3
26
Fork
You've already forked mere
1

Verify manifest signature before parsing it in mere dev import #98

Merged
jhuntwork merged 1 commit from import-verify-before-parse into main 2026年07月09日 04:30:38 +02:00

prepareVerifiedImport built a Package struct from the manifest before
checking its signature at all: readManifestAndCreatePackage decoded
and used manifest.v1 first, and verifyManifestSignatureAndGetSigner
only checked the signature afterward against a separate fresh read.
Untrusted content got parsed (and used to populate package metadata)
regardless of whether it was ever validly signed.

Signature verification now runs first; createPackageFromManifest
decodes directly from the verified bytes instead of reading the file
again. A malformed manifest with no valid signature is now rejected
as SignatureInvalid rather than leaking InvalidInput from decoding
untrusted bytes before the signature was ever checked.

prepareVerifiedImport built a Package struct from the manifest before checking its signature at all: readManifestAndCreatePackage decoded and used manifest.v1 first, and verifyManifestSignatureAndGetSigner only checked the signature afterward against a separate fresh read. Untrusted content got parsed (and used to populate package metadata) regardless of whether it was ever validly signed. Signature verification now runs first; createPackageFromManifest decodes directly from the verified bytes instead of reading the file again. A malformed manifest with no valid signature is now rejected as SignatureInvalid rather than leaking InvalidInput from decoding untrusted bytes before the signature was ever checked.
Verify manifest signature before parsing it in mere dev import
All checks were successful
/ test (pull_request) Successful in 6m37s
fe17e83066
prepareVerifiedImport built a Package struct from the manifest before
checking its signature at all: readManifestAndCreatePackage decoded
and used manifest.v1 first, and verifyManifestSignatureAndGetSigner
only checked the signature afterward against a separate fresh read.
Untrusted content got parsed (and used to populate package metadata)
regardless of whether it was ever validly signed.
Signature verification now runs first; createPackageFromManifest
decodes directly from the verified bytes instead of reading the file
again. A malformed manifest with no valid signature is now rejected
as SignatureInvalid rather than leaking InvalidInput from decoding
untrusted bytes before the signature was ever checked.
jhuntwork deleted branch import-verify-before-parse 2026年07月09日 04:30:39 +02:00
Sign in to join this conversation.
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
merelinux/mere!98
Reference in a new issue
merelinux/mere
No description provided.
Delete branch "import-verify-before-parse"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?