signature() *cobra.Command {
@@ -31,6 +29,10 @@ func signature() *cobra.Command {
 	return cmd
 }
 
+var (
+	localCA = false
+)
+
 func verifySig() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "verify <extension.vsix> <signature.p7s>",
@@ -40,6 +42,11 @@ func verifySig() *cobra.Command {
 			logger := cmdLogger(cmd)
 			ctx := cmd.Context()
 			extensionVsix := args[0]
+			msgData, err := os.ReadFile(extensionVsix)
+			if err != nil {
+				return xerrors.Errorf("read %q: %w", extensionVsix, err)
+			}
+
 			p7sFile := args[1]
 
 			logger.Info(ctx, fmt.Sprintf("Decoding %q", p7sFile))
@@ -49,14 +56,14 @@ func verifySig() *cobra.Command {
 				return xerrors.Errorf("read %q: %w", p7sFile, err)
 			}
 
-			msg, err := easyzip.GetZipFileReader(data, extensionVsix)
-			if err != nil {
-				return xerrors.Errorf("get manifest: %w", err)
-			}
-			msgData, err := io.ReadAll(msg)
-			if err != nil {
-				return xerrors.Errorf("read manifest: %w", err)
-			}
+			//msg, err := easyzip.GetZipFileReader(data, extensionVsix)
+			//if err != nil {
+			//	return xerrors.Errorf("get manifest: %w", err)
+			//}
+			//msgData, err := io.ReadAll(msg)
+			//if err != nil {
+			//	return xerrors.Errorf("read manifest: %w", err)
+			//}
 
 			signed, err := extensionsign.ExtractP7SSig(data)
 			if err != nil {
@@ -87,6 +94,7 @@ func verifySig() *cobra.Command {
 			return nil
 		},
 	}
+	cmd.Flags().BoolVar(&localCA, "local-ca", true, "Use the local CA for verification.")
 	return cmd
 }
 
@@ -153,12 +161,18 @@ func openSSLVerify(ctx context.Context, logger slog.Logger, message []byte, sign
 		return false, xerrors.Errorf("write signature: %w", err)
 	}
 
-	cmd := exec.CommandContext(ctx, "openssl", "smime", "-verify",
+	if localCA {
+
+	}
+
+	cmd := exec.CommandContext(ctx, "openssl", "cms", "-verify",
 		"-in", sigPath, "-content", msgPath, "-inform", "DER",
-		"-CAfile", "/home/steven/go/src/github.com/coder/code-marketplace/extensionsign/testdata/cert2.pem",
 	)
+	if localCA {
+		cmd.Args = append(cmd.Args, "-CAfile", "/home/steven/go/src/github.com/coder/code-marketplace/extensionsign/testdata/cert2.pem")
+	}
 	output := &strings.Builder{}
-	cmd.Stdout = output
+	//cmd.Stdout = output
 	cmd.Stderr = output
 	err = cmd.Run()
 	fmt.Println(output.String())

extensionsign/algo.go

@@ -13,7 +13,7 @@ import (
 	"golang.org/x/xerrors"
 )
 
-var SigningAlgorithm = OpenSSLSign
+var SigningAlgorithm = CMSAlgo
 
 func CMSAlgo(data []byte, certs []*x509.Certificate, signer crypto.Signer) (result []byte, err error) {
 	return cms.SignDetached(data, certs, signer)

extensionsign/sigzip.go

@@ -39,7 +39,7 @@ func ExtractP7SSig(zip []byte) ([]byte, error) {
 }
 
 // SignAndZipManifest signs a manifest and zips it up
-func SignAndZipManifest(certs []*x509.Certificate, secret crypto.Signer, manifest json.RawMessage) ([]byte, error) {
+func SignAndZipManifest(certs []*x509.Certificate, secret crypto.Signer, vsixData []byte, manifest json.RawMessage) ([]byte, error) {
 	var buf bytes.Buffer
 	w := zip.NewWriter(&buf)
 
@@ -53,19 +53,12 @@ func SignAndZipManifest(certs []*x509.Certificate, secret crypto.Signer, manifes
 		return nil, xerrors.Errorf("write manifest: %w", err)
 	}
 
-	// Empty file
 	p7sFile, err := w.Create(".signature.p7s")
 	if err != nil {
 		return nil, xerrors.Errorf("create empty p7s signature: %w", err)
 	}
 
-	// Actual sig
-	sigFile, err := w.Create(".signature.sig")
-	if err != nil {
-		return nil, xerrors.Errorf("create signature: %w", err)
-	}
-
-	signature, err := secret.Sign(rand.Reader, vsixData, crypto.Hash(0))
+	signature, err := SigningAlgorithm(vsixData, certs, secret)
 	if err != nil {
 		return nil, xerrors.Errorf("sign: %w", err)
 	}

storage/signature.go

@@ -14,10 +14,6 @@ import (
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
-<<<<<<< HEAD
-
-=======
->>>>>>> 13a5775 (chore: more work towards supporting p7s)
 	"github.com/coder/code-marketplace/extensionsign"
 )
 
@@ -208,7 +204,7 @@ func (s *Signature) Open(ctx context.Context, fp string) (fs.File, error) {
 }
 
 func (s *Signature) SigZip(ctx context.Context, vsix []byte, sigManifest []byte) ([]byte, error) {
-	signed, err := extensionsign.SignAndZipManifest(s.Signer, vsix, sigManifest)
+	signed, err := extensionsign.SignAndZipManifest(s.Certificates, s.Signer, vsix, sigManifest)
 	if err != nil {
 		s.Logger.Error(ctx, "signing manifest", slog.Error(err))
 		return nil, xerrors.Errorf("sign and zip manifest: %w", err)

storage/signature_test.go

@@ -5,6 +5,8 @@ import (
 	"crypto/x509"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
 	"cdr.dev/slog"
 	"github.com/coder/code-marketplace/extensionsign"
 	"github.com/coder/code-marketplace/storage"
@@ -32,7 +34,7 @@ func signed(signer bool, factory func(t *testing.T) testStorage) func(t *testing
 		sst, err := storage.NewSignatureStorage(slog.Make(), key, []*x509.Certificate{}, st.storage)
 		require.NoError(t, err)
 		return testStorage{
-			storage:          storage.NewSignatureStorage(slog.Make(), key, st.storage),
+			storage:          sst,
 			write:            st.write,
 			exists:           st.exists,
 			expectedManifest: exp,