minisign 0.0.5 → 0.0.7

Files changed (3)
  1. checksums.yaml +4 -4
  2. data/lib/minisign.rb +51 -16
  3. metadata +4 -3
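--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 43e641548c51311a548098b0102d122dfd770db04384fc905d8fb133e0d90feb
- data.tar.gz: 157e8e96644b65392e1f4f20f06976ec093ab275c2c2b83a2e4ec85b57282884
+ metadata.gz: 8dd11c61143149fd612a6c08a084a4e5831ec66f860c6a706edea18fc53bec00
+ data.tar.gz: f7b6013996e7e72b35ad8c500e2bf5d24ebc2a9abe0d1d09bda86cfaca2d4ba8
  SHA512:
- metadata.gz: 3fda3b616d567b60fbd35e9fdb825bf6ac659a0cd93c80379a8c61004d7d6e3a02dbb05cddc76db7eef046224bad82a10e335c979d574f971ea7d89c945a65be
- data.tar.gz: 45605deb3b08e44a9f49ffd7f64aea6c511c7e24dc6fef9951bb816ce08480ab8a6ef4041b1634cd910933f2b4b84e272207249b0a0d238e9ce17d7bd82da020
+ metadata.gz: 615740c7d8fde14c2de494b2f7f9d28ebfaff2cb583210e29ee18573b97180d2a3d1ff3631085cdb53803d35a08cd31d01457c321a45d6d8b684849bcf69cb08
+ data.tar.gz: d89f2cace36de94f4909420161a120888a929b3a097b00cbfa33e7081f7dcb15bacd93ca21be52df9f36009c5b3f1455b75dd49c29c99c3299d6130c8561a8b7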
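--- a/data/lib/minisign.rb
+++ b/data/lib/minisign.rb
@@ -9,23 +9,42 @@ require 'openssl'
  module Minisign
  # Parse a .minisig file's contents
  class Signature
- attr_reader :signature, :comment, :comment_signature
-
- # @!attribute [r] signature
- # @return [String] the ed25519 verify key
- # @!attribute [r] comment_signature
- # @return [String] the signature for the trusted comment
- # @!attribute [r] comment
- # @return [String] the trusted comment
-
  # @param str [String] The contents of the .minisig file
  # @example
  # Minisign::Signature.new(File.read('test/example.txt.minisig'))
  def initialize(str)
- lines = str.split("\n")
- @signature = Base64.decode64(lines[1])[10..]
- @comment = lines[2].split('trusted comment: ')[1]
- @comment_signature = Base64.decode64(lines[3])
+ @lines = str.split("\n")
+ end
+
+ # @return [String] the key id
+ # @example
+ # Minisign::Signature.new(File.read('test/example.txt.minisig')).key_id
+ # #=> "E86FECED695E8E0"
+ def key_id
+ encoded_signature[2..9].bytes.map { |c| c.to_s(16) }.reverse.join.upcase
+ end
+
+ # @return [String] the trusted comment
+ # @example
+ # Minisign::Signature.new(File.read('test/example.txt.minisig')).trusted_comment
+ # #=> "timestamp:1653934067\tfile:example.txt\thashed"
+ def trusted_comment
+ @lines[2].split('trusted comment: ')[1]
+ end
+
+ def trusted_comment_signature
+ Base64.decode64(@lines[3])
+ end
+
+ # @return [String] the signature
+ def signature
+ encoded_signature[10..]
+ end
+
+ private
+
+ def encoded_signature
+ Base64.decode64(@lines[1])
  end
  end
 
@@ -37,10 +56,19 @@ module Minisign
  # @example
  # Minisign::PublicKey.new('RWTg6JXWzv6GDtDphRQ/x7eg0LaWBcTxPZ7i49xEeiqXVcR+r79OZRWM')
  def initialize(str)
- @public_key = Base64.strict_decode64(str)[10..]
+ @decoded = Base64.strict_decode64(str)
+ @public_key = @decoded[10..]
  @verify_key = Ed25519::VerifyKey.new(@public_key)
  end
 
+ # @return [String] the key id
+ # @example
+ # Minisign::PublicKey.new('RWTg6JXWzv6GDtDphRQ/x7eg0LaWBcTxPZ7i49xEeiqXVcR+r79OZRWM').key_id
+ # #=> "E86FECED695E8E0"
+ def key_id
+ @decoded[2..9].bytes.map { |c| c.to_s(16) }.reverse.join.upcase
+ end
+
  # Verify a message's signature
  #
  # @param sig [Minisign::Signature]
@@ -50,13 +78,20 @@ module Minisign
  # @raise RuntimeError on tampered trusted comments
  def verify(sig, message)
  blake = OpenSSL::Digest.new('BLAKE2b512')
+ ensure_matching_key_ids(sig.key_id, key_id)
  @verify_key.verify(sig.signature, blake.digest(message))
  begin
- @verify_key.verify(sig.comment_signature, sig.signature + sig.comment)
+ @verify_key.verify(sig.trusted_comment_signature, sig.signature + sig.trusted_comment)
  rescue Ed25519::VerifyError
  raise 'Comment signature verification failed'
  end
- "Signature and comment signature verified\nTrusted comment: #{sig.comment}"
+ "Signature and comment signature verified\nTrusted comment: #{sig.trusted_comment}"
+ end
+
+ private
+
+ def ensure_matching_key_ids(key_id1, key_id2)
+ raise "Signature key id is #{key_id1}\nbut the key id in the public key is #{key_id2}" unless key_id1 == key_id2
  end
  end
  end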
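Review bot: `key_id` in both `Signature` and `PublicKey` formats each byte with `c.to_s(16)`, which drops the leading zero of any byte below 0x10. The id is therefore not a fixed 16 hex digits (the documented example `E86FECED695E8E0` has 15), and two different 8-byte ids can render to the same string. `ensure_matching_key_ids` compares these strings, so the check added in `verify` is weaker than a byte comparison. The Ed25519 verification that follows still binds the signature to the key, so this affects the mismatch diagnostic rather than the signature check itself. Pad each byte, e.g. `@decoded[2..9].bytes.reverse.map { |c| format('%02X', c) }.join` in `PublicKey#key_id`, with the same change on `encoded_signature[2..9]` in `Signature#key_id`.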
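--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: minisign
  version: !ruby/object:Gem::Version
- version: 0.0.5
+ version: 0.0.7
  platform: ruby
  authors:
  - Jesse Shawl
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-05-30 00:00:00.000000000 Z
+ date: 2022-06-22 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: ed25519
@@ -34,7 +34,8 @@ files:
  homepage: https://rubygems.org/gems/minisign
  licenses:
  - MIT
- metadata: {}
+ metadata:
+ rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options: []
  require_paths: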