npm - @trops/dash-core - Versions diffs - 0.1.601 → 0.1.602 - Mend

@trops/dash-core 0.1.601 → 0.1.602

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/electron/index.js +152 -1
package/dist/electron/index.js.map +1 -1
package/package.json +1 -1

package/dist/electron/index.js CHANGED Viewed

@@ -13232,6 +13232,51 @@ async function verifyBufferSignature({ bytes, signature, publicKey }) {
   return ed.verifyAsync(sigBytes, digest, pubBytes);
 }
+// --- Manifest body signature (Phase 5D, audit P1 #24) ---
+//
+// Mirror of dash-registry/src/lib/crypto.ts#signManifestBody /
+// verifyManifestSignature. The registry's `/download` response carries
+// `{manifest_signature, manifest_signature_keyid}` over the rest of
+// the body. The installer verifies before consuming `downloadUrl` so
+// a MITM that swaps any field is caught client-side.
+//
+// Both sides must canonicalize identically: strip the two signature
+// fields, sort remaining keys recursively, no whitespace.
+const CURRENT_MANIFEST_SIGNATURE_KEYID = "v1";
+function canonicalizeManifestBody(body) {
+  if (!body || typeof body !== "object") {
+    throw new Error("manifest body must be an object");
+  }
+  const stripped = { ...body };
+  delete stripped.manifest_signature;
+  delete stripped.manifest_signature_keyid;
+  return canonicalJsonStringify(stripped);
+}
+/**
+ * Verify a manifest signature against the registry root public key.
+ * Returns true/false; never throws on a bad signature — caller
+ * decides what to do based on mode (off/warn/strict).
+ *
+ * @param {object} args
+ * @param {object} args.body — full response body INCLUDING signature fields (ignored on canonicalize)
+ * @param {string} args.signature — base64 Ed25519 signature
+ * @param {string} args.registryRootPublicKey — base64
+ * @returns {Promise<boolean>}
+ */
+async function verifyManifestSignature({
+  body,
+  signature,
+  registryRootPublicKey,
+}) {
+  const message = new TextEncoder().encode(canonicalizeManifestBody(body));
+  const sigBytes = base64ToBytes(signature);
+  const rootPubBytes = base64ToBytes(registryRootPublicKey);
+  return ed.verifyAsync(sigBytes, message, rootPubBytes);
+}
 var publisherCrypto = {
   canonicalJsonStringify,
   computeFingerprint: computeFingerprint$1,
@@ -13239,8 +13284,16 @@ var publisherCrypto = {
   verifyPublisherCert: verifyPublisherCert$1,
   signBuffer,
   verifyBufferSignature,
+  verifyManifestSignature,
+  CURRENT_MANIFEST_SIGNATURE_KEYID,
   // internal helpers — exported for tests
-  _internal: { bytesToBase64, base64ToBytes, bytesToHex, sha256 },
+  _internal: {
+    bytesToBase64,
+    base64ToBytes,
+    bytesToHex,
+    sha256,
+    canonicalizeManifestBody,
+  },
 };
 /**
@@ -13320,6 +13373,8 @@ function requireVerifyRegistryInstall () {
 	const {
 	  verifyPublisherCert,
 	  verifyBufferSignature,
+	  verifyManifestSignature,
+	  CURRENT_MANIFEST_SIGNATURE_KEYID,
 	} = publisherCrypto;
 	const { getRegistryRootPublicKey } = registryRootPublicKey;
@@ -13486,8 +13541,83 @@ function requireVerifyRegistryInstall () {
 	  return { verified: true, reason: null, mode, warnings };
 	}
+	/**
+	 * Phase 5D (audit P1 #24): verify the signature on the /download
+	 * response BODY before the caller consumes downloadUrl / zipSignature /
+	 * publisherCert from it. Closes the MITM vector where a swapped
+	 * response could redirect the installer to a different ZIP signed by
+	 * an attacker-controlled (but still legitimate) publisher cert.
+	 *
+	 * Same off/warn/strict modes as the zip+cert verifier above — the
+	 * env var `DASH_REGISTRY_VERIFY_SIGNED_INSTALL` controls both.
+	 *
+	 * The signature is computed server-side over the canonical JSON of
+	 * the body minus the two signature fields themselves. Verification
+	 * here re-canonicalizes the same way and checks against the bundled
+	 * registry root public key.
+	 *
+	 * @param {object} args
+	 * @param {object} args.responseBody — the full parsed JSON body from /download
+	 * @returns {Promise<{verified, reason, mode, warnings}>}
+	 */
+	async function verifyDownloadManifest({ responseBody }) {
+	  const mode = readMode();
+	  const warnings = [];
+	  if (mode === "off") {
+	    return { verified: true, reason: null, mode, warnings };
+	  }
+	  if (!responseBody || typeof responseBody !== "object") {
+	    return applyMode(mode, "MANIFEST_BODY_MISSING", warnings);
+	  }
+	  const signature = responseBody.manifest_signature;
+	  const keyid = responseBody.manifest_signature_keyid;
+	  // Unsigned case: legacy registry deployments that haven't been
+	  // upgraded yet won't include these fields. In `warn` mode we log
+	  // + proceed so the rollout doesn't break existing installs; in
+	  // `strict` mode we refuse.
+	  if (!signature || !keyid) {
+	    return applyMode(mode, "UNSIGNED_MANIFEST", warnings);
+	  }
+	  // Today only one root key is bundled. When rotation lands, this
+	  // becomes a lookup over an array of trusted public keys keyed by
+	  // keyid; unknown keyid → fail closed.
+	  if (keyid !== CURRENT_MANIFEST_SIGNATURE_KEYID) {
+	    return applyMode(
+	      mode,
+	      `MANIFEST_SIGNATURE_UNKNOWN_KEYID: ${keyid}`,
+	      warnings,
+	    );
+	  }
+	  let ok = false;
+	  try {
+	    ok = await verifyManifestSignature({
+	      body: responseBody,
+	      signature,
+	      registryRootPublicKey: getRegistryRootPublicKey(),
+	    });
+	  } catch (err) {
+	    return applyMode(
+	      mode,
+	      `MANIFEST_SIGNATURE_ERROR: ${err.message || err}`,
+	      warnings,
+	    );
+	  }
+	  if (!ok) {
+	    return applyMode(mode, "MANIFEST_SIGNATURE_INVALID", warnings);
+	  }
+	  return { verified: true, reason: null, mode, warnings };
+	}
 	verifyRegistryInstall = {
 	  verifyDownloadedPackage,
+	  verifyDownloadManifest,
 	  _readMode: readMode,
 	};
 	return verifyRegistryInstall;
@@ -14842,6 +14972,27 @@ var schedulerController_1 = schedulerController$2;
 	        if (jsonData.error) {
 	          throw new Error(`Download failed: ${jsonData.error}`);
 	        }
+	        // Phase 5D (P1 #24): verify the manifest signature BEFORE
+	        // trusting any field in this response. A MITM that swapped
+	        // downloadUrl or any signing-metadata field gets caught here
+	        // because the signature won't verify against the bundled
+	        // registry root key. Mode is shared with the existing
+	        // zip+cert verifier — DASH_REGISTRY_VERIFY_SIGNED_INSTALL.
+	        const {
+	          verifyDownloadManifest,
+	        } = requireVerifyRegistryInstall();
+	        const manifestVerify = await verifyDownloadManifest({
+	          responseBody: jsonData,
+	        });
+	        if (!manifestVerify.verified && manifestVerify.mode === "warn") {
+	          console.warn(
+	            `[widgetRegistry] Installing with unverified download manifest ` +
+	              `for "${widgetName}" — reason: ${manifestVerify.reason}. Set ` +
+	              `DASH_REGISTRY_VERIFY_SIGNED_INSTALL=strict to refuse.`,
+	          );
+	        }
 	        if (jsonData.downloadUrl) {
 	          const zipResponse = await fetch(jsonData.downloadUrl);
 	          if (!zipResponse.ok) {