sherpack 0.4.0

The Kubernetes package manager with Jinja2 templates
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

//! Verify command - verify archive integrity and signature

use console::style;
use miette::{IntoDiagnostic, Result};
use minisign::{PublicKeyBox, SignatureBox};
use std::io::{Cursor, Read};
use std::path::Path;

use super::keygen::default_key_dir;
use crate::util::truncate_hash;

pub fn run(archive_path: &Path, key_path: Option<&Path>, require_signature: bool) -> Result<()> {
    if !archive_path.exists() {
        return Err(miette::miette!(
            "Archive not found: {}",
            archive_path.display()
        ));
    }

    println!(
        "{} {}",
        style("Verifying").cyan().bold(),
        archive_path.display()
    );
    println!();

    // Step 1: Verify manifest checksums
    println!("{}:", style("Integrity check").bold());

    let verification_result = sherpack_core::verify_archive(archive_path).into_diagnostic()?;

    if verification_result.valid {
        println!(
            "  {} All file checksums match",
            style("[OK]").green().bold()
        );
    } else {
        println!(
            "  {} Checksum verification failed",
            style("[FAIL]").red().bold()
        );

        for mismatch in &verification_result.mismatched {
            println!(
                "    {} {}: expected {}, got {}",
                style("-").red(),
                mismatch.path,
                truncate_hash(&mismatch.expected, 16),
                truncate_hash(&mismatch.actual, 16)
            );
        }

        for missing in &verification_result.missing {
            println!("    {} {}: missing from archive", style("-").red(), missing);
        }

        return Err(miette::miette!("Archive integrity check failed"));
    }

    // Step 2: Check signature (if present or required)
    let sig_path = format!("{}.minisig", archive_path.display());
    let sig_exists = Path::new(&sig_path).exists();

    println!();
    println!("{}:", style("Signature check").bold());

    if !sig_exists {
        if require_signature {
            println!("  {} No signature found", style("[FAIL]").red().bold());
            return Err(miette::miette!(
                "Signature required but not found: {}",
                sig_path
            ));
        } else {
            println!(
                "  {} No signature file ({})",
                style("[SKIP]").yellow().bold(),
                sig_path
            );
            println!();
            println!(
                "{}",
                style("Archive integrity verified (no signature).").green()
            );
            return Ok(());
        }
    }

    // Find public key
    let key_path = key_path
        .map(|p| p.to_path_buf())
        .unwrap_or_else(|| default_key_dir().join("sherpack.pub"));

    if !key_path.exists() {
        println!(
            "  {} Public key not found at {}",
            style("[FAIL]").red().bold(),
            key_path.display()
        );
        return Err(miette::miette!(
            "Public key required for signature verification.\n\
             Use --key to specify a public key file."
        ));
    }

    // Read public key
    let pk_content = std::fs::read_to_string(&key_path).into_diagnostic()?;
    let pk_box = PublicKeyBox::from_string(&pk_content)
        .map_err(|e| miette::miette!("Failed to parse public key: {}", e))?;
    let pk = pk_box
        .into_public_key()
        .map_err(|e| miette::miette!("Invalid public key: {}", e))?;

    // Read signature
    let sig_content = std::fs::read_to_string(&sig_path).into_diagnostic()?;
    let sig_box = SignatureBox::from_string(&sig_content)
        .map_err(|e| miette::miette!("Failed to parse signature: {}", e))?;

    // Read archive data
    let mut file = std::fs::File::open(archive_path).into_diagnostic()?;
    let mut data = Vec::new();
    file.read_to_end(&mut data).into_diagnostic()?;

    // Verify signature using Cursor for Read + Seek
    let mut cursor = Cursor::new(&data);
    match minisign::verify(&pk, &sig_box, &mut cursor, true, false, false) {
        Ok(()) => {
            println!("  {} Signature valid", style("[OK]").green().bold());

            // Show trusted comment if available
            if let Ok(trusted_comment) = sig_box.trusted_comment() {
                println!("  {}: {}", style("Signed by").dim(), trusted_comment);
            }
        }
        Err(e) => {
            println!(
                "  {} Signature verification failed: {}",
                style("[FAIL]").red().bold(),
                e
            );
            return Err(miette::miette!("Signature verification failed"));
        }
    }

    println!();
    println!("{}", style("Archive verified successfully.").green().bold());

    Ok(())
}