add untrusted comments to signatures

jshawl · Feb 16, 2024 · e9d704c · e9d704c
1 parent 3c81e26
commit e9d704c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 8 deletions.
diff --git a/lib/minisign/private_key.rb b/lib/minisign/private_key.rb
@@ -35,19 +35,19 @@ def public_key
     #
     # @param filename [String] The filename to be used in the trusted comment section
     # @param message [String] The file's contents
-    # @param comment [String] An optional trusted comment to be included in the signature
+    # @param trusted_comment [String] An optional trusted comment to be included in the signature
+    # @param untrusted_comment [String] An optional untrusted comment
     # @return [Minisign::Signature]
-    def sign(filename, message, comment = nil)
+    def sign(filename, message, trusted_comment = nil, untrusted_comment = nil)
       signature = ed25519_signing_key.sign(blake2b512(message))
-      trusted_comment = comment || "timestamp:#{Time.now.to_i}\tfile:#{filename}\thashed"
+      trusted_comment ||= "timestamp:#{Time.now.to_i}\tfile:#{filename}\thashed"
+      untrusted_comment ||= 'signature from minisign secret key'
       global_signature = ed25519_signing_key.sign("#{signature}#{trusted_comment}")
-      # TODO: allow setting an untrusted comment, too
       Minisign::Signature.new([
-        'untrusted comment: signature from minisign secret key',
+        "untrusted comment: #{untrusted_comment}",
         Base64.strict_encode64("ED#{@key_id.pack('C*')}#{signature}"),
         "trusted comment: #{trusted_comment}",
-        Base64.strict_encode64(global_signature),
-        ''
+        "#{Base64.strict_encode64(global_signature)}\n"
       ].join("\n"))
     end
 

diff --git a/spec/minisign/private_key_spec.rb b/spec/minisign/private_key_spec.rb
@@ -78,7 +78,11 @@
     it 'signs a file' do
       @filename = 'encrypted-key.txt'
       @message = SecureRandom.uuid
-      signature = @private_key.sign(@filename, @message, 'this is a trusted comment')
+      trusted_comment = 'this is a trusted comment'
+      untrusted_comment = 'this is an untrusted comment'
+      signature = @private_key.sign(@filename, @message, trusted_comment, untrusted_comment)
+      expect(signature.to_s).to match(trusted_comment)
+      expect(signature.to_s).to match(untrusted_comment)
       @public_key = Minisign::PublicKey.new('RWSmKaOrT6m3TGwjwBovgOmlhSbyBUw3hyhnSOYruHXbJa36xHr8rq2M')
       expect(@public_key.verify(signature, @message)).to match('Signature and comment signature verified')
       File.write("test/generated/#{@filename}", @message)