narinfo: add Nix signature verification (ParsePublicKey, Fingerprint, Verify)

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: I831978224aea4ef56c2e7c499e125a906a6a6964
2026-03-06 18:01:30 +03:00 · 2026-03-06 18:01:30 +03:00 · 2da17e456f
commit 2da17e456f
parent d290bcf4ad
1 changed files with 58 additions and 0 deletions
--- a/internal/narinfo/narinfo.go
+++ b/internal/narinfo/narinfo.go
@ -2,6 +2,8 @@ package narinfo

 import (
 	"bufio"
+	"crypto/ed25519"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"strconv"
@ -23,6 +25,62 @@ type NarInfo struct {
 	CA          string
 }

+// ParsePublicKey parses a Nix public key in "name:base64(key)" format.
+func ParsePublicKey(s string) (name string, key ed25519.PublicKey, err error) {
+	name, b64, ok := strings.Cut(s, ":")
+	if !ok || name == "" {
+		return "", nil, fmt.Errorf("invalid public key %q: missing ':'", s)
+	}
+	raw, err := base64.StdEncoding.DecodeString(b64)
+	if err != nil {
+		return "", nil, fmt.Errorf("invalid public key %q: %w", s, err)
+	}
+	if len(raw) != ed25519.PublicKeySize {
+		return "", nil, fmt.Errorf("invalid public key size %d, want %d", len(raw), ed25519.PublicKeySize)
+	}
+	return name, ed25519.PublicKey(raw), nil
+}
+
+// Fingerprint returns the canonical signing input for this narinfo.
+// Format: 1;<storePath>;<narHash>;<narSize>;<comma-separated-full-ref-paths>
+func (ni *NarInfo) Fingerprint() string {
+	refs := make([]string, len(ni.References))
+	for i, r := range ni.References {
+		if strings.HasPrefix(r, "/nix/store/") {
+			refs[i] = r
+		} else {
+			refs[i] = "/nix/store/" + r
+		}
+	}
+	return fmt.Sprintf("1;%s;%s;%d;%s",
+		ni.StorePath, ni.NarHash, ni.NarSize, strings.Join(refs, ","))
+}
+
+// Verify checks that at least one Sig line is a valid signature for pubKeyStr.
+// pubKeyStr must be in "name:base64(key)" Nix format.
+// Returns false (not an error) when no matching Sig line is found.
+func (ni *NarInfo) Verify(pubKeyStr string) (bool, error) {
+	keyName, key, err := ParsePublicKey(pubKeyStr)
+	if err != nil {
+		return false, err
+	}
+	fp := []byte(ni.Fingerprint())
+	for _, sigLine := range ni.Sig {
+		name, b64, ok := strings.Cut(sigLine, ":")
+		if !ok || name != keyName {
+			continue
+		}
+		sig, err := base64.StdEncoding.DecodeString(b64)
+		if err != nil || len(sig) != ed25519.SignatureSize {
+			continue
+		}
+		if ed25519.Verify(key, fp, sig) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 // Parses a narinfo from r. Returns error on malformed input or missing StorePath.
 func Parse(r io.Reader) (*NarInfo, error) {
 	ni := &NarInfo{}