Our build system caches files locally and only updates them when something
changes. Since I need to integrate some distsign stuff into the build system
to validate our Windows 7 MSIs, I want to be able to check the cached copy
of a package before downloading a fresh copy from pkgs.
If the signature changes, then obviously the local copy is outdated and we
return an error, at which point we call Download to refresh the package.
Updates https://github.com/tailscale/corp/issues/14334
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
Reimplement `downloadURLToFile` using `distsign.Download` and move all
of the progress reporting logic over there.
Updates #6995
Updates #755
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Helper command to verify package signatures, mainly for debugging.
Also fix a copy-paste mistake in error message in distsign.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Adding a root key that signs the current signing key on
pkgs.tailscale.com. This key is here purely for development and should
be replaced before 1.50 release.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Now we have all the commands to generate the key hierarchy and verify
that signing keys were signed correctly:
```
$ ./tool/go run ./cmd/dist gen-key --priv-path root-priv.pem --pub-path root-pub.pem --root
wrote private key to root-priv.pem
wrote public key to root-pub.pem
$ ./tool/go run ./cmd/dist gen-key --priv-path signing-priv.pem --pub-path signing-pub.pem --signing
wrote private key to signing-priv.pem
wrote public key to signing-pub.pem
$ ./tool/go run ./cmd/dist sign-key --root-priv-path root-priv.pem --sign-pub-path signing-pub.pem
wrote signature to signature.bin
$ ./tool/go run ./cmd/dist verify-key-signature --root-pub-path root-pub.pem --sign-pub-path signing-pub.pem --sig-path signature.bin
signature ok
```
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
To make key management less error-prone, use different PEM block types
for root and signing keys. As a result, separate out most of the Go code
between root/signing keys too.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This library is intended for use during release to sign packages which
are then served from pkgs.tailscale.com.
The library is also then used by clients downloading packages for
`tailscale update` where OS package managers / app stores aren't used.
Updates https://github.com/tailscale/tailscale/issues/8760
Updates https://github.com/tailscale/tailscale/issues/6995
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>