Merge pull request #1389 from jqnatividad/1379-zipsign-self-update

add zipsign signature verification to self-update
jqnatividad · Oct 26, 2023 · 40f28bf · 40f28bf
2 parents 25585b7 + 41231ec
commit 40f28bf
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 4 deletions.
diff --git a/.github/workflows/macOS-arm64-selfhosted-publish.yml b/.github/workflows/macOS-arm64-selfhosted-publish.yml
@@ -94,6 +94,19 @@ jobs:
         cat docs/publishing_assets/README.txt docs/publishing_assets/qsv-${{ matrix.job.target }}.txt > qsv-${{ needs.analyze-tags.outputs.previous-tag }}/README
     - name: zip up binaries
       run: 7zz a -tzip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip ./qsv-${{ needs.analyze-tags.outputs.previous-tag }}/* -mx=9 -mmt=on
+    - name: install zipsign
+      run: |
+        cargo install zipsign
+    - name: Fetch zipsign private key
+      uses: mobiledevops/secret-to-file-action@v1
+      with:
+        base64-encoded-secret: ${{ secrets.QSV_ZIPSIGN_PRIV_KEY }}
+        filename: "qsvpriv.key"
+        is-executable: false
+        working-directory: "."
+    - name: zipsign binary
+      run: |
+        zipsign sign zip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip qsvpriv.key      
     - name: Upload zipped binaries to release
       uses: svenstaro/upload-release-action@v2
       with:

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -196,6 +196,19 @@ jobs:
         cat docs/publishing_assets/README.txt docs/publishing_assets/qsv-${{ matrix.job.target }}.txt > qsv-${{ needs.analyze-tags.outputs.previous-tag }}/README
     - name: zip up binaries
       run: 7z a -tzip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip ./qsv-${{ needs.analyze-tags.outputs.previous-tag }}/* -mx=9 -mmt=on
+    - name: install zipsign
+      run: |
+        cargo install zipsign
+    - name: Fetch zipsign private key
+      uses: mobiledevops/secret-to-file-action@v1
+      with:
+        base64-encoded-secret: ${{ secrets.QSV_ZIPSIGN_PRIV_KEY }}
+        filename: "qsvpriv.key"
+        is-executable: false
+        working-directory: "."        
+    - name: zipsign binary
+      run: |
+        zipsign sign zip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip qsvpriv.key
     - name: Upload zipped binaries to release
       uses: svenstaro/upload-release-action@v2
       with:

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -181,6 +181,7 @@ self_update = { version = "0.39", features = [
     "archive-zip",
     "compression-zip-deflate",
     "rustls",
+    "signatures",
 ], default-features = false, optional = true }
 semver = "1"
 serde = { version = "1", features = ["derive"] }

diff --git a/src/qsv-zipsign-public.key b/src/qsv-zipsign-public.key
diff --git a/src/util.rs b/src/util.rs
@@ -785,6 +785,7 @@ pub fn qsv_check_for_update(check_only: bool, no_confirm: bool) -> Result<bool,
                 .show_output(false)
                 .no_confirm(no_confirm)
                 .current_version(curr_version)
+                .verifying_keys([*include_bytes!("qsv-zipsign-public.key")])
                 .build()
             {
                 Ok(update_job) => match update_job.update() {