/**
 * Verify the Ed25519 signature of the update file against the
 * supplier's public key.
 *
 * Every key the supplier publishes with type 'signing' is tried in turn;
 * the update is accepted as soon as one of them verifies the file.
 *
 * Dear future security auditors: This is important.
 *
 * @param UpdateInfo $info Describes the update (supplier, package, signature).
 * @param UpdateFile $file The downloaded update on disk.
 * @return bool TRUE if at least one signing key verifies the file.
 */
public function verifyUpdateSignature(UpdateInfo $info, UpdateFile $file) : bool
{
    $context = [
        'path' => $file->getPath(),
        'supplier' => $info->getSupplierName(),
        'name' => $info->getPackageName(),
    ];
    $this->log('Checking update signature...', LogLevel::DEBUG, $context);

    $verified = false;
    foreach ($this->supplier->getSigningKeys() as $candidate) {
        // Only keys published for signing may vouch for an update.
        if ($candidate['type'] !== 'signing') {
            continue;
        }
        // Once a key has verified the file, the remaining keys are not consulted.
        if (!$verified && File::verify($file->getPath(), $candidate['key'], $info->getSignature(true))) {
            $verified = true;
        }
    }

    $this->log(
        'Signature result: ' . ($verified ? 'true' : 'false'),
        LogLevel::DEBUG,
        $context
    );
    return $verified;
}
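/**
 * Check that the detached Ed25519 signature shipped with a supplier's
 * zip archive verifies against at least one of that supplier's signing keys.
 *
 * The archive is expected at `$path/dist/<supplier>.<name>.zip` and its
 * signature next to it with an `.ed25519.sig` suffix.
 *
 * @param string $path     Root of the package checkout.
 * @param array  $manifest Package manifest; must carry 'supplier' and 'name'.
 * @return bool TRUE only when some configured signing key verifies the
 *              archive; FALSE for an incomplete manifest, an unreadable
 *              signature file, an unknown supplier, or no matching key.
 */
protected function zipSignatureCheck(string $path, array $manifest = []) : bool
{
    // Without these fields no archive can be named; fail closed instead of
    // assembling a path from missing values.
    if (!isset($manifest['supplier'], $manifest['name'])) {
        return false;
    }
    $supplierName = $manifest['supplier'];
    $zipPath = $path . '/dist/' . $supplierName . '.' . $manifest['name'] . '.zip';

    // file_get_contents() returns false when the file is missing or unreadable;
    // a false "signature" must never reach the verifier.
    $signature = \file_get_contents($zipPath . '.ed25519.sig');
    if ($signature === false) {
        return false;
    }

    // Read the supplier entry by value: taking a reference (=&) to a missing
    // key would silently create an empty entry in the configuration.
    $supplier = $this->config['suppliers'][$supplierName] ?? null;
    if (!\is_array($supplier) || !\is_array($supplier['signing_keys'] ?? null)) {
        return false;
    }

    foreach ($supplier['signing_keys'] as $signingKey) {
        $publicKey = new SignaturePublicKey(
            \Sodium\hex2bin($signingKey['public_key']),
            true
        );
        // Any one valid signing key is sufficient; stop at the first match.
        if (File::verify($zipPath, $publicKey, $signature)) {
            return true;
        }
    }
    return false;
}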