Can't verify NuGet binaries with minisign-net

[danielcrenna]

Based on the integrity checking documentation (https://libsodium.gitbook.io/doc/installation#integrity-checking), I want to verify at runtime that the NuGet package binaries, which are copied to the runtime folders on build, hasn't been tampered with prior to executed them via P/Invoke.

To do that, I'm using https://github.com/bitbeans/minisign-net and hooking the native library loading event to resolve and load the library directly. I have the public key and I have the verified location of the native binary.

Unfortunately, I can't load a signature to verify with the public key in the documentation, as the signature is invalid when attempting to load any of the binaries provided in the NuGet package (I tried .dll, .so, and .dylib).

Is this distribution signed?

[jedisct1]

These are not signed.

This is apparently the way to sign Nuget packages, but I haven't looked at all how to make it part of the CI release process.

[jedisct1]

Visual Studio builds are signed, though, and are updated after each stable update. So you may want to use these.

[danielcrenna]

@jedisct1 Thanks for the background. My understanding is that "official" NuGet package signing is through the bulky digital authority process. I was hoping that it was possible for you to sign the binaries with Minisign, so that they could be verified the way the libsodium docs describe. It's not a big deal if they aren't signed at the NuGet level, the concern here is checking at runtime whether the binary about to execute is signed by you with Minisign.

[danielcrenna]

@jedisct1 What I've resorted to doing is using Minisign to sign my whole NuGet package before pushing it using GitHub Actions. Since you're also using GitHub Actions for CI, this is something that could be incorporated without the heavyweight "official" method of signing packages.

I assume you'd not want to put the master key in GitHub secrets but instead use a derived key for this purpose.

Here's a quick pseudo snippet for running after the pack step:

    - name: Sign NuGet Package w/ Minisign
      uses: thomaso-mirodin/minisign-action@master
      with:
        args: -Sm .libsodium-pack/libsodium.1.0.18.nupkg
        minisign_key: ${{ secrets.MINISIGN_KEY }}
        password: ${{ secrets.MINISIGN_PASSWORD }}
    
    - name: Upload NuGet Package signature  
    - uses: actions/upload-artifact@v1
      with:
        name: nuget-package-signature
        path: .libsodium-pack/libsodium.1.0.18.nupkg.minisig

[jmanico]

I would love to see signed NuGET's as well. Any progress here?

[danielcrenna]

I created my own CI workflow that downloads minisign and its signature, verifies it, and then uses minisign itself to sign my own NuGet package directly. Could be adapted to sign the official NuGets themselves, but, this works well enough for me. You can find my script here: https://github.com/egregore-project/egregore/blob/master/.github/workflows/dist.yml

…

On Thu, Apr 8, 2021 at 4:44 PM Jim Manico ***@***.***> wrote: I would love to see signed NuGET's as well. Any progress here? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#971 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA7USWB56DCLDNXFFUAHGTTHYIUFANCNFSM4OBIECJQ> .

-- Daniel Crenna Conatus Creative Inc. cell:613.400.4286