@aryaminus/controlkeel 0.3.42 → 0.3.44
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/install.js +69 -6
- package/package.json +1 -1
- package/server.json +2 -2
package/lib/install.js
CHANGED
|
@@ -133,10 +133,11 @@ async function verifyChecksum(filePath, asset) {
|
|
|
133
133
|
let checksumText;
|
|
134
134
|
try {
|
|
135
135
|
checksumText = await downloadText(checksumUrl);
|
|
136
|
-
} catch {
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
136
|
+
} catch (err) {
|
|
137
|
+
throw new Error(
|
|
138
|
+
`[controlkeel] Failed to download checksum file from ${checksumUrl}. ` +
|
|
139
|
+
`Cannot verify binary integrity. Aborting installation. (${err.message})`
|
|
140
|
+
);
|
|
140
141
|
}
|
|
141
142
|
|
|
142
143
|
const expectedHash = checksumText
|
|
@@ -145,8 +146,10 @@ async function verifyChecksum(filePath, asset) {
|
|
|
145
146
|
.find(([, name]) => name === asset || name === `./${asset}`)?.[0];
|
|
146
147
|
|
|
147
148
|
if (!expectedHash) {
|
|
148
|
-
|
|
149
|
-
|
|
149
|
+
throw new Error(
|
|
150
|
+
`[controlkeel] No checksum entry found for ${asset} in checksums file. ` +
|
|
151
|
+
`Cannot verify binary integrity. Aborting installation.`
|
|
152
|
+
);
|
|
150
153
|
}
|
|
151
154
|
|
|
152
155
|
const actualHash = await sha256File(filePath);
|
|
@@ -160,6 +163,65 @@ async function verifyChecksum(filePath, asset) {
|
|
|
160
163
|
}
|
|
161
164
|
}
|
|
162
165
|
|
|
166
|
+
/**
|
|
167
|
+
* Verify a cosign keyless signature when cosign is available on PATH.
|
|
168
|
+
* Falls back gracefully when cosign is not installed.
|
|
169
|
+
*/
|
|
170
|
+
async function verifySignature(filePath, asset, baseUrl) {
|
|
171
|
+
if (process.env.CONTROLKEEL_SKIP_SIGNATURE === "1") return;
|
|
172
|
+
|
|
173
|
+
const { execFileSync } = require("node:child_process");
|
|
174
|
+
const lookupCommand = process.platform === "win32" ? "where" : "command";
|
|
175
|
+
const lookupArgs = process.platform === "win32" ? ["cosign"] : ["-v", "cosign"];
|
|
176
|
+
|
|
177
|
+
let cosignPath;
|
|
178
|
+
try {
|
|
179
|
+
cosignPath = execFileSync(lookupCommand, lookupArgs, { encoding: "utf8", shell: false }).split(/\r?\n/)[0].trim();
|
|
180
|
+
} catch {
|
|
181
|
+
// cosign not available — checksum-only mode
|
|
182
|
+
return;
|
|
183
|
+
}
|
|
184
|
+
|
|
185
|
+
if (!cosignPath) return;
|
|
186
|
+
|
|
187
|
+
const repo = `${Buffer.from("YXJ5YW1pbnVzL2NvbnRyb2xrZWVs", "base64")}`;
|
|
188
|
+
const sigUrl = `${baseUrl}/${asset}.sig`;
|
|
189
|
+
const certUrl = `${baseUrl}/${asset}.pem`;
|
|
190
|
+
const sigFile = path.join(os.tmpdir(), `${asset}.sig`);
|
|
191
|
+
const certFile = path.join(os.tmpdir(), `${asset}.pem`);
|
|
192
|
+
|
|
193
|
+
await download(sigUrl, sigFile).catch(() => null);
|
|
194
|
+
await download(certUrl, certFile).catch(() => null);
|
|
195
|
+
|
|
196
|
+
if (!fs.existsSync(sigFile) || !fs.existsSync(certFile)) {
|
|
197
|
+
fs.rmSync(sigFile, { force: true });
|
|
198
|
+
fs.rmSync(certFile, { force: true });
|
|
199
|
+
|
|
200
|
+
if (process.env.CONTROLKEEL_REQUIRE_SIGNATURE === "1") {
|
|
201
|
+
throw new Error(`[controlkeel] No cosign signature/certificate available for ${asset}`);
|
|
202
|
+
}
|
|
203
|
+
|
|
204
|
+
return;
|
|
205
|
+
}
|
|
206
|
+
|
|
207
|
+
try {
|
|
208
|
+
execFileSync(cosignPath, [
|
|
209
|
+
"verify-blob", filePath,
|
|
210
|
+
"--signature", sigFile,
|
|
211
|
+
"--certificate", certFile,
|
|
212
|
+
"--certificate-identity-regexp", `^https://github.com/${repo}/.github/workflows/release.yml@refs/tags/v[0-9].*`,
|
|
213
|
+
"--certificate-oidc-issuer", "https://token.actions.githubusercontent.com"
|
|
214
|
+
], { stdio: "pipe", timeout: 30000 });
|
|
215
|
+
|
|
216
|
+
console.log(`[controlkeel] Verified ${asset} signature (cosign keyless)`);
|
|
217
|
+
} catch (err) {
|
|
218
|
+
throw new Error(`[controlkeel] cosign signature verification failed for ${asset}`);
|
|
219
|
+
} finally {
|
|
220
|
+
fs.rmSync(sigFile, { force: true });
|
|
221
|
+
fs.rmSync(certFile, { force: true });
|
|
222
|
+
}
|
|
223
|
+
}
|
|
224
|
+
|
|
163
225
|
async function ensureBinary({ forceDownload = false } = {}) {
|
|
164
226
|
const destination = binaryPath();
|
|
165
227
|
|
|
@@ -174,6 +236,7 @@ async function ensureBinary({ forceDownload = false } = {}) {
|
|
|
174
236
|
|
|
175
237
|
await download(url, tempPath);
|
|
176
238
|
await verifyChecksum(tempPath, asset);
|
|
239
|
+
await verifySignature(tempPath, asset, releaseBaseUrl());
|
|
177
240
|
|
|
178
241
|
fs.copyFileSync(tempPath, destination);
|
|
179
242
|
fs.rmSync(tempPath, { force: true });
|
package/package.json
CHANGED
package/server.json
CHANGED
|
@@ -7,12 +7,12 @@
|
|
|
7
7
|
"url": "https://github.com/aryaminus/controlkeel.git",
|
|
8
8
|
"source": "github"
|
|
9
9
|
},
|
|
10
|
-
"version": "0.3.
|
|
10
|
+
"version": "0.3.44",
|
|
11
11
|
"packages": [
|
|
12
12
|
{
|
|
13
13
|
"registryType": "npm",
|
|
14
14
|
"identifier": "@aryaminus/controlkeel",
|
|
15
|
-
"version": "0.3.
|
|
15
|
+
"version": "0.3.44",
|
|
16
16
|
"runtimeHint": "npx",
|
|
17
17
|
"transport": {
|
|
18
18
|
"type": "stdio"
|