feat: v1.1.1, add runrs verification

2025-01-23 23:42:05 +08:00
parent 11b4e6c005
commit 35a7972673
6 changed files with 397 additions and 3 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -10,6 +10,7 @@ mod list;
 mod run_rs;
 mod template;
 mod util;
+mod verify;

 #[derive(FromArgs, PartialEq, Debug)]
 /// Run script
--- a/src/run_rs.rs
+++ b/src/run_rs.rs
@@ -1,4 +1,5 @@
-use crate::{util, RunScriptArgs};
+use rust_util::util_env::is_env_on;
+use crate::{util, verify, RunScriptArgs};
 use rust_util::util_os::get_user_home;

 pub fn do_run_script(rs_args: &RunScriptArgs) {
@@ -6,6 +7,8 @@ pub fn do_run_script(rs_args: &RunScriptArgs) {
        failure_and_exit!("Must assign a script file name");
    }
    let script_file = &rs_args.arguments[0];
+    verify::verify_script(script_file, is_env_on("RUNRS_SKIP_VERIFY"));
+
    let (_, script_sha256) = util::read_file_and_digest(script_file);
    debugging!("File {} -> sha256: {}", script_file, script_sha256);

--- a/src/script.help.rs.txt
+++ b/src/script.help.rs.txt
@@ -26,6 +26,7 @@ Environment variables:
 │ RUNRS_SKIP_CACHE     │ Skip compiled cached file, `bool`              │
 │ RUNRS_REBUILD        │ Force rebuild, `bool`                          │
 │ RUNRS_SILENT_BUILD   │ Build new binary in silent mode, `bool`        │
+│ RUNRS_SKIP_VERIFY    │ Skip script verification, `bool`               │
 │ RUNRS_RUST_SCRIPT    │ `rust_script` command line bin file            │
 │ RUNRS_MAX_SCRIPT_LEN │ Max script length, default 1MB                 │
 └──────────────────────┴────────────────────────────────────────────────┘
--- a/src/verify.rs
+++ b/src/verify.rs
@@ -0,0 +1,20 @@
+use script_sign::Script;
+
+pub fn verify_script(file: &str, skip_verify: bool) {
+    if skip_verify {
+        debugging!("Script {file} verification skipped");
+        return;
+    }
+    match Script::verify_script_file_with_system_key_map(file) {
+        Ok(true) => {
+            debugging!("Script {file} verification success");
+            // Verify file ok!
+        }
+        Ok(false) => {
+            failure_and_exit!("Verify script {file} failed, no signature or bad signature");
+        }
+        Err(e) => {
+            failure_and_exit!("Verify script {file} failed, error: {e}");
+        }
+    }
+}