From 32155a659fbd3d6a5818b6fb3ee46a54b32a334f Mon Sep 17 00:00:00 2001 From: Joel Natividad <1980690+jqnatividad@users.noreply.github.com> Date: Thu, 26 Oct 2023 07:45:06 -0400 Subject: [PATCH 1/5] sign prebuilt archives with zipsign for self-update verification --- .../workflows/macOS-arm64-selfhosted-publish.yml | 13 +++++++++++++ .github/workflows/publish.yml | 13 +++++++++++++ 2 files changed, 26 insertions(+) diff --git a/.github/workflows/macOS-arm64-selfhosted-publish.yml b/.github/workflows/macOS-arm64-selfhosted-publish.yml index c13116c6d..befdf75c1 100644 --- a/.github/workflows/macOS-arm64-selfhosted-publish.yml +++ b/.github/workflows/macOS-arm64-selfhosted-publish.yml @@ -94,6 +94,19 @@ jobs: cat docs/publishing_assets/README.txt docs/publishing_assets/qsv-${{ matrix.job.target }}.txt > qsv-${{ needs.analyze-tags.outputs.previous-tag }}/README - name: zip up binaries run: 7zz a -tzip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip ./qsv-${{ needs.analyze-tags.outputs.previous-tag }}/* -mx=9 -mmt=on + - name: install zipsign + run: | + cargo install zipsign + - name: Fetch zipsign private key + uses: mobiledevops/secret-to-file-action@v1 + with: + base64-encoded-secret: ${{ secrets.QSV_ZIPSIGN_PRIV_KEY }} + filename: "qsvpriv.key" + is-executable: false + working-directory: "." + - name: zipsign binary + run: | + zipsign sign zip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip qsvpriv.key - name: Upload zipped binaries to release uses: svenstaro/upload-release-action@v2 with: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 68cb897d6..2c2351100 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
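Review bot: The private signing key written by the `Fetch zipsign private key` step (`qsvpriv.key`, `working-directory: "."`) stays in the workspace after the `zipsign binary` step; nothing in this hunk deletes it, and the publish.yml hunk has the same sequence. The key should be removed as soon as signing is done, with a step right after `zipsign binary`: `- name: remove zipsign private key` / `if: always()` / `run: rm -f qsvpriv.key`. This matters most in this workflow, whose filename suggests a self-hosted runner where the workspace may persist between jobs, and it also rules out a later upload pattern picking the key up — the `Upload zipped binaries to release` step's `with:` block is cut at the hunk edge, so that cannot be confirmed here. Separately, `cargo install zipsign` is unpinned; `cargo install zipsign --locked --version <PINNED_VERSION>` makes the signing tool's version reproducible.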
@@ -196,6 +196,19 @@ jobs: cat docs/publishing_assets/README.txt docs/publishing_assets/qsv-${{ matrix.job.target }}.txt > qsv-${{ needs.analyze-tags.outputs.previous-tag }}/README - name: zip up binaries run: 7z a -tzip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip ./qsv-${{ needs.analyze-tags.outputs.previous-tag }}/* -mx=9 -mmt=on + - name: install zipsign + run: | + cargo install zipsign + - name: Fetch zipsign private key + uses: mobiledevops/secret-to-file-action@v1 + with: + base64-encoded-secret: ${{ secrets.QSV_ZIPSIGN_PRIV_KEY }} + filename: "qsvpriv.key" + is-executable: false + working-directory: "." + - name: zipsign binary + run: | + zipsign sign zip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip qsvpriv.key - name: Upload zipped binaries to release uses: svenstaro/upload-release-action@v2 with: From 112ba1b489e4005c6d6e70cf5e526b234d671cf5 Mon Sep 17 00:00:00 2001 From: Joel Natividad <1980690+jqnatividad@users.noreply.github.com> Date: Thu, 26 Oct 2023 07:45:44 -0400 Subject: [PATCH 2/5] enable `signatures` option in self_update --- Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/Cargo.toml b/Cargo.toml index 18a59ba54..6b23b94e0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -181,6 +181,7 @@ self_update = { version = "0.39", features = [ "archive-zip", "compression-zip-deflate", "rustls", + "signatures", ], default-features = false, optional = true } semver = "1" serde = { version = "1", features = ["derive"] } From cfcf7214834e5ac4bd4067de60dfae3eeeca429a Mon Sep 17 00:00:00 2001 From: Joel Natividad <1980690+jqnatividad@users.noreply.github.com> Date: Thu, 26 Oct 2023 07:46:11 -0400 Subject: [PATCH 3/5] `deps`: cargo update bump zerocopy from 0.7.14 to 0.7.15 --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 52cc76904..808ecce27 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -5956,18 +5956,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.7.14" +version = "0.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69c48d63854f77746c68a5fbb4aa17f3997ece1cb301689a257af8cb80610d21" +checksum = "81ba595b9f2772fbee2312de30eeb80ec773b4cb2f1e8098db024afadda6c06f" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.7.14" +version = "0.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c258c1040279e4f88763a113de72ce32dde2d50e2a94573f15dd534cea36a16d" +checksum = "772666c41fb6dceaf520b564b962d738a8e1a83b41bd48945f50837aed78bb1d" dependencies = [ "proc-macro2", "quote", From fdee23c9a6c95ac0336641f4c69eda524f1a8706 Mon Sep 17 00:00:00 2001 From: Joel Natividad <1980690+jqnatividad@users.noreply.github.com> Date: Thu, 26 Oct 2023 07:47:52 -0400 Subject: [PATCH 4/5] add qsv-zipsign-public.key --- src/qsv-zipsign-public.key | Bin 0 -> 32 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 src/qsv-zipsign-public.key diff --git a/src/qsv-zipsign-public.key b/src/qsv-zipsign-public.key new file mode 100644 index 0000000000000000000000000000000000000000..058255be25e17638e83ebc37390324c0da161b8f GIT binary patch literal 32 ocmeCFtQL8eKS$uYys}Ptx}aHi>XXwCe6<+1PZcR!<5`#o0N}$7pa1{> literal 0 HcmV?d00001 From 41231ec831a9ac378809ea5e314a0f6d30302ccf Mon Sep 17 00:00:00 2001 From: Joel Natividad <1980690+jqnatividad@users.noreply.github.com> Date: Thu, 26 Oct 2023 07:48:31 -0400 Subject: [PATCH 5/5] add zipsign verification to self-update --- src/util.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/util.rs b/src/util.rs index db527a67d..346acfd3b 100644 --- a/src/util.rs +++ b/src/util.rs @@ -785,6 +785,7 @@ pub fn qsv_check_for_update(check_only: bool, no_confirm: bool) -> Result match update_job.update() {