repofence 0.1.7 → 0.1.8
|
@@ -142,6 +142,19 @@ const installPack = async (pack, options = {}, baseDir) => {
|
|
|
142
142
|
exports.installPack = installPack;
|
|
143
143
|
const manifestFilePath = (baseDir) => manifestPath(baseDir);
|
|
144
144
|
exports.manifestFilePath = manifestFilePath;
|
|
145
|
+
/** Standard base64 or base64url (some APIs / env pastes). */
|
|
146
|
+
const decodeBase64Flexible = (input) => {
|
|
147
|
+
const trimmed = input.trim().replace(/\s/g, '');
|
|
148
|
+
if (!trimmed) {
|
|
149
|
+
throw new Error('Cadena vacía.');
|
|
150
|
+
}
|
|
151
|
+
const b64 = trimmed.includes('-') || trimmed.includes('_')
|
|
152
|
+
? trimmed.replace(/-/g, '+').replace(/_/g, '/')
|
|
153
|
+
: trimmed;
|
|
154
|
+
const pad = b64.length % 4;
|
|
155
|
+
const padded = pad ? b64 + '='.repeat(4 - pad) : b64;
|
|
156
|
+
return Buffer.from(padded, 'base64');
|
|
157
|
+
};
|
|
145
158
|
const validateSignature = async (_pack) => {
|
|
146
159
|
const pack = _pack;
|
|
147
160
|
// Si no hay firma ni hashes, no validamos (modo demo/mock).
|
|
@@ -158,7 +171,24 @@ const validateSignature = async (_pack) => {
|
|
|
158
171
|
: Buffer.from(rawKey, 'base64').toString('utf8');
|
|
159
172
|
try {
|
|
160
173
|
const keyObject = crypto_1.default.createPublicKey(publicKeyPem);
|
|
161
|
-
const
|
|
174
|
+
const sigBuf = decodeBase64Flexible(pack.signature);
|
|
175
|
+
const dataBuf = Buffer.from(payloadToVerify, 'utf8');
|
|
176
|
+
const keyType = keyObject.asymmetricKeyType;
|
|
177
|
+
let isValid;
|
|
178
|
+
if (keyType === 'ed25519') {
|
|
179
|
+
if (sigBuf.length !== 64) {
|
|
180
|
+
throw new Error(`Firma Ed25519: tras decodificar se esperaban 64 bytes, hay ${sigBuf.length}. ` +
|
|
181
|
+
'Suele indicar que el API firmó con otro algoritmo (p. ej. RSA) o la firma está corrupta. ' +
|
|
182
|
+
'El servidor debe usar el par Ed25519 que corresponde a la clave pública del CLI.');
|
|
183
|
+
}
|
|
184
|
+
isValid = crypto_1.default.verify(null, dataBuf, keyObject, sigBuf);
|
|
185
|
+
}
|
|
186
|
+
else if (keyType === 'rsa') {
|
|
187
|
+
isValid = crypto_1.default.verify('sha256', dataBuf, keyObject, sigBuf);
|
|
188
|
+
}
|
|
189
|
+
else {
|
|
190
|
+
throw new Error(`Tipo de clave pública no soportado: ${String(keyType)}`);
|
|
191
|
+
}
|
|
162
192
|
if (!isValid) {
|
|
163
193
|
throw new Error('Firma de pack inválida.');
|
|
164
194
|
}
|
|
@@ -166,6 +196,10 @@ const validateSignature = async (_pack) => {
|
|
|
166
196
|
}
|
|
167
197
|
catch (error) {
|
|
168
198
|
const msg = error instanceof Error ? error.message : 'error_validando_firma';
|
|
199
|
+
if (msg.includes('asn1') || msg.includes('DECODER') || msg.includes('wrong tag')) {
|
|
200
|
+
throw new Error(`${msg}. Comprueba que REPOFENCE_SIGNING_KEY en el API sea el par Ed25519 de public_key.pem ` +
|
|
201
|
+
'(o que REPOFENCE_PUBLIC_KEY en el cliente sea la clave pública que corresponde a la privada del servidor).');
|
|
202
|
+
}
|
|
169
203
|
throw new Error(msg);
|
|
170
204
|
}
|
|
171
205
|
};
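Review bot: `decodeBase64Flexible` (new lines 146–157) never rejects characters outside the base64 alphabet — `Buffer.from(padded, 'base64')` decodes leniently rather than throwing — so a mangled or wrongly pasted signature becomes a shorter byte string; the Ed25519 branch catches that through its 64-byte check, but the RSA branch at new line 187 only reports the generic `Firma de pack inválida.`. A strict check after padding, `if (!/^[A-Za-z0-9+/]+={0,2}$/.test(padded)) throw new Error('Firma: base64 inválido.');`, also rejects the `length % 4 === 1` case, which the current `'='.repeat(4 - pad)` turns into three `=` characters. Separately, `crypto_1.default.verify('sha256', …)` at new line 187 uses the default PKCS#1 v1.5 padding and the dispatch accepts only `asymmetricKeyType === 'rsa'`, so a pack signed with RSA-PSS or an `rsa-pss` key fails with that same generic message; if RSA is meant to be supported, either pass `{ key: keyObject, padding: crypto_1.default.constants.RSA_PKCS1_PSS_PADDING }` or state the expected padding in a comment next to the branch. The enclosing `validateSignature` (the `payloadToVerify` construction and the "modo demo" short-circuit) lies partly outside these hunks.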
|
|
@@ -3,11 +3,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.EMBEDDED_PACK_PUBLIC_KEY_PEM = void 0;
|
|
4
4
|
/**
|
|
5
5
|
* Default Ed25519 public key for verifying signed packs from the Repofence API.
|
|
6
|
-
*
|
|
6
|
+
* Must match `public_key.pem` in the repo (copy PEM lines verbatim from that file).
|
|
7
7
|
* Override with env REPOFENCE_PUBLIC_KEY for testing or key rotation.
|
|
8
8
|
*/
|
|
9
9
|
exports.EMBEDDED_PACK_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
|
|
10
|
-
|
|
10
|
+
MCowBQYDK2VwAyEAJTfxc7baW85w7r3uxbYNuaZRMoe1e2lcva2l7MO0iak=
|
|
11
11
|
-----END PUBLIC KEY-----
|
|
12
12
|
`;
|
|
13
13
|
//# sourceMappingURL=pack-public-key.js.map
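Review bot: The embedded key at new line 10 is a hand-copied base64 line with nothing that checks it is well-formed, and the removed line 10 appears to be empty, which suggests 0.1.7 shipped a PEM with no body; the new comment asks maintainers to copy lines verbatim from `public_key.pem`, so a repeat of that mistake would again surface only as a verification failure at runtime. A small test asserting `crypto.createPublicKey(EMBEDDED_PACK_PUBLIC_KEY_PEM).asymmetricKeyType === 'ed25519'` and that the export equals the contents of `public_key.pem` would catch both a blank body and a stale copy at build time. The body starts with `MCowBQYDK2VwAyEA`, which decodes to the SubjectPublicKeyInfo prefix for Ed25519, so the value itself looks consistent with the "Ed25519 public key" header comment.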
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "repofence",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.8",
|
|
4
4
|
"description": "Repofence CLI (packs + backend auth)",
|
|
5
5
|
"main": "dist/cli.js",
|
|
6
6
|
"bin": {
|
|
@@ -20,7 +20,9 @@
|
|
|
20
20
|
"start:cli": "node dist/cli.js",
|
|
21
21
|
"dev": "ts-node src/cli.ts",
|
|
22
22
|
"backend": "ts-node backend/server.ts",
|
|
23
|
-
"backend:start": "node backend-dist/server.js"
|
|
23
|
+
"backend:start": "node backend-dist/server.js",
|
|
24
|
+
"inspect:signing": "ts-node scripts/inspect-signing-key.ts",
|
|
25
|
+
"verify:pack-sig": "ts-node scripts/verify-pack-signature-files.ts"
|
|
24
26
|
},
|
|
25
27
|
"keywords": [
|
|
26
28
|
"sdd",
|