chore: begin work implementing vsix signatures, manifest matching

Author: Emyrk

cli/add.go

@@ -2,6 +2,7 @@ package cli
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -12,6 +13,7 @@ import (
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/code-marketplace/internal/extensionsign"
 
 	"github.com/coder/code-marketplace/storage"
 	"github.com/coder/code-marketplace/util"
@@ -22,6 +24,7 @@ func add() *cobra.Command {
 		artifactory string
 		extdir      string
 		repo        string
+		signature   bool
 	)
 
 	cmd := &cobra.Command{
@@ -73,7 +76,7 @@ func add() *cobra.Command {
 					return err
 				}
 				for _, file := range files {
-					s, err := doAdd(ctx, filepath.Join(args[0], file.Name()), store)
+					s, err := doAdd(ctx, filepath.Join(args[0], file.Name()), signature, store)
 					if err != nil {
 						_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Failed to unpack %s: %s\n", file.Name(), err.Error())
 						failed = append(failed, file.Name())
@@ -82,7 +85,7 @@ func add() *cobra.Command {
 					}
 				}
 			} else {
-				s, err := doAdd(ctx, args[0], store)
+				s, err := doAdd(ctx, args[0], signature, store)
 				if err != nil {
 					return err
 				}
@@ -102,11 +105,12 @@ func add() *cobra.Command {
 	cmd.Flags().StringVar(&extdir, "extensions-dir", "", "The path to extensions.")
 	cmd.Flags().StringVar(&artifactory, "artifactory", "", "Artifactory server URL.")
 	cmd.Flags().StringVar(&repo, "repo", "", "Artifactory repository.")
+	cmd.Flags().BoolVar(&signature, "signature", true, "Include signature")
 
 	return cmd
 }
 
-func doAdd(ctx context.Context, source string, store storage.Storage) ([]string, error) {
+func doAdd(ctx context.Context, source string, includeSignature bool, store storage.Storage) ([]string, error) {
 	// Read in the extension.  In the future we might support stdin as well.
 	vsix, err := storage.ReadVSIX(ctx, source)
 	if err != nil {
@@ -120,7 +124,31 @@ func doAdd(ctx context.Context, source string, store storage.Storage) ([]string,
 		return nil, err
 	}
 
-	location, err := store.AddExtension(ctx, manifest, vsix)
+	var extra []storage.File
+	if includeSignature {
+		sigManifest, err := extensionsign.GenerateSignatureManifest(vsix)
+		if err != nil {
+			return nil, xerrors.Errorf("generate signature manifest: %w", err)
+		}
+
+		data, err := json.Marshal(sigManifest)
+		if err != nil {
+			return nil, xerrors.Errorf("marshal signature manifest: %w", err)
+		}
+
+		extra = append(extra, storage.File{
+			RelativePath: "extension.sigzip",
+			Content:      data,
+		})
+
+		manifest.Assets.Asset = append(manifest.Assets.Asset, storage.VSIXAsset{
+			Type:        storage.VSIXSignatureType,
+			Path:        "extension.sigzip",
+			Addressable: "true", // TODO: Idk if this is right
+		})
+	}
+
+	location, err := store.AddExtension(ctx, manifest, vsix, extra...)
 	if err != nil {
 		return nil, err
 	}

cli/root.go

@@ -1,8 +1,9 @@
 package cli
 
 import (
-	"github.com/spf13/cobra"
 	"strings"
+
+	"github.com/spf13/cobra"
 )
 
 func Root() *cobra.Command {
@@ -16,7 +17,7 @@ func Root() *cobra.Command {
 		}, "\n"),
 	}
 
-	cmd.AddCommand(add(), remove(), server(), version())
+	cmd.AddCommand(add(), remove(), server(), version(), signature())
 
 	cmd.PersistentFlags().BoolP("verbose", "v", false, "Enable verbose output")
 

storage/artifactory.go

@@ -213,7 +213,7 @@ func (s *Artifactory) upload(ctx context.Context, endpoint string, r io.Reader)
 	return code, nil
 }
 
-func (s *Artifactory) AddExtension(ctx context.Context, manifest *VSIXManifest, vsix []byte) (string, error) {
+func (s *Artifactory) AddExtension(ctx context.Context, manifest *VSIXManifest, vsix []byte, extra ...File) (string, error) {
 	// Extract the zip to the correct path.
 	identity := manifest.Metadata.Identity
 	dir := path.Join(identity.Publisher, identity.ID, Version{

storage/local.go

@@ -11,6 +11,8 @@ import (
 	"sync"
 	"time"
 
+	"golang.org/x/xerrors"
+
 	"cdr.dev/slog"
 )
 
@@ -89,7 +91,7 @@ func (s *Local) list(ctx context.Context) []extension {
 	return list
 }
 
-func (s *Local) AddExtension(ctx context.Context, manifest *VSIXManifest, vsix []byte) (string, error) {
+func (s *Local) AddExtension(ctx context.Context, manifest *VSIXManifest, vsix []byte, extra ...File) (string, error) {
 	// Extract the zip to the correct path.
 	identity := manifest.Metadata.Identity
 	dir := filepath.Join(s.extdir, identity.Publisher, identity.ID, Version{
@@ -121,6 +123,18 @@ func (s *Local) AddExtension(ctx context.Context, manifest *VSIXManifest, vsix [
 		return "", err
 	}
 
+	for _, file := range extra {
+		path := filepath.Join(dir, file.RelativePath)
+		err := os.MkdirAll(filepath.Dir(path), 0o644)
+		if err != nil {
+			return "", err
+		}
+		err = os.WriteFile(path, file.Content, 0o644)
+		if err != nil {
+			return dir, xerrors.Errorf("write extra file %q: %w", path, err)
+		}
+	}
+
 	return dir, nil
 }
 

storage/storage.go

@@ -112,6 +112,7 @@ type AssetType string
 const (
 	ManifestAssetType AssetType = "Microsoft.VisualStudio.Code.Manifest" // This is the package.json.
 	VSIXAssetType     AssetType = "Microsoft.VisualStudio.Services.VSIXPackage"
+	VSIXSignatureType AssetType = "Microsoft.VisualStudio.Services.VsixSignature"
 )
 
 // VSIXAsset implements XMLManifest.PackageManifest.Assets.Asset.
@@ -203,8 +204,8 @@ func (vs ByVersion) Less(i, j int) bool {
 
 type Storage interface {
 	// AddExtension adds the provided VSIX into storage and returns the location
-	// for verification purposes.
-	AddExtension(ctx context.Context, manifest *VSIXManifest, vsix []byte) (string, error)
+	// for verification purposes. Extra files can be included, but not required.
+	AddExtension(ctx context.Context, manifest *VSIXManifest, vsix []byte, extra ...File) (string, error)
 	// FileServer provides a handler for fetching extension repository files from
 	// a client.
 	FileServer() http.Handler
@@ -230,6 +231,11 @@ type Storage interface {
 	WalkExtensions(ctx context.Context, fn func(manifest *VSIXManifest, versions []Version) error) error
 }
 
+type File struct {
+	RelativePath string
+	Content      []byte
+}
+
 const ArtifactoryTokenEnvKey = "ARTIFACTORY_TOKEN"
 
 // NewStorage returns a storage instance based on the provided extension

testutil/mockstorage.go

@@ -17,7 +17,7 @@ func NewMockStorage() *MockStorage {
 	return &MockStorage{}
 }
 
-func (s *MockStorage) AddExtension(ctx context.Context, manifest *storage.VSIXManifest, vsix []byte) (string, error) {
+func (s *MockStorage) AddExtension(ctx context.Context, manifest *storage.VSIXManifest, vsix []byte, extra ...storage.File) (string, error) {
 	return "", errors.New("not implemented")
 }