3 releases

Version | Date |
---|---|
0.1.2 | Jan 25, 2019 |
0.1.1 | Jan 25, 2019 |
0.1.0 | Jan 24, 2019 |
A tool to add and verify digital signatures to/from WASM binaries.
WASM signatures
Unlike typical desktop and mobile applications, WebAssembly binaries do not embed any kind of digital signature that would let a consumer verify that they come from a trusted source and haven't been tampered with.
Wasmsign takes an existing wasm binary, computes an EdDSA signature, and builds a new binary embedding that signature as a global, exported symbol.
The resulting binary remains a standalone, valid wasm binary, but its signature can be verified prior to executing it.
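To make "a global, exported symbol" concrete, here is an added example (not wasmsign's own code) that walks a wasm binary's export section and reports the kind and index of an export with a given name, such as the default `___SIGNATURE`. It only tells you whether such a symbol is present; it does not check the signature, which is still the job of `wasmsign --verify`. The `sample_module` helper and its bytes are constructed for the demonstration and are not wasmsign output.

```rust
/// Decode an unsigned LEB128 u32 at *pos and advance it; None if truncated or too long.
fn read_u32(buf: &[u8], pos: &mut usize) -> Option<u32> {
    let mut value = 0u32;
    for shift in (0..35).step_by(7) {
        let byte = *buf.get(*pos)?;
        *pos += 1;
        value |= u32::from(byte & 0x7f) << shift;
        if byte & 0x80 == 0 { return Some(value); }
    }
    None
}

/// Added example: return (kind, index) of the export called `name`; None if absent or malformed.
fn find_export(wasm: &[u8], name: &str) -> Option<(u8, u32)> {
    if wasm.get(..8)? != &b"\0asm\x01\0\0\0"[..] { return None; } // magic + version 1
    let mut pos = 8;
    while pos < wasm.len() {
        let id = wasm[pos];
        pos += 1;
        let size = read_u32(wasm, &mut pos)? as usize;
        let end = pos.checked_add(size)?;
        let section = wasm.get(pos..end)?; // None if the size runs past end of file
        pos = end;
        if id != 7 { continue; } // 7 = export section
        let mut p = 0;
        for _ in 0..read_u32(section, &mut p)? {
            let len = read_u32(section, &mut p)? as usize;
            let sym = section.get(p..p.checked_add(len)?)?;
            p += len;
            let kind = *section.get(p)?; // 0 func, 1 table, 2 memory, 3 global
            p += 1;
            let index = read_u32(section, &mut p)?;
            if sym == name.as_bytes() { return Some((kind, index)); }
        }
    }
    None
}

/// Constructed sample (not wasmsign output): one i32 global exported as `name`.
fn sample_module(name: &str) -> Vec<u8> {
    let n = name.len() as u8; // sample names are short, one LEB128 byte
    let mut m = b"\0asm\x01\0\0\0".to_vec();
    m.extend_from_slice(&[6, 6, 1, 0x7f, 0, 0x41, 0, 0x0b]); // global section: i32.const 0
    m.extend_from_slice(&[7, n + 4, 1, n]); // export section: size, count, name length
    m.extend_from_slice(name.as_bytes());
    m.extend_from_slice(&[3, 0]); // kind 3 (global), global index 0
    m
}
fn main() { println!("{:?}", find_export(&sample_module("___SIGNATURE"), "___SIGNATURE")); }
```

A missing symbol is a cheap early signal that a binary was never signed, but a present symbol proves nothing until the signature has been verified against the expected public key.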
Installation
wasmsign requires rust-nightly, which can be installed using rustup.
cargo install is then all it takes to compile and install the command-line wasmsign tool.
Usage
wasmsign [FLAGS] [OPTIONS] --symbol-name <symbol-name>

FLAGS:
    -h, --help       Prints help information
    -G, --keygen     Generate a key pair
    -S, --sign       Sign a file
        --version    Prints version information
    -V, --verify     Verify a file

OPTIONS:
    -a, --ad <ad>                      Additional content to authenticate
    -i, --input <input-path>           Path to the wasm input file
    -o, --output <output-path>         Path to the wasm output file
    -p, --pk-path <pk-path>            Path to the public key file
    -s, --sk-path <sk-path>            Path to the secret key file
    -n, --symbol-name <symbol-name>    Name of the exported symbol containing the signature [default: ___SIGNATURE]
Create a key pair
wasmsign --keygen --pk-path key.public --sk-path key.secret
Sign an existing wasm binary
wasmsign --sign --pk-path key.public --sk-path key.secret \
--input unsigned.wasm --output signed.wasm
Additional data can be authenticated, so that the signature is only valid for a given user, group, or machine:
wasmsign --sign --pk-path key.public --sk-path key.secret \
--input unsigned.wasm --output signed.wasm --ad user19238
Verify an existing wasm binary
wasmsign --verify --pk-path key.public --input signed.wasm
or with additional data:
wasmsign --verify --pk-path key.public --input signed.wasm --ad user19238
The command exits with 0 if the embedded signature is valid for the given public key, content and additional data, or with a non-0 value on error.