I have a similar script, and recently I realized I'd skipped one of the verification steps:
https://ziglang.org/download/community-mirrors/
After downloading a tarball, the following verification steps are required: (never skip these steps)
- ...
- To prevent downgrade attacks, a "file" field in the trusted comment is provided that must be verified to match the name of the requested tarball. The reference implementation, minisign, will verify the trusted comment but does not look for a "file" field, so this verification step must be implemented manually.
I fixed mine with this:
echo "verifying"
minisign -Vm "$filename" -P "$pubkey" || _fail 'minisign' || return 1
+ # check trusted comment; https://ziglang.org/download/community-mirrors/
+ trusted_comment="$(minisign -QVm "$filename" -P "$pubkey")"
+ trusted_filename="$(cut -d' ' -f 2 <<< "$trusted_comment")" # extract second field. brittle?
+ [[ "$trusted_filename" == "file:$filename" ]] || _fail 'trusted comment' || return 1
My implementation feels a bit gross (e.g. verifying a second time just to get the trusted comment), maybe you can find a nicer way to do it.
I have a similar script, and recently I realized I'd skipped one of the verification steps:
https://ziglang.org/download/community-mirrors/
> After downloading a tarball, the following verification steps are required: (never skip these steps)
> - ...
> - To prevent downgrade attacks, a "file" field in the [trusted comment](https://jedisct1.github.io/minisign/#:~:text=Trusted%20comments) is provided that must be verified to match the name of the requested tarball. The reference implementation, minisign, will verify the trusted comment but does not look for a "file" field, so this verification step must be implemented manually.
I fixed mine with this:
```diff
echo "verifying"
minisign -Vm "$filename" -P "$pubkey" || _fail 'minisign' || return 1
+ # check trusted comment; https://ziglang.org/download/community-mirrors/
+ trusted_comment="$(minisign -QVm "$filename" -P "$pubkey")"
+ trusted_filename="$(cut -d' ' -f 2 <<< "$trusted_comment")" # extract second field. brittle?
+ [[ "$trusted_filename" == "file:$filename" ]] || _fail 'trusted comment' || return 1
```
My implementation feels a bit gross (e.g. verifying a second time just to get the trusted comment), maybe you can find a nicer way to do it.