cmd/distsign: add CLI for verifying package signatures

Updates #35374 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-12-23 00:56:20 +00:00 · 2025-12-17 15:42:25 -08:00
parent 3e89068792
commit e093a20755
2 changed files with 49 additions and 1 deletions
--- a/clientupdate/distsign/distsign.go
+++ b/clientupdate/distsign/distsign.go
@@ -332,7 +332,13 @@ func (c *Client) download(ctx context.Context, url, dst string, limit int64) ([]
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	tr.Proxy = feature.HookProxyFromEnvironment.GetOrNil()
 	defer tr.CloseIdleConnections()
-	hc := &http.Client{Transport: tr}
+	hc := &http.Client{
 		Transport: tr,
 		CheckRedirect: func(r *http.Request, via []*http.Request) error {
 			c.logf("Download redirected to %q", r.URL)
 			return nil
 		},
 	}
 	quickCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
--- a/cmd/distsign/distsign.go
+++ b/cmd/distsign/distsign.go
@@ -0,0 +1,42 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 // Command distsign tests downloads and signature validating for packages
 // published by Tailscale on pkgs.tailscale.com.
 package main
 import (
 	"context"
 	"flag"
 	"log"
 	"os"
 	"path/filepath"
 	"tailscale.com/clientupdate/distsign"
 )
 var (
 	pkgsURL = flag.String("pkgs-url", "https://pkgs.tailscale.com/", "URL of the packages server")
 	pkgName = flag.String("pkg-name", "", "name of the package on the packages server, including the stable/unstable track prefix")
 )
 func main() {
 	flag.Parse()
 	if *pkgName == "" {
 		log.Fatalf("--pkg-name is required")
 	}
 	c, err := distsign.NewClient(log.Printf, *pkgsURL)
 	if err != nil {
 		log.Fatal(err)
 	}
 	tempDir := filepath.Join(os.TempDir(), "distsign")
 	if err := os.MkdirAll(tempDir, 0755); err != nil {
 		log.Fatal(err)
 	}
 	if err := c.Download(context.Background(), *pkgName, filepath.Join(os.TempDir(), "distsign", filepath.Base(*pkgName))); err != nil {
 		log.Fatal(err)
 	}
 	log.Printf("%q ok", *pkgName)
 }