(choria-io#2029) ensure signatures are correctly verified in plugins manager

Signed-off-by: R.I.Pienaar <rip@devco.net>

Author: ripienaar

aagent/watchers/pluginswatcher/plugins.go

@@ -248,7 +248,7 @@ func (w *Watcher) watch(ctx context.Context) (state State, err error) {
 			}
 		}
 
-		w.Warnf("Deploying plugin %s from %s info %s", m.Name, m.Source, targetDir)
+		w.Warnf("Deploying plugin %s from %s into %s", m.Name, m.Source, targetDir)
 
 		err = os.MkdirAll(targetDir, 0700)
 		if err != nil {

aagent/watchers/pluginswatcher/plugins_test.go

@@ -15,6 +15,7 @@ import (
 	"time"
 
 	"github.com/choria-io/go-choria/aagent/model"
+	iu "github.com/choria-io/go-choria/internal/util"
 	"github.com/ghodss/yaml"
 	"github.com/golang/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
@@ -56,6 +57,27 @@ var _ = Describe("AAgent/Watchers/PluginsWatcher", func() {
 		os.RemoveAll(td)
 	})
 
+	Describe("Specification/Encode", func() {
+		It("Should correctly encode the specification", func() {
+			pub, priv, err := iu.Ed25519KeyPair()
+			Expect(err).ToNot(HaveOccurred())
+
+			data, err := os.ReadFile("testdata/plugins.json")
+			Expect(err).ToNot(HaveOccurred())
+
+			spec := &Specification{Plugins: data}
+			_, err = spec.Encode(hex.EncodeToString(priv))
+			Expect(err).ToNot(HaveOccurred())
+
+			sig, err := hex.DecodeString(spec.Signature)
+			Expect(err).ToNot(HaveOccurred())
+
+			ok, err := iu.Ed25519Verify(pub, data, sig)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(ok).To(BeTrue())
+		})
+	})
+
 	Describe("setProperties", func() {
 		It("Should support defaulting manager machine prefix", func() {
 			err = w.setProperties(map[string]any{})

aagent/watchers/pluginswatcher/specification.go

@@ -23,22 +23,17 @@ func (s *Specification) Encode(key string) ([]byte, error) {
 	var pk ed25519.PrivateKey
 	var err error
 
-	data, err := json.Marshal(s)
-	if err != nil {
-		return nil, err
-	}
-
 	if key != "" {
-		if iu.IsEncodedEd25519KeyString(key) {
-			pk, err = hex.DecodeString(key)
-		} else {
+		if iu.FileExist(key) {
 			_, pk, err = iu.Ed25519KeyPairFromSeedFile(key)
+		} else {
+			pk, err = hex.DecodeString(key)
 		}
 		if err != nil {
 			return nil, err
 		}
 
-		sig, err := iu.Ed25519Sign(pk, data)
+		sig, err := iu.Ed25519Sign(pk, s.Plugins)
 		if err != nil {
 			return nil, err
 		}

aagent/watchers/pluginswatcher/testdata/plugins.json

@@ -0,0 +1,9 @@
+[
+  {
+    "name": "requests",
+    "source": "http://plugins.choria.local/requests-agent_0.0.1_linux_amd64.tar.gz",
+    "verify": "SHA256SUMS",
+    "verify_checksum": "d3ebf8e4ae71245c051b9cb50f3712befbbc2c38c2cdf6e8e374eb7e613b1d11",
+    "checksum": "5e73881403990220ad5e63a971fb3b8fd8299087439843d38d856d3be053fdc0"
+  }
+]