Bump sdk to v0.1.8 (#349)

* Bump sdk to v0.1.8 Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com> * Use new signing methods Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com> --------- Signed-off-by: Mauro Morales <mauro.morales@spectrocloud.com>
2025-06-03 01:44:53 +00:00 · 2024-05-23 16:06:30 +02:00 · 2024-05-23 16:06:30 +02:00 · 6dd5a18e96
commit 6dd5a18e96
parent 5e400ca4d7
3 changed files with 28 additions and 12 deletions
--- a/go.mod
+++ b/go.mod
@ -18,7 +18,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/jaypipes/ghw v0.12.0
 	github.com/joho/godotenv v1.5.1
-	github.com/kairos-io/kairos-sdk v0.1.7
+	github.com/kairos-io/kairos-sdk v0.1.8
 	github.com/kairos-io/kcrypt v0.11.1
 	github.com/labstack/echo/v4 v4.12.0
 	github.com/mitchellh/mapstructure v1.5.0
@ -44,7 +44,7 @@ require (

 require (
 	github.com/edsrzf/mmap-go v1.1.0
-	github.com/foxboron/go-uefi v0.0.0-20240128152106-48be911532c2
+	github.com/foxboron/go-uefi v0.0.0-20240522180132-205d5597883a
 	github.com/google/go-github/v40 v40.0.0
 	github.com/saferwall/pe v1.5.3
 	github.com/twpayne/go-vfs/v4 v4.3.0
--- a/go.sum
+++ b/go.sum
@ -152,8 +152,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/erikgeiser/promptkit v0.9.0 h1:3qL1mS/ntCrXdb8sTP/ka82CJ9kEQaGuYXNrYJkWYBc=
 github.com/erikgeiser/promptkit v0.9.0/go.mod h1:pU9dtogSe3Jlc2AY77EP7R4WFP/vgD4v+iImC83KsCo=
-github.com/foxboron/go-uefi v0.0.0-20240128152106-48be911532c2 h1:qGlg/7H49H30Eu7nkCBA7YxNmW30ephqBf7xIxlAGuQ=
-github.com/foxboron/go-uefi v0.0.0-20240128152106-48be911532c2/go.mod h1:ffg/fkDeOYicEQLoO2yFFGt00KUTYVXI+rfnc8il6vQ=
+github.com/foxboron/go-uefi v0.0.0-20240522180132-205d5597883a h1:Q/VIO3QAlaF95JqVVF39udInPR76lu02yrMDInavm8Q=
+github.com/foxboron/go-uefi v0.0.0-20240522180132-205d5597883a/go.mod h1:ffg/fkDeOYicEQLoO2yFFGt00KUTYVXI+rfnc8il6vQ=
 github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@ -289,8 +289,8 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/jzelinskie/whirlpool v0.0.0-20201016144138-0675e54bb004 h1:G+9t9cEtnC9jFiTxyptEKuNIAbiN5ZCQzX2a74lj3xg=
 github.com/jzelinskie/whirlpool v0.0.0-20201016144138-0675e54bb004/go.mod h1:KmHnJWQrgEvbuy0vcvj00gtMqbvNn1L+3YUZLK/B92c=
-github.com/kairos-io/kairos-sdk v0.1.7 h1:h2H1/sG4+4xEPh0zMFFtl4yEgzrXI8IDdDiQZe4ib6g=
-github.com/kairos-io/kairos-sdk v0.1.7/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
+github.com/kairos-io/kairos-sdk v0.1.8 h1:TKigA+3Nmzn/NLztbLVBLacpx0cK1oJl1AoZarohU98=
+github.com/kairos-io/kairos-sdk v0.1.8/go.mod h1:asSOyJanH10Cnxl9zx5RzyYNMhEworaiMh/7uRnS4GA=
 github.com/kairos-io/kcrypt v0.11.1 h1:azIX1QI5dEzVLvgftNleCY4AyklhTXewCoi4eTC7jhU=
 github.com/kairos-io/kcrypt v0.11.1/go.mod h1:Gz1izzOWwbnJwtq+XqiZQ8cPktWcDIKw03YM1PWAk4c=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
--- a/pkg/uki/common.go
+++ b/pkg/uki/common.go
@ -1,6 +1,7 @@
 package uki

 import (
+	"bytes"
 	"crypto/x509"
 	"encoding/hex"
 	"errors"
@ -10,10 +11,10 @@ import (
 	"strings"

 	"github.com/edsrzf/mmap-go"
+	"github.com/foxboron/go-uefi/authenticode"
 	"github.com/foxboron/go-uefi/efi"
-	"github.com/foxboron/go-uefi/efi/pecoff"
-	"github.com/foxboron/go-uefi/efi/pkcs7"
 	"github.com/foxboron/go-uefi/efi/signature"
+	"github.com/foxboron/go-uefi/pkcs7"
 	"github.com/kairos-io/kairos-agent/v2/pkg/constants"
 	v1 "github.com/kairos-io/kairos-agent/v2/pkg/types/v1"
 	fsutils "github.com/kairos-io/kairos-agent/v2/pkg/utils/fs"
@ -231,14 +232,19 @@ func checkArtifactSignatureIsValid(fs v1.FS, artifact string, logger sdkTypes.Ka

 	logger.Logger.Debug().Str("what", artifact).Msg("Getting signatures from artifact")
 	// Get signatures from the artifact
-	sigs, err := pecoff.GetSignatures(data)
+	binary, err := authenticode.Parse(bytes.NewReader(data))
 	if err != nil {
 		return fmt.Errorf("%s: %w", artifact, err)
 	}
-	if len(sigs) == 0 {
+	if binary.Datadir.Size == 0 {
 		return fmt.Errorf("no signatures in the file %s", artifact)
 	}

+	sigs, err := binary.Signatures()
+	if err != nil {
+		return fmt.Errorf("%s: %w", artifact, err)
+	}
+
 	logger.Logger.Debug().Str("what", artifact).Msg("Getting DBX certs")
 	dbx, err := efi.Getdbx()
 	if err != nil {
@ -271,7 +277,12 @@ func checkArtifactSignatureIsValid(fs v1.FS, artifact string, logger sdkTypes.Ka
 			for _, sig := range sigs {
 				for _, cert := range result {
 					logger.Logger.Debug().Str("what", artifact).Str("subject", cert.Subject.CommonName).Msg("checking signature")
-					ok, _ := pkcs7.VerifySignature(cert, sig.Certificate)
+					p, err := pkcs7.ParsePKCS7(sig.Certificate)
+					if err != nil {
+						logger.Logger.Info().Str("error", err.Error()).Msg("parsing signature")
+						return err
+					}
+					ok, _ := p.Verify(cert)
 					// If cert matches then it means its blacklisted so return error
 					if ok {
 						return fmt.Errorf("artifact is signed with a blacklisted cert")
@ -288,7 +299,12 @@ func checkArtifactSignatureIsValid(fs v1.FS, artifact string, logger sdkTypes.Ka
 	for _, sig := range sigs {
 		for _, cert := range dbCerts {
 			logger.Logger.Debug().Str("what", artifact).Str("subject", cert.Subject.CommonName).Msg("checking signature")
-			ok, _ := pkcs7.VerifySignature(cert, sig.Certificate)
+			p, err := pkcs7.ParsePKCS7(sig.Certificate)
+			if err != nil {
+				logger.Logger.Info().Str("error", err.Error()).Msg("parsing signature")
+				return err
+			}
+			ok, _ := p.Verify(cert)
 			if ok {
 				logger.Logger.Info().Str("what", artifact).Str("subject", cert.Subject.CommonName).Msg("verified")
 				return nil