 /**
  * Verify the Ed25519 signature of the update file against the
  * supplier's public key.
  *
  * Dear future security auditors: This is important.
  *
  * Every key the supplier publishes with type "signing" is tried in
  * turn; the update is accepted as soon as one of them verifies the
  * detached signature, and the outcome is logged either way.
  *
  * @param UpdateInfo $info
  * @param UpdateFile $file
  * @return bool True when at least one signing key verifies the file
  */
 public function verifyUpdateSignature(UpdateInfo $info, UpdateFile $file) : bool
 {
     $context = [
         'path' => $file->getPath(),
         'supplier' => $info->getSupplierName(),
         'name' => $info->getPackageName()
     ];
     $this->log('Checking update signature...', LogLevel::DEBUG, $context);

     $verified = false;
     foreach ($this->supplier->getSigningKeys() as $candidate) {
         // Only keys published for signing are consulted, and once one
         // of them has verified the file no further keys are checked.
         if ($candidate['type'] !== 'signing' || $verified) {
             continue;
         }
         if (File::verify($file->getPath(), $candidate['key'], $info->getSignature(true))) {
             $verified = true;
         }
     }

     $this->log(
         'Signature result: ' . ($verified ? 'true' : 'false'),
         LogLevel::DEBUG,
         $context
     );
     return $verified;
 }
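 /**
  * Check that the detached Ed25519 signature is valid for a given
  * zip distribution.
  *
  * The manifest names the supplier and package; the zip under
  * dist/ is verified against each of that supplier's configured
  * signing keys and accepted as soon as one of them verifies the
  * accompanying .ed25519.sig file. Any missing input (manifest
  * fields, supplier configuration, unreadable signature file) is
  * treated as a verification failure rather than an error.
  *
  * NOTE(review): 'supplier' and 'name' are interpolated into a
  * filesystem path below; if the manifest can come from an untrusted
  * source, callers should validate those names (e.g. restrict them
  * to a safe character set) before reaching this method — confirm
  * where that validation happens.
  *
  * @param string $path   Package root; the archive is expected under dist/
  * @param array $manifest Expected keys: 'supplier' and 'name'
  * @return bool
  */
 protected function zipSignatureCheck(string $path, array $manifest = []) : bool
 {
     // Fail closed instead of building a path from missing fields.
     if (!isset($manifest['supplier'], $manifest['name'])) {
         return false;
     }
     $supplier_name = $manifest['supplier'];

     // Read the supplier by value: a reference assignment (=&) on an
     // unknown supplier name would silently create an empty config
     // entry as a side effect. An unknown supplier cannot verify anything.
     $supplier = $this->config['suppliers'][$supplier_name] ?? null;
     if (!\is_array($supplier) || empty($supplier['signing_keys'])) {
         return false;
     }

     $zipName = $supplier_name . '.' . $manifest['name'] . '.zip';
     $zipPath = $path . '/dist/' . $zipName;
     $signature = \file_get_contents($zipPath . '.ed25519.sig');
     if ($signature === false) {
         // A missing or unreadable signature file is a failed check,
         // not a reason to verify against a bogus value.
         return false;
     }

     foreach ($supplier['signing_keys'] as $keyData) {
         if (!isset($keyData['public_key'])) {
             continue;
         }
         // signing key
         $publicKey = new SignaturePublicKey(\Sodium\hex2bin($keyData['public_key']), true);
         // First key that verifies the archive is sufficient.
         if (File::verify($zipPath, $publicKey, $signature)) {
             return true;
         }
     }
     return false;
 }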