setup signer opts pass through

Author: Emyrk

cli/server.go

@@ -15,6 +15,7 @@ import (
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/code-marketplace/extensionsign"
 
 	"github.com/coder/code-marketplace/api"
 	"github.com/coder/code-marketplace/database"
@@ -23,12 +24,14 @@ import (
 
 func serverFlags() (addFlags func(cmd *cobra.Command), opts *storage.Options) {
 	opts = &storage.Options{}
+	var sign bool
 	return func(cmd *cobra.Command) {
 		cmd.Flags().StringVar(&opts.ExtDir, "extensions-dir", "", "The path to extensions.")
 		cmd.Flags().StringVar(&opts.Artifactory, "artifactory", "", "Artifactory server URL.")
 		cmd.Flags().StringVar(&opts.Repo, "repo", "", "Artifactory repository.")
 		cmd.Flags().DurationVar(&opts.ListCacheDuration, "list-cache-duration", time.Minute, "The duration of the extension cache.")
-		cmd.Flags().BoolVar(&opts.SignExtensions, "sign", false, "Sign extensions.")
+		cmd.Flags().BoolVar(&sign, "sign", false, "Sign extensions.")
+		_ = cmd.Flags().MarkHidden("sign") // This flag needs to import a key, not just be a bool
 
 		var before func(cmd *cobra.Command, args []string) error
 		if cmd.PreRunE != nil {
@@ -47,6 +50,9 @@ func serverFlags() (addFlags func(cmd *cobra.Command), opts *storage.Options) {
 			if before != nil {
 				return before(cmd, args)
 			}
+			if sign { // TODO: Remove this for an actual key import
+				opts.Signer, _ = extensionsign.GenerateKey()
+			}
 			return nil
 		}
 	}, opts

storage/signature.go

@@ -2,6 +2,7 @@ package storage
 
 import (
 	"context"
+	"crypto"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -22,19 +23,23 @@ const (
 )
 
 type Signature struct {
-	// SignDesignExtensions is a flag that determines if the signature should
-	// include the extension payloads.
-	signExtensions bool
+	// Signer if provided, will be used to sign extensions. If not provided,
+	// no extensions will be signed.
+	Signer crypto.Signer
 	Storage
 }
 
-func NewSignatureStorage(signExtensions bool, s Storage) *Signature {
+func NewSignatureStorage(signer crypto.Signer, s Storage) *Signature {
 	return &Signature{
-		signExtensions: signExtensions,
-		Storage:        s,
+		Signer:  signer,
+		Storage: s,
 	}
 }
 
+func (s *Signature) SigningEnabled() bool {
+	return s.Signer != nil
+}
+
 // AddExtension includes the signature manifest of the vsix. Signing happens on
 // demand, so leave the manifest unsigned. This is safe to do even if
 // 'signExtensions' is disabled, as these files lay dormant until signed.
@@ -61,7 +66,7 @@ func (s *Signature) Manifest(ctx context.Context, publisher, name string, versio
 		return nil, err
 	}
 
-	if s.signExtensions {
+	if s.SigningEnabled() {
 		manifest.Assets.Asset = append(manifest.Assets.Asset, VSIXAsset{
 			Type:        VSIXSignatureType,
 			Path:        sigzipFilename,
@@ -72,11 +77,11 @@ func (s *Signature) Manifest(ctx context.Context, publisher, name string, versio
 }
 
 func (s *Signature) Open(ctx context.Context, fp string) (fs.File, error) {
-	if s.signExtensions && filepath.Base(fp) == "p7s.sig" {
+	if s.SigningEnabled() && filepath.Base(fp) == "p7s.sig" {
 		// This file must exist, and it is always empty
 		return mem.NewFileHandle(mem.CreateFile("p7s.sig")), nil
 	}
-	if s.signExtensions && filepath.Base(fp) == sigzipFilename {
+	if s.SigningEnabled() && filepath.Base(fp) == sigzipFilename {
 		// hijack this request, sign the sig manifest
 		manifest, err := s.Storage.Open(ctx, filepath.Join(filepath.Dir(fp), sigManifestName))
 		if err != nil {
@@ -85,13 +90,12 @@ func (s *Signature) Open(ctx context.Context, fp string) (fs.File, error) {
 		}
 		defer manifest.Close()
 
-		key, _ := extensionsign.GenerateKey()
 		manifestData, err := io.ReadAll(manifest)
 		if err != nil {
 			return nil, xerrors.Errorf("read signature manifest: %w", err)
 		}
 
-		signed, err := extensionsign.SignAndZipManifest(key, manifestData)
+		signed, err := extensionsign.SignAndZipManifest(s.Signer, manifestData)
 		if err != nil {
 			return nil, xerrors.Errorf("sign and zip manifest: %w", err)
 		}

storage/storage.go

@@ -2,6 +2,7 @@ package storage
 
 import (
 	"context"
+	"crypto"
 	"encoding/json"
 	"encoding/xml"
 	"fmt"
@@ -127,7 +128,7 @@ type VSIXAsset struct {
 }
 
 type Options struct {
-	SignExtensions    bool
+	Signer            crypto.Signer
 	Artifactory       string
 	ExtDir            string
 	Repo              string
@@ -292,7 +293,7 @@ func NewStorage(ctx context.Context, options *Options) (Storage, error) {
 		return nil, err
 	}
 
-	return NewSignatureStorage(options.SignExtensions, store), nil
+	return NewSignatureStorage(options.Signer, store), nil
 }
 
 // ReadVSIXManifest reads and parses an extension manifest from a vsix file.  If