From 38f2fae580fada192655b336849e9717f4288dca Mon Sep 17 00:00:00 2001
From: Jesse Shawl
Date: Fri, 16 Feb 2024 05:25:26 -0600
Subject: [PATCH] add untrusted comments to signatures (#39)
---
 lib/minisign/cli.rb | 2 +-
 lib/minisign/private_key.rb | 14 +++++++-------
 spec/minisign/cli_spec.rb | 11 +++++++----
 spec/minisign/private_key_spec.rb | 6 +++++-
 4 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/lib/minisign/cli.rb b/lib/minisign/cli.rb
index 6ad3cff..a704564 100644
--- a/lib/minisign/cli.rb
+++ b/lib/minisign/cli.rb
@@ -123,7 +123,7 @@ def self.sign(options)
 print 'Password: '
 Minisign::PrivateKey.new(File.read(options[:s]), prompt)
 end
- signature = private_key.sign(options[:m], File.read(options[:m]), options[:t])
+ signature = private_key.sign(options[:m], File.read(options[:m]), options[:t], options[:c])
 File.write(options[:x], signature)
 end
diff --git a/lib/minisign/private_key.rb b/lib/minisign/private_key.rb
index dbe3c04..40c8224 100644
--- a/lib/minisign/private_key.rb
+++ b/lib/minisign/private_key.rb
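Review bot: In lib/minisign/cli.rb the new `options[:c]` is passed as a fourth positional argument directly after `options[:t]`, although the two strings carry opposite trust: judging by the private_key.rb hunk, only the trusted comment is fed into the global signature. A swap of the two at any call site would run without error and put the caller's text in the wrong slot. Making the new parameter a keyword keeps existing three-argument callers working and makes the call self-describing: `private_key.sign(options[:m], File.read(options[:m]), options[:t], untrusted_comment: options[:c])`, with the definition changed to `untrusted_comment: nil`. The body of `self.sign` starts above this hunk.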
@@ -35,19 +35,19 @@ def public_key
 #
 # @param filename [String] The filename to be used in the trusted comment section
 # @param message [String] The file's contents
- # @param comment [String] An optional trusted comment to be included in the signature
+ # @param trusted_comment [String] An optional trusted comment to be included in the signature
+ # @param untrusted_comment [String] An optional untrusted comment
 # @return [Minisign::Signature]
- def sign(filename, message, comment = nil)
+ def sign(filename, message, trusted_comment = nil, untrusted_comment = nil)
 signature = ed25519_signing_key.sign(blake2b512(message))
- trusted_comment = comment || "timestamp:#{Time.now.to_i}\tfile:#{filename}\thashed"
+ trusted_comment ||= "timestamp:#{Time.now.to_i}\tfile:#{filename}\thashed"
+ untrusted_comment ||= 'signature from minisign secret key'
 global_signature = ed25519_signing_key.sign("#{signature}#{trusted_comment}")
- # TODO: allow setting an untrusted comment, too
 Minisign::Signature.new([
- 'untrusted comment: signature from minisign secret key',
+ "untrusted comment: #{untrusted_comment}",
 Base64.strict_encode64("ED#{@key_id.pack('C*')}#{signature}"),
 "trusted comment: #{trusted_comment}",
- Base64.strict_encode64(global_signature),
- ''
+ "#{Base64.strict_encode64(global_signature)}\n"
 ].join("\n"))
 end
diff --git a/spec/minisign/cli_spec.rb b/spec/minisign/cli_spec.rb
index 2f6d082..ff0dc20 100644
--- a/spec/minisign/cli_spec.rb
+++ b/spec/minisign/cli_spec.rb
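Review bot: In lib/minisign/private_key.rb, `untrusted_comment` and `trusted_comment` are interpolated into the newline-joined signature text with no check for line breaks, so a value containing `\n` or `\r` shifts the four-line layout that a verifier presumably reads line by line. The CLI hunk now forwards `-c` text here unchanged. Rejecting such input right after the two `||=` defaults keeps the output well-formed: `raise ArgumentError, 'comments must be a single line' if [trusted_comment, untrusted_comment].any? { |c| c.match?(/[\r\n]/) }`. The `@param untrusted_comment` line should also state that this text is not covered by either signature (only the message hash and `"#{signature}#{trusted_comment}"` are passed to `ed25519_signing_key.sign`), so it can be altered without failing verification and must not be presented as authenticated.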
@@ -103,9 +103,10 @@
 t: 'the trusted comment',
 m: 'test/generated/.keep'
 }
- system(
- "test/generated/minisign -Sm test/generated/.keep -s #{options[:s]} -t '#{options[:t]}'"
- )
+ # rubocop:disable Layout/LineLength
+ command = "test/generated/minisign -Sm test/generated/.keep -s #{options[:s]} -c '#{options[:c]}' -t '#{options[:t]}'"
+ # rubocop:enable Layout/LineLength
+ system(command)
 jedisct1_signature = File.read('test/generated/.keep.minisig')
 File.delete('test/generated/.keep.minisig')
 Minisign::CLI.sign(options)
@@ -121,7 +122,9 @@
 m: 'test/generated/.keep'
 }
 system(
- "echo 'password' | test/generated/minisign -Sm test/generated/.keep -s test/minisign.key -t '#{options[:t]}'"
+ # rubocop:disable Layout/LineLength
+ "echo 'password' | test/generated/minisign -Sm #{options[:m]} -s #{options[:s]} -t '#{options[:t]}' -c '#{options[:c]}'"
+ # rubocop:enable Layout/LineLength
 )
 jedisct1_signature = File.read('test/generated/.keep.minisig')
 File.delete('test/generated/.keep.minisig')
diff --git a/spec/minisign/private_key_spec.rb b/spec/minisign/private_key_spec.rb
index 3522228..01f2e55 100644
--- a/spec/minisign/private_key_spec.rb
+++ b/spec/minisign/private_key_spec.rb
@@ -78,7 +78,11 @@
 it 'signs a file' do
 @filename = 'encrypted-key.txt'
 @message = SecureRandom.uuid
- signature = @private_key.sign(@filename, @message, 'this is a trusted comment')
+ trusted_comment = 'this is a trusted comment'
+ untrusted_comment = 'this is an untrusted comment'
+ signature = @private_key.sign(@filename, @message, trusted_comment, untrusted_comment)
+ expect(signature.to_s).to match(trusted_comment)
+ expect(signature.to_s).to match(untrusted_comment)
 @public_key = Minisign::PublicKey.new('RWSmKaOrT6m3TGwjwBovgOmlhSbyBUw3hyhnSOYruHXbJa36xHr8rq2M')
 expect(@public_key.verify(signature, @message)).to match('Signature and comment signature verified')
 File.write("test/generated/#{@filename}", @message)
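Review bot: In spec/minisign/cli_spec.rb both hunks (-103 and -121) build a shell command by interpolating `options[:c]` and `options[:t]` between single quotes, so a fixture comment containing an apostrophe would break the command or be interpreted by the shell, and the long line needs a RuboCop disable. In the first hunk the argument-vector form of `system` avoids both the quoting and the disable: `system('test/generated/minisign', '-Sm', options[:m], '-s', options[:s], '-c', options[:c], '-t', options[:t])`. The second hunk pipes the password through `echo`, so it would need something like `Open3.capture2` with `stdin_data: "password\n"` instead, if requiring open3 is acceptable in the specs. In that hunk the disable/enable comments also sit inside the `system(` argument list, which is legal but easy to misread.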
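Review bot: In spec/minisign/private_key_spec.rb the two new expectations use `match` with a plain string, which is applied as a pattern and passes wherever the text appears, so the example would still pass if the trusted and untrusted comments were written to each other's lines. Pinning the line prefixes closes that gap: `expect(signature.to_s).to start_with("untrusted comment: #{untrusted_comment}\n")` and `expect(signature.to_s).to include("\ntrusted comment: #{trusted_comment}\n")`. A further example that calls `sign` without the fourth argument would cover the default `'signature from minisign secret key'` line. The enclosing `it` block continues past the end of the hunk.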