+14 -1

src/main.rs

reviewed

··· 1 1 mod fingerprint; 2 2 mod raw; 3 3 - //mod sign; 3 3 + mod sign; 4 4 mod utils; 5 5 //mod verify; 6 6 ··· 28 28 /// The path to the base64 encoded key to hash 29 29 #[arg(short = 'k', long)] 30 30 key: PathBuf, 31 31 + }, 32 32 + /// Sign an arbitrary object 33 33 + Sign { 34 34 + /// The path to the base64 encoded secret key to sign with 35 35 + #[arg(short = 'k', long)] 36 36 + secret_key: PathBuf, 37 37 + 38 38 + /// The git revision to sign 39 39 + git_rev: String, 31 40 }, 32 41 } 33 42 ··· 71 80 git_tree: rev, 72 81 }) => raw::verify::command(public_key, recover, rev), 73 82 Action::Fingerprint { key } => fingerprint::command(key), 83 83 + Action::Sign { 84 84 + secret_key, 85 85 + git_rev: rev, 86 86 + } => sign::command(secret_key, rev), 74 87 } 75 88 }

+31

src/sign.rs

reviewed

··· 1 1 + //! Create signatures with [`libsignify`] and store references 2 2 + //! to them in git. 3 3 + 4 4 + use std::path::PathBuf; 5 5 + 6 6 + use anyhow::{Context, Result}; 7 7 + 8 8 + use crate::raw::sign::sign; 9 9 + use crate::utils; 10 10 + 11 11 + /// Execute the `sign` command. 12 12 + pub fn command(key_path: PathBuf, rev: String) -> Result<()> { 13 13 + let repo = utils::open_repository()?; 14 14 + let secret_key = utils::get_secret_key(key_path)?; 15 15 + let tree_oid = sign(&repo, &secret_key, &rev)?; 16 16 + let signed_object = { 17 17 + let tree_sig = utils::TreeSignature::load_oid(&repo, tree_oid)?; 18 18 + tree_sig.dereference()? 19 19 + }; 20 20 + let key_fingerprint = utils::hash_bytes(&secret_key.public().key()[..])?; 21 21 + let reference = format!("refs/signify/signatures/{key_fingerprint}/{signed_object}"); 22 22 + repo.reference( 23 23 + &reference, tree_oid, 24 24 + // references to signatures will never change, so it is 25 25 + // safe to force overwriting faulty references 26 26 + true, "", 27 27 + ) 28 28 + .context("Failed to store reference to signature")?; 29 29 + println!("Signature stored under: {reference}"); 30 30 + Ok(()) 31 31 + }