Release 2.19.0

Update changelog
Support signature verification (minisign)
2026-05-01 03:00:26 +00:00 · 2023-09-28 12:03:42 +09:00 · 2023-09-28 12:03:24 +09:00 · 2023-09-28 12:01:51 +09:00 · 2023-09-28 08:07:28 +10:00 · 2023-09-27 21:35:58 +09:00
16 changed files with 479 additions and 110 deletions
--- a/.github/.cspell/project-dictionary.txt
+++ b/.github/.cspell/project-dictionary.txt
@@ -14,6 +14,7 @@ mdbook
 microdnf
 nextest
 protoc
+pubkey
 pwsh
 quickinstall
 shellcheck
--- a/.github/.cspell/rust-dependencies.txt
+++ b/.github/.cspell/rust-dependencies.txt
@@ -1,4 +1,6 @@
 // This file is @generated by tidy.sh.
 // It is not intended for manual editing.

+flate
+minisign
 ureq
--- a/.rustfmt.toml
+++ b/.rustfmt.toml
@@ -1 +1,32 @@
-edition = "2021"
+# Rustfmt configuration
+# https://github.com/rust-lang/rustfmt/blob/HEAD/Configurations.md
+
+# Rustfmt cannot format long lines inside macros, but this option detects this.
+# This is unstable (tracking issue: https://github.com/rust-lang/rustfmt/issues/3391)
+error_on_line_overflow = true
+
+# Override the default formatting style.
+# See https://internals.rust-lang.org/t/running-rustfmt-on-rust-lang-rust-and-other-rust-lang-repositories/8732/81.
+use_small_heuristics = "Max"
+# See https://github.com/rust-dev-tools/fmt-rfcs/issues/149.
+# This is unstable (tracking issue: https://github.com/rust-lang/rustfmt/issues/3370)
+overflow_delimited_expr = true
+# This is unstable (tracking issue: none).
+imports_granularity = "Crate"
+# This is unstable (tracking issue: none).
+group_imports = "StdExternalCrate"
+
+# Apply rustfmt to more places.
+# This is unstable (tracking issue: https://github.com/rust-lang/rustfmt/issues/3348).
+format_code_in_doc_comments = true
+
+# Automatically fix deprecated style.
+use_field_init_shorthand = true
+use_try_shorthand = true
+
+# Set the default settings again to always apply the proper formatting without
+# being affected by the editor settings.
+edition = "2018"
+hard_tabs = false
+newline_style = "Unix"
+tab_spaces = 4
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,44 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com

 ## [Unreleased]

+## [2.19.0] - 2023-09-28
+
+- Support signature verification. ([#237](https://github.com/taiki-e/install-action/pull/237))
+
+- Update `cargo-binstall@latest` to 1.4.1. This includes support for signature verification.
+
+- Update `syft@latest` to 0.92.0.
+
+- Update `cargo-make@latest` to 0.37.2.
+
+## [2.18.17] - 2023-09-26
+
+- Update `cargo-llvm-cov@latest` to 0.5.33.
+
+## [2.18.16] - 2023-09-23
+
+- Update `cargo-machete@latest` to 0.6.0.
+
+- Update `cargo-llvm-cov@latest` to 0.5.32.
+
+## [2.18.15] - 2023-09-22
+
+- Update `cargo-careful@latest` to 0.4.0.
+
+## [2.18.14] - 2023-09-21
+
+- Update `syft@latest` to 0.91.0.
+
+- Update `wasmtime@latest` to 13.0.0.
+
+## [2.18.13] - 2023-09-17
+
+- Update `cargo-tarpaulin@latest` to 0.27.0.
+
+- Update `cargo-make@latest` to 0.37.1.
+
+- Update `cargo-binstall@latest` to 1.3.1.
+
 ## [2.18.12] - 2023-09-16

 - Fix some bugs on Windows.
@@ -1225,7 +1263,13 @@ Note: This release is considered a breaking change because installing on version

 Initial release

-[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.18.12...HEAD
+[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.19.0...HEAD
+[2.19.0]: https://github.com/taiki-e/install-action/compare/v2.18.17...v2.19.0
+[2.18.17]: https://github.com/taiki-e/install-action/compare/v2.18.16...v2.18.17
+[2.18.16]: https://github.com/taiki-e/install-action/compare/v2.18.15...v2.18.16
+[2.18.15]: https://github.com/taiki-e/install-action/compare/v2.18.14...v2.18.15
+[2.18.14]: https://github.com/taiki-e/install-action/compare/v2.18.13...v2.18.14
+[2.18.13]: https://github.com/taiki-e/install-action/compare/v2.18.12...v2.18.13
 [2.18.12]: https://github.com/taiki-e/install-action/compare/v2.18.11...v2.18.12
 [2.18.11]: https://github.com/taiki-e/install-action/compare/v2.18.10...v2.18.11
 [2.18.10]: https://github.com/taiki-e/install-action/compare/v2.18.9...v2.18.10
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ https://spdx.org/licenses
 | [**cargo-hack**](https://github.com/taiki-e/cargo-hack) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/taiki-e/cargo-hack/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/taiki-e/cargo-hack/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/taiki-e/cargo-hack/blob/HEAD/LICENSE-MIT) |
 | [**cargo-llvm-cov**](https://github.com/taiki-e/cargo-llvm-cov) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/taiki-e/cargo-llvm-cov/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/taiki-e/cargo-llvm-cov/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/taiki-e/cargo-llvm-cov/blob/HEAD/LICENSE-MIT) |
 | [**cargo-machete**](https://github.com/bnjbvr/cargo-machete) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/bnjbvr/cargo-machete/releases) | Linux, macOS, Windows | [MIT](https://github.com/bnjbvr/cargo-machete/blob/HEAD/LICENSE.md) |
-| [**cargo-make**](https://github.com/sagiegurari/cargo-make) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/sagiegurari/cargo-make/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/sagiegurari/cargo-make/blob/master/LICENSE) |
+| [**cargo-make**](https://github.com/sagiegurari/cargo-make) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/sagiegurari/cargo-make/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/sagiegurari/cargo-make/blob/HEAD/LICENSE) |
 | [**cargo-minimal-versions**](https://github.com/taiki-e/cargo-minimal-versions) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/taiki-e/cargo-minimal-versions/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/taiki-e/cargo-minimal-versions/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/taiki-e/cargo-minimal-versions/blob/HEAD/LICENSE-MIT) |
 | [**cargo-no-dev-deps**](https://github.com/taiki-e/cargo-no-dev-deps) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/taiki-e/cargo-no-dev-deps/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/taiki-e/cargo-no-dev-deps/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/taiki-e/cargo-no-dev-deps/blob/HEAD/LICENSE-MIT) |
 | [**cargo-tarpaulin**](https://github.com/xd009642/tarpaulin) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/xd009642/tarpaulin/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/xd009642/tarpaulin/blob/develop/LICENSE-APACHE) OR [MIT](https://github.com/xd009642/tarpaulin/blob/develop/LICENSE-MIT) |
@@ -128,6 +128,8 @@ When installing the tool from GitHub Releases, this action will download the too

 Additionally, this action will also verify SHA256 checksums for downloaded files in all tools installed from GitHub Releases. This is enabled by default and can be disabled by setting the `checksum` input option to `false`.

+Additionally, we also verify signature if the tool distributes signed archives. Signature verification is done at the stage of getting the checksum, so disabling the checksum will also disable signature verification.
+
 See the linked documentation for information on security when installed using [snap](https://snapcraft.io/docs) or [cargo-binstall](https://github.com/cargo-bins/cargo-binstall#faq).

 ## Compatibility
--- a/manifests/cargo-binstall.json
+++ b/manifests/cargo-binstall.json
@@ -21,26 +21,26 @@
    }
  },
  "latest": {
-    "version": "1.3.0"
+    "version": "1.4.1"
  },
-  "1.3.0": {
+  "1.4.1": {
    "x86_64_linux_musl": {
-      "checksum": "c6b61f091191e0444f1a503ac8fa8ce53ae7cf77c9472d9e725e9bae099f36d6"
+      "checksum": "382c45dfbdbcaee37f10cb37d6e519c75d174622cab9e287521eaa3b5f71e162"
    },
    "x86_64_macos": {
-      "checksum": "fb4feeb108fb1133efa402677d202dffcd9dff7956ebae645a442fce0dfd923a"
+      "checksum": "1a553c56353ce90f5d785a1258de5c49ba1fd55d5fb7bda73a94d951b6b5637c"
    },
    "x86_64_windows": {
-      "checksum": "14fac83eb6f03159c4b495a0dc8bb338d88b0b3139d45a2fe1be1b0cc5259186"
+      "checksum": "851ec021dd1941bd7e29145bfd913296bd69df7394a5e4872c07ae42028f5137"
    },
    "aarch64_linux_musl": {
-      "checksum": "59183aae6e296cbaef4bae4e74ef0ddbced3cb52cadff236b8b729d1492cde05"
+      "checksum": "471f47fec2e92bbdeea4466f57e6340fd2c596d5429c1c348329634be706eb7b"
    },
    "aarch64_macos": {
-      "checksum": "fbfeab286b70b4874563dbaa3630379ee5f4020562d00f67b116baee0ebc83eb"
+      "checksum": "871fe09b21ae666352f909ee5be53b7eb118471342ab6275e932700c004d2359"
    },
    "aarch64_windows": {
-      "checksum": "30e325fa2da8e47d350237c5bc231f6eb916a3c7202f4b6fc22eeba848a331f1"
+      "checksum": "f306e459de20a555acdffa97b6fce367c8d433228785f0d66f995a1f4e63a722"
    }
  }
 }
--- a/manifests/cargo-careful.json
+++ b/manifests/cargo-careful.json
@@ -12,7 +12,21 @@
    }
  },
  "latest": {
-    "version": "0.3.4"
+    "version": "0.4.0"
+  },
+  "0.4": {
+    "version": "0.4.0"
+  },
+  "0.4.0": {
+    "x86_64_linux_musl": {
+      "checksum": "54cd7e1972e9faf085e3d0798c02054d064bc72de051a2636ece6f5b0ce0176d"
+    },
+    "x86_64_macos": {
+      "checksum": "70d92ad8adf84192caa2066ba981780df926c8aa6cbd398fe489f87af336fe61"
+    },
+    "x86_64_windows": {
+      "checksum": "01ebcae79d9ba0cbb56e5c6bb5757d9cd074a3635704d15b0ef62a000c5d03a8"
+    }
  },
  "0.3": {
    "version": "0.3.4"
--- a/manifests/cargo-llvm-cov.json
+++ b/manifests/cargo-llvm-cov.json
@@ -18,10 +18,44 @@
    }
  },
  "latest": {
-    "version": "0.5.31"
+    "version": "0.5.33"
  },
  "0.5": {
-    "version": "0.5.31"
+    "version": "0.5.33"
+  },
+  "0.5.33": {
+    "x86_64_linux_musl": {
+      "checksum": "3274fb95c5d7ab7dd37db6b75e77b666c6fc06b0bd0172e7923af95fe77711da"
+    },
+    "x86_64_macos": {
+      "checksum": "e890a29534e8a10439bd8c8fccd39867d2cb016f82d7b51e615c60caf67491b7"
+    },
+    "x86_64_windows": {
+      "checksum": "332004d47ad0259fbc077c3dde2fe7f7b51dadcea859ccc33759bc149a38b777"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "dd6deacc791de61dc31e45537bf2e7c9c8c652f51e06357d4a700ec7e81188c9"
+    },
+    "aarch64_macos": {
+      "checksum": "8bc5722370884500381eae586910b633f2a215cd5b5feed31d67682e90bd8412"
+    }
+  },
+  "0.5.32": {
+    "x86_64_linux_musl": {
+      "checksum": "2709f1c132eac8c3e1e98f658e2f8fd79f71f0a72b373491aad9e92df3b6684c"
+    },
+    "x86_64_macos": {
+      "checksum": "d56c7b8d5ea02196b8682d242440a400566583f724dee9c9832a99ed9734fa0e"
+    },
+    "x86_64_windows": {
+      "checksum": "194ec6f3657edab3c5f9a4d7a5bb2ab614084d7484f69274d02798fcd2dbea0c"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "2274d691284e4de55fa0a0fd4e7b5003db21f7c62d72986586a81a169cafd7ee"
+    },
+    "aarch64_macos": {
+      "checksum": "7893b26db568ce0c606c0b07cad52659abf2ee488d385581e166fa20924168e5"
+    }
  },
  "0.5.31": {
    "x86_64_linux_musl": {
--- a/manifests/cargo-machete.json
+++ b/manifests/cargo-machete.json
@@ -2,7 +2,32 @@
  "rust_crate": "cargo-machete",
  "template": null,
  "latest": {
-    "version": "0.5.0"
+    "version": "0.6.0"
+  },
+  "0.6": {
+    "version": "0.6.0"
+  },
+  "0.6.0": {
+    "x86_64_linux_musl": {
+      "url": "https://github.com/bnjbvr/cargo-machete/releases/download/v0.6.0/cargo-machete-v0.6.0-x86_64-unknown-linux-musl.tar.gz",
+      "checksum": "8f7f67f87c80d8ee331857e61c03762b71f9e68266a9193f4934cef1c8ccb449",
+      "bin": "cargo-machete-v0.6.0-x86_64-unknown-linux-musl/cargo-machete"
+    },
+    "x86_64_macos": {
+      "url": "https://github.com/bnjbvr/cargo-machete/releases/download/v0.6.0/cargo-machete-v0.6.0-x86_64-apple-darwin.tar.gz",
+      "checksum": "dab6a9127166b8889a1933864014664288e16a211a2e3de65585d69b18b84bbf",
+      "bin": "cargo-machete-v0.6.0-x86_64-apple-darwin/cargo-machete"
+    },
+    "x86_64_windows": {
+      "url": "https://github.com/bnjbvr/cargo-machete/releases/download/v0.6.0/cargo-machete-v0.6.0-x86_64-pc-windows-msvc.tar.gz",
+      "checksum": "4e3369fea5e87bdab2d4219dd07b69fa562a7b0081433464ead82dced36f3af1",
+      "bin": "cargo-machete-v0.6.0-x86_64-pc-windows-msvc/cargo-machete.exe"
+    },
+    "aarch64_macos": {
+      "url": "https://github.com/bnjbvr/cargo-machete/releases/download/v0.6.0/cargo-machete-v0.6.0-aarch64-apple-darwin.tar.gz",
+      "checksum": "c4957bade3109f147ebe1598fa8f0b555713bbe83310cd99c927fa25398ae847",
+      "bin": "cargo-machete-v0.6.0-aarch64-apple-darwin/cargo-machete"
+    }
  },
  "0.5": {
    "version": "0.5.0"
--- a/manifests/cargo-make.json
+++ b/manifests/cargo-make.json
@@ -19,10 +19,38 @@
    }
  },
  "latest": {
-    "version": "0.37.0"
+    "version": "0.37.2"
  },
  "0.37": {
-    "version": "0.37.0"
+    "version": "0.37.2"
+  },
+  "0.37.2": {
+    "x86_64_linux_musl": {
+      "checksum": "6413e92bbeab0e43aa933a2843cb7abfc087dee7a076f3b367d2b7a0054f1c88"
+    },
+    "x86_64_macos": {
+      "checksum": "265125172bf82d985bb71974b576a763c7da34ed7f6889ea324ca4910f728b54"
+    },
+    "x86_64_windows": {
+      "checksum": "5f20ef9b30620113d2b8c4c0663f4ba219afd8e01868774702889abe4ac75843"
+    },
+    "aarch64_macos": {
+      "checksum": "0cb0ad856383162cf2e3634e6264f096b420694bf78c224afc999d8033186eb1"
+    }
+  },
+  "0.37.1": {
+    "x86_64_linux_musl": {
+      "checksum": "6a4fbad3d519e6189772dd0b0d16aa137c8208e7492576ff11497645588459c0"
+    },
+    "x86_64_macos": {
+      "checksum": "a8dea1a7f8bc1e7e35bc14dc1cde15a2e122db1ee2ed8dbb787b5d4e33a19f12"
+    },
+    "x86_64_windows": {
+      "checksum": "531677bf6322139e694da4f37c5df722566675b32a020b7e0f37d4ec5d456052"
+    },
+    "aarch64_macos": {
+      "checksum": "b074fedfb6282b846e047a6336920d2d1bb65c6aa25ce03aa4465615e83a407d"
+    }
  },
  "0.37.0": {
    "x86_64_linux_musl": {
--- a/manifests/cargo-tarpaulin.json
+++ b/manifests/cargo-tarpaulin.json
@@ -18,7 +18,27 @@
    }
  },
  "latest": {
-    "version": "0.26.1"
+    "version": "0.27.0"
+  },
+  "0.27": {
+    "version": "0.27.0"
+  },
+  "0.27.0": {
+    "x86_64_linux_musl": {
+      "checksum": "b0cfcb086131773fb8a6a2cf8090c9416a8f233c2ae4bb887500f4e17d39fe7b"
+    },
+    "x86_64_macos": {
+      "checksum": "84c77137ca762c0cda3d4e8330ef3312efe72220da6470e8d657e5e545a11d2b"
+    },
+    "x86_64_windows": {
+      "checksum": "0114eef8cdb3c8466861dd64d7e16fd430cc0380406f230e16aa9e9c32af45e4"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "6e4f5bc5adafd1730c82ec816b89279d5cdb8255180488fc560e646bef624687"
+    },
+    "aarch64_macos": {
+      "checksum": "375e7969d10faf76ec2ec29d11cbfa266e268357514cd05ed2a24554df7a8183"
+    }
  },
  "0.26": {
    "version": "0.26.1"
--- a/manifests/syft.json
+++ b/manifests/syft.json
@@ -23,7 +23,47 @@
    }
  },
  "latest": {
-    "version": "0.90.0"
+    "version": "0.92.0"
+  },
+  "0.92": {
+    "version": "0.92.0"
+  },
+  "0.92.0": {
+    "x86_64_linux_musl": {
+      "checksum": "42159b11660fba22a12f8acad87022987337c0725b99d9cf645b690163d5bfce"
+    },
+    "x86_64_macos": {
+      "checksum": "ac6097010cbba3e0300672868d54670ff514458c6784683172680c47ba1696de"
+    },
+    "x86_64_windows": {
+      "checksum": "071135f3ddff00edd7c21663a08d8c8e1a9d199f55bb0f3cd36aaeb1e186875d"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "33f6636e54eb1731b137c43257d8de8025282ca3570f307f3249ba7d5757ce10"
+    },
+    "aarch64_macos": {
+      "checksum": "8518d8682b5fe287caaabf3584331074220ab3f588ed3d47badf8428af87c320"
+    }
+  },
+  "0.91": {
+    "version": "0.91.0"
+  },
+  "0.91.0": {
+    "x86_64_linux_musl": {
+      "checksum": "51188401eb2a2425db1155ba18cb64db8275491a1e1049690fe6e8a371ff222a"
+    },
+    "x86_64_macos": {
+      "checksum": "724e6864a356834d8f3a40a3db2216884fc2c4cf69b67baa03cd08466e80fca9"
+    },
+    "x86_64_windows": {
+      "checksum": "9189e2246b5b649f8f09eb6d7500ee5f698253e94ebb34fab06ea6910489bcdc"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "e9d3eb8120438325b79a8bf2a994692a111e5a47c63bbdf7762f7e9fb5a12f4a"
+    },
+    "aarch64_macos": {
+      "checksum": "d53362e44322e81015c9fa17f2254f2fa3d55dc04f18c1e0bc8891705aaf4696"
+    }
  },
  "0.90": {
    "version": "0.90.0"
--- a/manifests/wasmtime.json
+++ b/manifests/wasmtime.json
@@ -2,7 +2,40 @@
  "rust_crate": "wasmtime-cli",
  "template": null,
  "latest": {
-    "version": "12.0.2"
+    "version": "13.0.0"
+  },
+  "13": {
+    "version": "13.0.0"
+  },
+  "13.0": {
+    "version": "13.0.0"
+  },
+  "13.0.0": {
+    "x86_64_linux_gnu": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-x86_64-linux.tar.xz",
+      "checksum": "af14e310a27d28e07675bb5d5254adee1cfddfeab0d9541e68b074f6263f4c2d",
+      "bin": "wasmtime-v13.0.0-x86_64-linux/wasmtime"
+    },
+    "x86_64_macos": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-x86_64-macos.tar.xz",
+      "checksum": "a68023cd806de4432a102f24b07b204c8f83f8ce626c5ac4f248faa0807d0f49",
+      "bin": "wasmtime-v13.0.0-x86_64-macos/wasmtime"
+    },
+    "x86_64_windows": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-x86_64-windows.zip",
+      "checksum": "ad1dea7c069eeda2432d4344221b05c46d146aaa7f5b16cbd468932e9fdaac76",
+      "bin": "wasmtime-v13.0.0-x86_64-windows/wasmtime.exe"
+    },
+    "aarch64_linux_gnu": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-aarch64-linux.tar.xz",
+      "checksum": "2422b7c6c0d60bcfbab7d098ead0e120e24971525521a7758ea1a1db5ce57395",
+      "bin": "wasmtime-v13.0.0-aarch64-linux/wasmtime"
+    },
+    "aarch64_macos": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-aarch64-macos.tar.xz",
+      "checksum": "12b32b91e07f53ea363505530b6fb3312a7ac1e71ae38957bb545011f10dbaab",
+      "bin": "wasmtime-v13.0.0-aarch64-macos/wasmtime"
+    }
  },
  "12": {
    "version": "12.0.2"
--- a/tools/codegen/Cargo.toml
+++ b/tools/codegen/Cargo.toml
@@ -6,9 +6,13 @@ publish = false

 [dependencies]
 anyhow = "1"
+flate2 = "1"
 fs-err = "2"
+minisign-verify = "0.2"
 semver = { version = "1", features = ["serde"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 sha2 = "0.10"
+tar = "0.4"
+toml = "0.8"
 ureq = { version = "2", features = ["json"] }
--- a/tools/codegen/base/cargo-binstall.json
+++ b/tools/codegen/base/cargo-binstall.json
@@ -4,6 +4,9 @@
  "rust_crate": "${package}",
  "asset_name": "${package}-${rust_target}.tgz",
  "version_range": "latest",
+  "signing": {
+    "kind": "minisign-binstall"
+  },
  "platform": {
    "x86_64_linux_musl": {},
    "x86_64_macos": {
--- a/tools/codegen/src/main.rs
+++ b/tools/codegen/src/main.rs
@@ -1,13 +1,13 @@
 // SPDX-License-Identifier: Apache-2.0 OR MIT

-use anyhow::{bail, Context as _, Result};
-use fs_err as fs;
-use serde::{Deserialize, Serialize};
-use sha2::{Digest, Sha256};
+#![allow(clippy::single_match)]
+
 use std::{
    cmp::Reverse,
    collections::{BTreeMap, BTreeSet},
-    env, fmt,
+    env,
+    ffi::OsStr,
+    fmt,
    io::Read,
    path::{Path, PathBuf},
    slice,
@@ -15,6 +15,11 @@ use std::{
    time::Duration,
 };

+use anyhow::{bail, Context as _, Result};
+use fs_err as fs;
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+
 fn main() -> Result<()> {
    let args: Vec<_> = env::args().skip(1).collect();
    if args.is_empty() || args.iter().any(|arg| arg.starts_with('-')) {
@@ -26,17 +31,13 @@ fn main() -> Result<()> {
    let package = &args[0];

    let workspace_root = &workspace_root();
-    let manifest_path = &workspace_root
-        .join("manifests")
-        .join(format!("{package}.json"));
+    let manifest_path = &workspace_root.join("manifests").join(format!("{package}.json"));
    let download_cache_dir = &workspace_root.join("tools/codegen/tmp/cache").join(package);
    fs::create_dir_all(manifest_path.parent().unwrap())?;
    fs::create_dir_all(download_cache_dir)?;

    let mut base_info: BaseManifest = serde_json::from_slice(&fs::read(
-        workspace_root
-            .join("tools/codegen/base")
-            .join(format!("{package}.json")),
+        workspace_root.join("tools/codegen/base").join(format!("{package}.json")),
    )?)?;
    let repo = base_info
        .repository
@@ -77,11 +78,8 @@ fn main() -> Result<()> {
        .collect();

    let mut crates_io_info = None;
-    base_info.rust_crate = base_info
-        .rust_crate
-        .as_ref()
-        .map(|s| replace_vars(s, package, None, None))
-        .transpose()?;
+    base_info.rust_crate =
+        base_info.rust_crate.as_ref().map(|s| replace_vars(s, package, None, None)).transpose()?;
    if let Some(crate_name) = &base_info.rust_crate {
        eprintln!("downloading crate info from https://crates.io/api/v1/crates/{crate_name}");
        crates_io_info = Some(
@@ -113,10 +111,7 @@ fn main() -> Result<()> {
                        for (platform, d) in &mut manifest.download_info {
                            let template = &template.download_info[platform];
                            d.url = Some(template.url.replace("${version}", version));
-                            d.bin = template
-                                .bin
-                                .as_ref()
-                                .map(|s| s.replace("${version}", version));
+                            d.bin = template.bin.as_ref().map(|s| s.replace("${version}", version));
                        }
                    }
                }
@@ -127,19 +122,6 @@ fn main() -> Result<()> {
    }
    let version_req: Option<semver::VersionReq> = match args.get(1) {
        _ if latest_only => {
-            if args.get(1).map(String::as_str) == Some("latest") {
-                if let Some(m) = manifests.map.first_key_value() {
-                    let version = match m.1 {
-                        ManifestRef::Ref { version } => version,
-                        ManifestRef::Real(_) => &m.0 .0,
-                    };
-                    if !manifests.map.is_empty()
-                        && *version >= releases.first_key_value().unwrap().0 .0.clone().into()
-                    {
-                        return Ok(());
-                    }
-                }
-            }
            let req = format!("={}", releases.first_key_value().unwrap().0 .0).parse()?;
            eprintln!("update manifest for versions '{req}'");
            Some(req)
@@ -163,7 +145,7 @@ fn main() -> Result<()> {
                if manifests.map.is_empty() {
                    format!("={}", releases.first_key_value().unwrap().0 .0).parse()?
                } else {
-                    format!(">{}", semver_versions.last().unwrap()).parse()?
+                    format!(">={}", semver_versions.last().unwrap()).parse()?
                }
            } else {
                version_req.parse()?
@@ -174,6 +156,7 @@ fn main() -> Result<()> {
    };

    let mut buf = vec![];
+    let mut buf2 = vec![];
    for (Reverse(semver_version), (version, release)) in &releases {
        if let Some(version_req) = &version_req {
            if !version_req.matches(semver_version) {
@@ -187,6 +170,7 @@ fn main() -> Result<()> {
        }

        let mut download_info = BTreeMap::new();
+        let mut pubkey = None;
        for (&platform, base_download_info) in &base_info.platform {
            let asset_names = base_download_info
                .asset_name
@@ -213,37 +197,112 @@ fn main() -> Result<()> {
                }
            };

-            eprintln!("downloading {url} for checksum...");
-            let download_cache = download_cache_dir.join(format!(
+            eprint!("downloading {url} for checksum ... ");
+            let download_cache = &download_cache_dir.join(format!(
                "{version}-{platform:?}-{}",
                Path::new(&url).file_name().unwrap().to_str().unwrap()
            ));
            if download_cache.is_file() {
-                eprintln!(" already downloaded");
+                eprintln!("already downloaded");
                fs::File::open(download_cache)?.read_to_end(&mut buf)?;
            } else {
                download(&url)?.into_reader().read_to_end(&mut buf)?;
-                eprintln!(" download complete");
+                eprintln!("download complete");
                fs::write(download_cache, &buf)?;
            }
            eprintln!("getting sha256 hash for {url}");
            let hash = Sha256::digest(&buf);
            let hash = format!("{hash:x}");
            eprintln!("{hash} *{asset_name}");
+            let bin_url = &url;

-            download_info.insert(
-                platform,
-                ManifestDownloadInfo {
-                    url: Some(url),
-                    checksum: hash,
-                    bin: base_download_info
-                        .bin
-                        .as_ref()
-                        .or(base_info.bin.as_ref())
-                        .map(|s| replace_vars(s, package, Some(version), Some(platform)))
-                        .transpose()?,
-                },
-            );
+            match base_info.signing {
+                Some(Signing { kind: SigningKind::MinisignBinstall }) => {
+                    let url = url.clone() + ".sig";
+                    let sig_download_cache = &download_cache.with_extension(format!(
+                        "{}.sig",
+                        download_cache.extension().unwrap_or_default().to_str().unwrap()
+                    ));
+                    eprint!("downloading {url} for signature validation ... ");
+                    let sig = if sig_download_cache.is_file() {
+                        eprintln!("already downloaded");
+                        minisign_verify::Signature::from_file(sig_download_cache)?
+                    } else {
+                        let buf = download(&url)?.into_string()?;
+                        eprintln!("download complete");
+                        fs::write(sig_download_cache, &buf)?;
+                        minisign_verify::Signature::decode(&buf)?
+                    };
+
+                    let Some(crates_io_info) = &crates_io_info else {
+                        bail!("signing kind minisign-binstall is supported only for rust crate");
+                    };
+                    let v =
+                        crates_io_info.versions.iter().find(|v| v.num == *semver_version).unwrap();
+                    let url = format!("https://crates.io{}", v.dl_path);
+                    let crate_download_cache =
+                        &download_cache_dir.join(format!("{version}-Cargo.toml"));
+                    eprint!("downloading {url} for signature verification ... ");
+                    if crate_download_cache.is_file() {
+                        eprintln!("already downloaded");
+                    } else {
+                        download(&url)?.into_reader().read_to_end(&mut buf2)?;
+                        let hash = Sha256::digest(&buf2);
+                        if format!("{hash:x}") != v.checksum {
+                            bail!("checksum mismatch for {url}");
+                        }
+                        let decoder = flate2::read::GzDecoder::new(&*buf2);
+                        let mut archive = tar::Archive::new(decoder);
+                        for entry in archive.entries()? {
+                            let mut entry = entry?;
+                            let path = entry.path()?;
+                            if path.file_name() == Some(OsStr::new("Cargo.toml")) {
+                                entry.unpack(crate_download_cache)?;
+                                break;
+                            }
+                        }
+                        buf2.clear();
+                        eprintln!("download complete");
+                    }
+                    if pubkey.is_none() {
+                        let cargo_manifest = toml::from_str::<cargo_manifest::Manifest>(
+                            &fs::read_to_string(crate_download_cache)?,
+                        )?;
+                        eprintln!(
+                            "algorithm: {}",
+                            cargo_manifest.package.metadata.binstall.signing.algorithm
+                        );
+                        eprintln!(
+                            "pubkey: {}",
+                            cargo_manifest.package.metadata.binstall.signing.pubkey
+                        );
+                        assert_eq!(
+                            cargo_manifest.package.metadata.binstall.signing.algorithm,
+                            "minisign"
+                        );
+                        pubkey = Some(minisign_verify::PublicKey::from_base64(
+                            &cargo_manifest.package.metadata.binstall.signing.pubkey,
+                        )?);
+                    }
+                    let pubkey = pubkey.as_ref().unwrap();
+                    eprint!("verifying signature for {bin_url} ... ");
+                    let allow_legacy = false;
+                    pubkey.verify(&buf, &sig, allow_legacy)?;
+                    eprintln!("done");
+                }
+                None => {}
+            }
+
+            download_info.insert(platform, ManifestDownloadInfo {
+                url: Some(url),
+                checksum: hash,
+                bin: base_download_info
+                    .bin
+                    .as_ref()
+                    .or(base_info.bin.as_ref())
+                    .map(|s| replace_vars(s, package, Some(version), Some(platform)))
+                    .transpose()?,
+            });
            buf.clear();
        }
        if download_info.is_empty() {
@@ -295,39 +354,30 @@ fn main() -> Result<()> {
            if !(version.major == 0 && version.minor == 0) {
                manifests.map.insert(
                    Reverse(Version::omitted(version.major, Some(version.minor))),
-                    ManifestRef::Ref {
-                        version: version.clone().into(),
-                    },
+                    ManifestRef::Ref { version: version.clone().into() },
                );
            }
            if version.major != 0 {
-                manifests.map.insert(
-                    Reverse(Version::omitted(version.major, None)),
-                    ManifestRef::Ref {
+                manifests
+                    .map
+                    .insert(Reverse(Version::omitted(version.major, None)), ManifestRef::Ref {
                        version: version.clone().into(),
-                    },
-                );
+                    });
            }
            prev_version = version;
        }
-        manifests.map.insert(
-            Reverse(Version::latest()),
-            ManifestRef::Ref {
-                version: prev_version.clone().into(),
-            },
-        );
+        manifests.map.insert(Reverse(Version::latest()), ManifestRef::Ref {
+            version: prev_version.clone().into(),
+        });
    }

-    let ManifestRef::Ref {
-        version: latest_version,
-    } = manifests.map.first_key_value().unwrap().1.clone()
+    let ManifestRef::Ref { version: latest_version } =
+        manifests.map.first_key_value().unwrap().1.clone()
    else {
        unreachable!()
    };
    if latest_only {
-        manifests
-            .map
-            .retain(|k, _| k.0 == Version::latest() || k.0 == latest_version);
+        manifests.map.retain(|k, _| k.0 == Version::latest() || k.0 == latest_version);
    }
    let ManifestRef::Real(latest_manifest) = &manifests.map[&Reverse(latest_version.clone())]
    else {
@@ -338,16 +388,12 @@ fn main() -> Result<()> {
            continue;
        }
        if p == HostPlatform::x86_64_linux_gnu
-            && latest_manifest
-                .download_info
-                .contains_key(&HostPlatform::x86_64_linux_musl)
+            && latest_manifest.download_info.contains_key(&HostPlatform::x86_64_linux_musl)
        {
            continue;
        }
        if p == HostPlatform::aarch64_linux_gnu
-            && latest_manifest
-                .download_info
-                .contains_key(&HostPlatform::aarch64_linux_musl)
+            && latest_manifest.download_info.contains_key(&HostPlatform::aarch64_linux_musl)
        {
            continue;
        }
@@ -358,9 +404,7 @@ fn main() -> Result<()> {
    }

    let original_manifests = manifests.clone();
-    let mut template = Some(ManifestTemplate {
-        download_info: BTreeMap::new(),
-    });
+    let mut template = Some(ManifestTemplate { download_info: BTreeMap::new() });
    'outer: for (version, manifest) in &mut manifests.map {
        let ManifestRef::Real(manifest) = manifest else {
            continue;
@@ -376,13 +420,10 @@ fn main() -> Result<()> {
                    break 'outer;
                }
            } else {
-                t.download_info.insert(
-                    *platform,
-                    ManifestTemplateDownloadInfo {
-                        url: template_url,
-                        bin: template_bin,
-                    },
-                );
+                t.download_info.insert(*platform, ManifestTemplateDownloadInfo {
+                    url: template_url,
+                    bin: template_bin,
+                });
            }
        }
    }
@@ -587,9 +628,7 @@ impl<'de> Deserialize<'de> for Version {
        D: serde::Deserializer<'de>,
    {
        use serde::de::Error as _;
-        String::deserialize(deserializer)?
-            .parse()
-            .map_err(D::Error::custom)
+        String::deserialize(deserializer)?.parse().map_err(D::Error::custom)
    }
 }

@@ -652,10 +691,27 @@ struct BaseManifest {
    asset_name: Option<StringOrArray>,
    /// Path to binary in archive. Default to `${tool}${exe}`.
    bin: Option<String>,
+    signing: Option<Signing>,
    platform: BTreeMap<HostPlatform, BaseManifestPlatformInfo>,
    version_range: Option<String>,
 }

+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+struct Signing {
+    kind: SigningKind,
+}
+
+#[derive(Debug, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "kebab-case")]
+#[serde(deny_unknown_fields)]
+enum SigningKind {
+    /// algorithm: minisign
+    /// public key: package.metadata.binstall.signing.pubkey at Cargo.toml
+    /// <https://github.com/cargo-bins/cargo-binstall/blob/HEAD/SIGNING.md>
+    MinisignBinstall,
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(deny_unknown_fields)]
 struct BaseManifestPlatformInfo {
@@ -775,7 +831,39 @@ mod crates_io {

    #[derive(Debug, Deserialize)]
    pub struct Version {
+        pub checksum: String,
+        pub dl_path: String,
        pub num: semver::Version,
        pub yanked: bool,
    }
 }
+
+mod cargo_manifest {
+    use serde::Deserialize;
+
+    #[derive(Debug, Deserialize)]
+    pub struct Manifest {
+        pub package: Package,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct Package {
+        pub metadata: Metadata,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct Metadata {
+        pub binstall: Binstall,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct Binstall {
+        pub signing: BinstallSigning,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct BinstallSigning {
+        pub algorithm: String,
+        pub pubkey: String,
+    }
+}
Author	SHA1	Message	Date
Taiki Endo	e07b619ce2	Release 2.19.0	2023-09-28 12:03:42 +09:00
Taiki Endo	d5124717d1	Update changelog	2023-09-28 12:03:24 +09:00
Taiki Endo	b30758ca4a	Support signature verification (minisign)	2023-09-28 12:01:51 +09:00
Taiki Endo	ac65fbce2a	Update `syft@latest` to 0.92.0 (#238 )	2023-09-28 08:07:28 +10:00
Taiki Endo	d90c734ca8	Update .rustfmt.toml	2023-09-27 21:35:58 +09:00
Taiki Endo	0831efaca4	Update `cargo-make@latest` to 0.37.2 (#236 )	2023-09-27 17:23:07 +10:00
Taiki Endo	ff7717e39e	Update `cargo-binstall@latest` to 1.4.1 (#235 )	2023-09-27 17:04:52 +10:00
Taiki Endo	0087e57cc3	Release 2.18.17	2023-09-27 03:28:10 +09:00
Taiki Endo	63649bfbf1	Update `cargo-llvm-cov@latest` to 0.5.33	2023-09-27 03:26:06 +09:00
Taiki Endo	5b205dd5b8	Release 2.18.16	2023-09-23 21:13:00 +09:00
Taiki Endo	f664a60d0a	Update `cargo-machete@latest` to 0.6.0	2023-09-23 21:10:09 +09:00
Taiki Endo	99f24c701f	Update `cargo-llvm-cov@latest` to 0.5.32	2023-09-23 21:10:09 +09:00
Taiki Endo	05acba8f2d	Release 2.18.15	2023-09-22 20:19:19 +09:00
Taiki Endo	2c288a7d53	Update `cargo-careful@latest` to 0.4.0 (#232 )	2023-09-22 17:01:29 +10:00
Taiki Endo	2afb713f1c	Release 2.18.14	2023-09-21 10:07:20 +09:00
Taiki Endo	5d0fca79ad	Update readme	2023-09-21 10:07:10 +09:00
Taiki Endo	14deed0413	Update `syft@latest` to 0.91.0 (#231 )	2023-09-20 21:38:21 +00:00
Taiki Endo	0143d8cb45	Update `wasmtime@latest` to 13.0.0 (#230 )	2023-09-21 07:33:26 +10:00
Taiki Endo	2358ab6439	Release 2.18.13	2023-09-17 21:46:26 +09:00
Taiki Endo	d7013fbfd0	Update manifest (#228 ) * Update `cargo-binstall@latest` to 1.3.1 * Update `cargo-make@latest` to 0.37.1 * Update `cargo-tarpaulin@latest` to 0.27.0	2023-09-17 21:46:00 +09:00