feat(metadata): add metadata signature verification

Author: QaidVoid

Cargo.lock

@@ -356,6 +356,10 @@ pub enum Commands {
         #[arg(required = false, short, long)]
         yes: bool,
 
+        /// Skip checksum verification before running
+        #[arg(required = false, long)]
+        no_verify: bool,
+
         /// Command to execute
         #[arg(required = true)]
         command: Vec<String>,

crates/soar-cli/src/cli.rs

@@ -304,6 +304,7 @@ async fn handle_cli() -> SoarResult<()> {
                 } => inspect_log(&package, InspectType::BuildScript).await?,
                 cli::Commands::Run {
                     yes,
+                    no_verify,
                     command,
                     pkg_id,
                     repo_name,
@@ -312,6 +313,7 @@ async fn handle_cli() -> SoarResult<()> {
                         &ctx,
                         command.as_ref(),
                         yes,
+                        no_verify,
                         repo_name.as_deref(),
                         pkg_id.as_deref(),
                     )

crates/soar-cli/src/main.rs

@@ -7,6 +7,7 @@ pub async fn run_package(
     ctx: &SoarContext,
     command: &[String],
     yes: bool,
+    no_verify: bool,
     repo_name: Option<&str>,
     pkg_id: Option<&str>,
 ) -> SoarResult<i32> {
@@ -17,7 +18,7 @@ pub async fn run_package(
         &[]
     };
 
-    let result = run::prepare_run(ctx, package_name, repo_name, pkg_id).await?;
+    let result = run::prepare_run(ctx, package_name, repo_name, pkg_id, no_verify).await?;
 
     let output_path = match result {
         PrepareRunResult::Ready(path) => path,
@@ -33,9 +34,14 @@ pub async fn run_package(
             };
 
             // Re-run with selected package
-            let result =
-                run::prepare_run(ctx, package_name, Some(&pkg.repo_name), Some(&pkg.pkg_id))
-                    .await?;
+            let result = run::prepare_run(
+                ctx,
+                package_name,
+                Some(&pkg.repo_name),
+                Some(&pkg.pkg_id),
+                no_verify,
+            )
+            .await?;
 
             match result {
                 PrepareRunResult::Ready(path) => path,

crates/soar-cli/src/run.rs

@@ -440,6 +440,12 @@ impl Config {
             if repo.pubkey.is_none() && repo.name.as_str() == "soarpkgs" {
                 repo.pubkey = Some(SOARPKGS_PUBKEY.to_string())
             }
+
+            let explicitly_enabled = self.signature_verification == Some(true)
+                || repo.signature_verification == Some(true);
+            if explicitly_enabled && repo.pubkey.is_none() {
+                return Err(ConfigError::MissingPubkey(repo.name.clone()));
+            }
         }
 
         Ok(())
@@ -685,6 +691,23 @@ mod tests {
         assert!(matches!(result, Err(ConfigError::ReservedRepositoryName)));
     }
 
+    #[test]
+    fn test_config_resolve_signature_verification_without_pubkey() {
+        let mut config = Config::default_config::<&str>(&[]);
+        config.repositories.push(Repository {
+            name: "needs-key".to_string(),
+            url: "https://example.com".to_string(),
+            desktop_integration: None,
+            pubkey: None,
+            enabled: Some(true),
+            signature_verification: Some(true),
+            sync_interval: None,
+        });
+
+        let result = config.resolve();
+        assert!(matches!(result, Err(ConfigError::MissingPubkey(_))));
+    }
+
     #[test]
     fn test_config_resolve_duplicate_repo() {
         let mut config = Config::default_config::<&str>(&[]);

crates/soar-config/src/config.rs

@@ -82,6 +82,13 @@ pub enum ConfigError {
     )]
     DuplicateRepositoryName(String),
 
+    #[error("Repository '{0}' has signature verification enabled but no pubkey configured")]
+    #[diagnostic(
+        code(soar_config::missing_pubkey),
+        help("Provide a pubkey for the repository or disable signature_verification")
+    )]
+    MissingPubkey(String),
+
     #[error(transparent)]
     #[diagnostic(code(soar_config::io))]
     IoError(#[from] std::io::Error),

crates/soar-config/src/error.rs

@@ -9,7 +9,6 @@ use soar_core::{
 };
 use soar_db::repository::metadata::MetadataRepository;
 use soar_dl::{download::Download, oci::OciDownload, types::OverwriteMode};
-use soar_events::SoarEvent;
 use soar_utils::hash::calculate_checksum;
 use tracing::debug;
 
@@ -27,6 +26,7 @@ pub async fn prepare_run(
     package_name: &str,
     repo_name: Option<&str>,
     pkg_id: Option<&str>,
+    no_verify: bool,
 ) -> SoarResult<PrepareRunResult> {
     debug!(package_name = package_name, "preparing run");
     let config = ctx.config();
@@ -39,9 +39,6 @@ pub async fn prepare_run(
     let version = query.version.as_deref();
 
     let output_path = cache_bin.join(package_name);
-    if output_path.exists() {
-        return Ok(PrepareRunResult::Ready(output_path));
-    }
 
     let metadata_mgr = ctx.metadata_manager().await?;
 
@@ -108,6 +105,34 @@ pub async fn prepare_run(
 
     let package = packages.into_iter().next().unwrap().resolve(version);
 
+    // Refuse to execute a package whose integrity cannot be checked. OCI
+    // artifacts are digest-verified during download, so they are exempt.
+    if !no_verify && package.bsum.is_none() && package.ghcr_blob.is_none() {
+        return Err(SoarError::Custom(format!(
+            "Refusing to run {}#{}: no checksum to verify integrity (use --no-verify to override)",
+            package.pkg_name, package.pkg_id
+        )));
+    }
+
+    // Reuse a cached binary only after re-verifying it against the expected
+    // checksum, so a stale or tampered cache entry is never executed blindly.
+    if output_path.exists() {
+        match package.bsum {
+            Some(ref bsum) if !no_verify => {
+                let checksum = calculate_checksum(&output_path)?;
+                if checksum == *bsum {
+                    return Ok(PrepareRunResult::Ready(output_path));
+                }
+                debug!(
+                    package = %package.pkg_name,
+                    "cached binary checksum mismatch; re-downloading"
+                );
+                fs::remove_file(&output_path).ok();
+            }
+            _ => return Ok(PrepareRunResult::Ready(output_path)),
+        }
+    }
+
     fs::create_dir_all(&cache_bin)
         .with_context(|| format!("creating directory {}", cache_bin.display()))?;
 
@@ -119,22 +144,13 @@ pub async fn prepare_run(
         package.pkg_id.clone(),
     );
 
-    download_to_cache(&package, &output_path, &cache_bin, progress_callback)?;
-
-    // Checksum verification
-    let checksum = calculate_checksum(&output_path)?;
-    if let Some(ref bsum) = package.bsum {
-        if checksum != *bsum {
-            ctx.events().emit(SoarEvent::Log {
-                level: soar_events::LogLevel::Warning,
-                message: format!(
-                    "Checksum mismatch for {}: expected {}, got {}",
-                    package.pkg_name, bsum, checksum
-                ),
-            });
-            return Err(SoarError::InvalidChecksum);
-        }
-    }
+    download_to_cache(
+        &package,
+        &output_path,
+        &cache_bin,
+        no_verify,
+        progress_callback,
+    )?;
 
     Ok(PrepareRunResult::Ready(output_path))
 }
@@ -157,6 +173,7 @@ fn download_to_cache(
     package: &Package,
     output_path: &Path,
     cache_bin: &Path,
+    no_verify: bool,
     progress_callback: Arc<dyn Fn(soar_dl::types::Progress) + Send + Sync>,
 ) -> SoarResult<()> {
     if let Some(ref url) = package.ghcr_blob {
@@ -176,6 +193,11 @@ fn download_to_cache(
             .overwrite(OverwriteMode::Force)
             .extract(true)
             .extract_to(&extract_dir);
+        if !no_verify {
+            if let Some(ref bsum) = package.bsum {
+                dl = dl.checksum(bsum.clone());
+            }
+        }
         dl = dl.progress(move |p| {
             cb(p);
         });

crates/soar-operations/src/run.rs

@@ -11,6 +11,7 @@ categories.workspace = true
 
 [dependencies]
 miette = { workspace = true }
+minisign-verify = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 soar-config = { workspace = true }

crates/soar-registry/Cargo.toml

@@ -69,6 +69,36 @@ pub enum RegistryError {
     )]
     MissingEtag,
 
+    #[error("Insecure repository URL: {0}")]
+    #[diagnostic(
+        code(soar_registry::insecure_url),
+        help("Repository metadata must be served over https")
+    )]
+    InsecureUrl(String),
+
+    #[error("Could not fetch metadata signature for {repo}: {reason}")]
+    #[diagnostic(
+        code(soar_registry::signature_missing),
+        help(
+            "Signature verification is enabled but the detached signature could not be retrieved"
+        )
+    )]
+    MetadataSignatureMissing { repo: String, reason: String },
+
+    #[error("Metadata signature verification failed for {repo}: {reason}")]
+    #[diagnostic(
+        code(soar_registry::signature_invalid),
+        help("The metadata may be tampered with or signed by a different key")
+    )]
+    MetadataSignatureInvalid { repo: String, reason: String },
+
+    #[error("Metadata exceeds the maximum decompressed size of {limit} bytes")]
+    #[diagnostic(
+        code(soar_registry::metadata_too_large),
+        help("The metadata file is unexpectedly large and may be a decompression bomb")
+    )]
+    MetadataTooLarge { limit: u64 },
+
     #[error("{0}")]
     #[diagnostic(code(soar_registry::custom))]
     Custom(String),