cmd/distsign: add CLI for verifying package signatures

Updates #35374

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>

clientupdate/distsign/distsign.go

@@ -332,7 +332,13 @@ func (c *Client) download(ctx context.Context, url, dst string, limit int64) ([]
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	tr.Proxy = feature.HookProxyFromEnvironment.GetOrNil()
 	defer tr.CloseIdleConnections()
-	hc := &http.Client{Transport: tr}
+	hc := &http.Client{
+		Transport: tr,
+		CheckRedirect: func(r *http.Request, via []*http.Request) error {
+			c.logf("Download redirected to %q", r.URL)
+			return nil
+		},
+	}
 
 	quickCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()

cmd/distsign/distsign.go

@@ -0,0 +1,39 @@
+// Command distsign tests downloads and signature validating for packages
+// published by Tailscale on pkgs.tailscale.com.
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"os"
+	"path/filepath"
+
+	"tailscale.com/clientupdate/distsign"
+)
+
+var (
+	pkgsURL = flag.String("pkgs-url", "https://pkgs.tailscale.com/", "URL of the packages server")
+	pkgName = flag.String("pkg-name", "", "name of the package on the packages server, including the stable/unstable track prefix")
+)
+
+func main() {
+	flag.Parse()
+
+	if *pkgName == "" {
+		log.Fatalf("--pkg-name is required")
+	}
+
+	c, err := distsign.NewClient(log.Printf, *pkgsURL)
+	if err != nil {
+		log.Fatal(err)
+	}
+	tempDir := filepath.Join(os.TempDir(), "distsign")
+	if err := os.MkdirAll(tempDir, 0755); err != nil {
+		log.Fatal(err)
+	}
+	if err := c.Download(context.Background(), *pkgName, filepath.Join(os.TempDir(), "distsign", filepath.Base(*pkgName))); err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("%q ok", *pkgName)
+}