Fix updater and signature verification

2024-10-27 15:00:50 +01:00 · 2024-10-27 15:00:50 +01:00 · bbf9277107
commit bbf9277107
parent c58cc133d1
4 changed files with 15 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -5,15 +5,7 @@ This plugin adds naturally spawning Giants with AI to your Minecraft server.
 ### Signing
 Public key goes into `resources/verifies_downloaded_jars.pem`

-A test (and default) keystore is provided:
- keystore: `testkeystore`
- storepass: `123456`
- alias: `testkey`
-
-When using `mvn`, override with `-Djarsigner.`
-```
-mvn clean package -Djarsigner.keystore=/home/user/mykeystore.jks -Djarsigner.alias=mykey
-```
+A default keystore is not provided.

 To create a keystore and export public key:
 ```
@ -21,3 +13,8 @@ keytool -keystore testkeystore2.jks -genkeypair -keyalg RSA -alias testkey -vali
 keytool -exportcert -alias testkey -keystore testkeystore2.jks -file cert.cer -rfc
 openssl x509 -inform pem -in cert.cer -pubkey -noout > public_key.pem
 ```
+
+When using `mvn`, override with `-Djarsigner.`
+```
+mvn clean package -Djarsigner.keystore=/home/user/mykeystore.jks -Djarsigner.alias=mykey
+```
--- a/pom.xml
+++ b/pom.xml
@ -6,8 +6,8 @@

  <properties>
    <maven.compiler.release>11</maven.compiler.release>
-    <jarsigner.keystore>${project.basedir}/testkeystore.jks</jarsigner.keystore>
-    <jarsigner.alias>testkey</jarsigner.alias>
+    <jarsigner.keystore>${project.basedir}/keystore.jks</jarsigner.keystore>
+    <jarsigner.alias>mykey</jarsigner.alias>
    <jarsigner.storepass>123456</jarsigner.storepass>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
--- a/src/main/java/eu/m724/giants/updater/JarVerifier.java
+++ b/src/main/java/eu/m724/giants/updater/JarVerifier.java
@ -7,10 +7,13 @@ import java.security.GeneralSecurityException;
 import java.security.KeyFactory;
 import java.security.PublicKey;
 import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.X509EncodedKeySpec;
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Enumeration;
+import java.util.List;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.jar.Manifest;
@ -96,11 +99,14 @@ public class JarVerifier {

                    // Check if any signer's public key matches our RSA key
                    boolean keyMatch = false;
+                    List<String> signerPublicKeys = new ArrayList<>();
+
                    for (CodeSigner signer : signers) {
                        for (Certificate cert : signer.getSignerCertPath().getCertificates()) {
                            PublicKey certPublicKey = cert.getPublicKey();
                            if (certPublicKey instanceof RSAPublicKey) {
                                RSAPublicKey rsaKey = (RSAPublicKey) certPublicKey;
+                                signerPublicKeys.add(Base64.getEncoder().encodeToString(rsaKey.getEncoded()));
                                if (rsaKey.getModulus().equals(publicKey.getModulus()) &&
                                        rsaKey.getPublicExponent().equals(publicKey.getPublicExponent())) {
                                    keyMatch = true;
@ -112,7 +118,7 @@ public class JarVerifier {
                    }

                    if (!keyMatch) {
-                        throw new VerificationException("Entry not signed with matching RSA key: " + entry.getName());
+                        throw new VerificationException("Entry " + entry.getName() + " signed with " + String.join(", ", signerPublicKeys) + ", none of which match " + Base64.getEncoder().encodeToString(publicKey.getEncoded()));
                    }
                }
            }
--- a/testkeystore.jks
+++ b/testkeystore.jks