feat: add signtool to plugin repository

- Migrate signing tool from GoTunnel main project - Self-contained, no external dependencies - Updated CI workflow to build locally
2025-12-29 19:05:56 +08:00
parent 6b38f133f4
commit dd52c48351
7 changed files with 261 additions and 10 deletions
--- a/tools/signtool/sign/payload.go
+++ b/tools/signtool/sign/payload.go
@@ -0,0 +1,70 @@
+package sign
+
+import (
+	"crypto/ed25519"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+)
+
+// PluginPayload 插件签名载荷
+type PluginPayload struct {
+	Name       string `json:"name"`
+	Version    string `json:"version"`
+	SourceHash string `json:"source_hash"`
+	KeyID      string `json:"key_id"`
+	Timestamp  int64  `json:"timestamp"`
+}
+
+// SignedPlugin 已签名的插件
+type SignedPlugin struct {
+	Payload   PluginPayload `json:"payload"`
+	Signature string        `json:"signature"`
+}
+
+// NormalizeSource 规范化源码
+func NormalizeSource(source string) string {
+	normalized := strings.ReplaceAll(source, "\r\n", "\n")
+	normalized = strings.ReplaceAll(normalized, "\r", "\n")
+	return strings.TrimRight(normalized, " \t\n")
+}
+
+// HashSource 计算源码哈希
+func HashSource(source string) string {
+	normalized := NormalizeSource(source)
+	hash := sha256.Sum256([]byte(normalized))
+	return hex.EncodeToString(hash[:])
+}
+
+// CreatePayload 创建签名载荷
+func CreatePayload(name, version, source, keyID string) *PluginPayload {
+	return &PluginPayload{
+		Name:       name,
+		Version:    version,
+		SourceHash: HashSource(source),
+		KeyID:      keyID,
+		Timestamp:  time.Now().Unix(),
+	}
+}
+
+// SignPlugin 签名插件
+func SignPlugin(priv ed25519.PrivateKey, payload *PluginPayload) (*SignedPlugin, error) {
+	data, err := json.Marshal(payload)
+	if err != nil {
+		return nil, fmt.Errorf("marshal payload: %w", err)
+	}
+	sig := SignBase64(priv, data)
+	return &SignedPlugin{Payload: *payload, Signature: sig}, nil
+}
+
+// EncodeSignedPlugin 编码为 JSON
+func EncodeSignedPlugin(sp *SignedPlugin) (string, error) {
+	data, err := json.Marshal(sp)
+	if err != nil {
+		return "", err
+	}
+	return string(data), nil
+}
--- a/tools/signtool/sign/sign.go
+++ b/tools/signtool/sign/sign.go
@@ -0,0 +1,68 @@
+package sign
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+)
+
+var (
+	ErrInvalidSignature  = errors.New("invalid signature")
+	ErrInvalidPublicKey  = errors.New("invalid public key")
+	ErrInvalidPrivateKey = errors.New("invalid private key")
+)
+
+// KeyPair Ed25519 密钥对
+type KeyPair struct {
+	PublicKey  ed25519.PublicKey
+	PrivateKey ed25519.PrivateKey
+}
+
+// GenerateKeyPair 生成新的密钥对
+func GenerateKeyPair() (*KeyPair, error) {
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("generate key: %w", err)
+	}
+	return &KeyPair{PublicKey: pub, PrivateKey: priv}, nil
+}
+
+// Sign 使用私钥签名数据
+func Sign(privateKey ed25519.PrivateKey, data []byte) []byte {
+	return ed25519.Sign(privateKey, data)
+}
+
+// Verify 使用公钥验证签名
+func Verify(publicKey ed25519.PublicKey, data, signature []byte) bool {
+	return ed25519.Verify(publicKey, data, signature)
+}
+
+// SignBase64 签名并返回 Base64 编码
+func SignBase64(privateKey ed25519.PrivateKey, data []byte) string {
+	sig := Sign(privateKey, data)
+	return base64.StdEncoding.EncodeToString(sig)
+}
+
+// EncodePublicKey 编码公钥为 Base64
+func EncodePublicKey(pub ed25519.PublicKey) string {
+	return base64.StdEncoding.EncodeToString(pub)
+}
+
+// EncodePrivateKey 编码私钥为 Base64
+func EncodePrivateKey(priv ed25519.PrivateKey) string {
+	return base64.StdEncoding.EncodeToString(priv)
+}
+
+// DecodePrivateKey 从 Base64 解码私钥
+func DecodePrivateKey(s string) (ed25519.PrivateKey, error) {
+	data, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return nil, err
+	}
+	if len(data) != ed25519.PrivateKeySize {
+		return nil, ErrInvalidPrivateKey
+	}
+	return ed25519.PrivateKey(data), nil
+}