mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-26 11:35:35 +00:00
7364c6beec
This library is intended for use during release to sign packages which are then served from pkgs.tailscale.com. The library is also then used by clients downloading packages for `tailscale update` where OS package managers / app stores aren't used. Updates https://github.com/tailscale/tailscale/issues/8760 Updates https://github.com/tailscale/tailscale/issues/6995 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
55 lines
1.0 KiB
Go
55 lines
1.0 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package distsign
|
|
|
|
import (
|
|
"crypto/ed25519"
|
|
"embed"
|
|
"errors"
|
|
"fmt"
|
|
"path"
|
|
"path/filepath"
|
|
"sync"
|
|
)
|
|
|
|
//go:embed roots
|
|
var rootsFS embed.FS
|
|
|
|
var roots = sync.OnceValue(func() []ed25519.PublicKey {
|
|
roots, err := parseRoots()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return roots
|
|
})
|
|
|
|
func parseRoots() ([]ed25519.PublicKey, error) {
|
|
files, err := rootsFS.ReadDir("roots")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var keys []ed25519.PublicKey
|
|
for _, f := range files {
|
|
if !f.Type().IsRegular() {
|
|
continue
|
|
}
|
|
if filepath.Ext(f.Name()) != ".pub" {
|
|
continue
|
|
}
|
|
raw, err := rootsFS.ReadFile(path.Join("roots", f.Name()))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
key, err := parseSinglePublicKey(raw)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("parsing root key %q: %w", f.Name(), err)
|
|
}
|
|
keys = append(keys, key)
|
|
}
|
|
if len(keys) == 0 {
|
|
return nil, errors.New("no embedded root keys, please check clientupdate/distsign/roots/")
|
|
}
|
|
return keys, nil
|
|
}
|