Sign packages
RSA signing adds an additional layer of security to your project.
If you are using provider.Github, the connection is already secured using HTTPS. In this situation RSA signing can still prevent some types of attacks, such as someone who has hacked into your account uploading a new update.
With this method your updates must be signed with your private key.
ALWAYS KEEP YOUR PRIVATE KEY IN A SAFE PLACE AND DO NOT SHARE IT
After installing this project you should have the rocket-update command, which provides the following features:
- Generate private and public keys
- Sign packages
- Verify packages
$ rocket-update keygen
2021/01/17 10:39:02 Generating keys...
2021/01/17 10:39:04 Created private key: id_rsa
2021/01/17 10:39:04 Created public key: id_rsa.pub
It is very important that you keep your private key (id_rsa) in a secure place!
Example with your package folder being binaries_windows:
$ rocket-update sign -key id_rsa -path binaries_windows
2021/01/17 12:05:01 Reading private key...
2021/01/17 12:05:01 Computing signatures...
2021/01/17 12:05:01 Writing binaries_windows\signatures.json ...
2021/01/17 12:05:01 Signed successfully! Don't forget to keep your private key in a safe place!
$ rocket-update verify -pubkey id_rsa.pub -path binaries_windows
2021/01/17 12:07:02 Reading public key...
2021/01/17 12:07:02 Reading binaries_windows\signatures.json ...
All files verified!
In order to verify files you just have to use provider.Secure, which takes two arguments:
- A back-end provider which will be used to retrieve the updates
- A public key, which is going to be used for verifying files
Here is an example using provider.Github as a back-end provider:
pubStr := `-----BEGIN RSA PUBLIC KEY-----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-----END RSA PUBLIC KEY-----`
p := &provider.Secure{
	BackendProvider: &provider.Github{
		RepositoryURL: "github.com/mouuff/go-rocket-update-example",
		ZipName:       "binaries_" + runtime.GOOS + ".zip",
	},
	PublicKeyPEM: []byte(pubStr),
}
Then you just have to pass this provider to the updater.
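What per-file signing and verification of a package buys you, as an added example that is not go-rocket-update's own code: files changed, replaced or added by someone without the private key fail verification. The helper names, the file names, and the scheme (PKCS#1 v1.5 over a SHA-256 digest of file name plus content) are assumptions; the project's signatures.json format and algorithm may differ.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key for this demo only

// digest hashes name and content together so a signature cannot be reused under another file name.
func digest(name string, data []byte) []byte {
	d := sha256.Sum256(append([]byte(name+"\x00"), data...))
	return d[:]
}

// signFiles returns one signature per file (assumed scheme: PKCS#1 v1.5 over SHA-256).
func signFiles(priv *rsa.PrivateKey, files map[string][]byte) (map[string][]byte, error) {
	sigs := make(map[string][]byte, len(files))
	for name, data := range files {
		sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(name, data))
		if err != nil {
			return nil, err
		}
		sigs[name] = sig
	}
	return sigs, nil
}

// verifyFiles fails closed: a file with no signature entry is rejected, not skipped.
func verifyFiles(pub *rsa.PublicKey, files, sigs map[string][]byte) error {
	for name, data := range files {
		sig, ok := sigs[name]
		if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(name, data), sig) != nil {
			return fmt.Errorf("%s: missing or invalid signature", name)
		}
	}
	return nil
}

func main() {
	pkg := map[string][]byte{"app.exe": []byte("constructed release bytes")}
	sigs, _ := signFiles(demoKey, pkg)
	fmt.Println("original:", verifyFiles(&demoKey.PublicKey, pkg, sigs))
	pkg["app.exe"] = []byte("constructed tampered bytes")
	fmt.Println("tampered:", verifyFiles(&demoKey.PublicKey, pkg, sigs))
}
```

Only the public key is needed on the verifying side, which is why it can be embedded in the shipped binary while the private key stays off the release account.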