From e971a8f5395e6de8e2e7de9e733a4fa95a6446a5 Mon Sep 17 00:00:00 2001
From: Matt F <15720856+friedrichsenm@users.noreply.github.com>
Date: Thu, 2 Jun 2022 09:48:04 -0500
Subject: [PATCH] bundle: dont sign manifest when empty

Previously, when creating a signed bundle and either no `.manifest` file is present or when the contents are the defaults, no `.manifest` file would get written to the `.tar.gz` output but there would be an entry for the manifest in the `.signatures.json` file when trying to verify the bundle. Now, hashing/signing the manifest file is skipped when it is empty or not present.
Fixes #4712
Signed-off-by: Matt F <15720856+friedrichsenm@users.noreply.github.com>
---
 bundle/bundle.go | 32 ++++++++++++++++++--------------
 bundle/bundle_test.go | 4 ++--
 2 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/bundle/bundle.go b/bundle/bundle.go
index 9ec1370099..cfa342df77 100644
--- a/bundle/bundle.go
+++ b/bundle/bundle.go
@@ -851,25 +851,29 @@ func hashBundleFiles(hash SignatureHasher, b *Bundle) ([]FileInfo, error) {
 files = append(files, NewFile(strings.TrimPrefix(planmodule.Path, "/"), hex.EncodeToString(bs), defaultHashingAlg))
 }
- // Parse the manifest into a JSON structure;
+ // If the manifest is essentially empty, don't add it to the signatures since it
+ // won't be written to the bundle. Otherwise:
+ // parse the manifest into a JSON structure;
 // then recursively order the fields of all objects alphabetically and then apply
 // the hash function to result to compute the hash.
- mbs, err := json.Marshal(b.Manifest)
- if err != nil {
- return files, err
- }
+ if !b.Manifest.Equal(Manifest{}) {
+ mbs, err := json.Marshal(b.Manifest)
+ if err != nil {
+ return files, err
+ }
- var result map[string]interface{}
- if err := util.Unmarshal(mbs, &result); err != nil {
- return files, err
- }
+ var result map[string]interface{}
+ if err := util.Unmarshal(mbs, &result); err != nil {
+ return files, err
+ }
- bs, err = hash.HashFile(result)
- if err != nil {
- return files, err
- }
+ bs, err = hash.HashFile(result)
+ if err != nil {
+ return files, err
+ }
- files = append(files, NewFile(strings.TrimPrefix(ManifestExt, "/"), hex.EncodeToString(bs), defaultHashingAlg))
+ files = append(files, NewFile(strings.TrimPrefix(ManifestExt, "/"), hex.EncodeToString(bs), defaultHashingAlg))
+ }
 return files, err
 }
diff --git a/bundle/bundle_test.go b/bundle/bundle_test.go
index aaef8f0a32..8282bd94fa 100644
--- a/bundle/bundle_test.go
+++ b/bundle/bundle_test.go
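Review bot: The `!b.Manifest.Equal(Manifest{})` guard in hashBundleFiles duplicates the bundle writer's rule for omitting the manifest file, and nothing in this hunk ties the two together. If the writer's condition (not visible here) ever differs from this one, the signed file list and the archive contents drift apart again, which is the mismatch this patch fixes. A predicate shared by both paths would prevent that, or at minimum a comment on the guard such as `// must stay in sync with the check the bundle writer uses before emitting the manifest`. Separately, `mbs, err := json.Marshal(b.Manifest)` now sits in a nested scope and declares a new `err`, so the trailing `return files, err` no longer sees the manifest path's error; since every failure in the block returns early, `return files, nil` would state the intent directly, assuming the outer `err` is nil at that point. The function starts above the hunk, so the outer `err` declaration is not visible.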
@@ -1338,8 +1338,8 @@ func TestHashBundleFiles(t *testing.T) {
 plan []byte
 exp int
 }{
- "no_content": {map[string]interface{}{}, Manifest{}, nil, nil, 2},
- "data": {map[string]interface{}{"foo": "bar"}, Manifest{}, nil, nil, 2},
+ "no_content": {map[string]interface{}{}, Manifest{}, nil, nil, 1},
+ "data": {map[string]interface{}{"foo": "bar"}, Manifest{}, nil, nil, 1},
 "data_and_manifest": {map[string]interface{}{"foo": "bar"}, Manifest{Revision: "quickbrownfaux"}, []byte{}, nil, 2},
 "data_and_manifest_and_wasm": {map[string]interface{}{"foo": "bar"}, Manifest{Revision: "quickbrownfaux"}, []byte("modules-compiled-as-wasm-binary"), nil, 3},
 "data_and_plan": {map[string]interface{}{"foo": "bar"}, Manifest{Revision: "quickbrownfaux"}, nil, []byte("not a plan but good enough"), 3},
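Review bot: Both updated cases pass the `Manifest{}` literal, so the table never exercises a manifest populated only with default values, which the commit message says is skipped as well. A case built from such a manifest and expecting 1 would pin that `Equal(Manifest{})` really covers it. The table also records only a count (`exp int`), so a regression that drops a different entry while keeping the manifest would still pass. If the loop body, which lies outside this hunk, does not already check names, asserting that no returned entry is the manifest in the empty cases would make the signing contract explicit.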