fix: signature dose not work as expected, if upload new pkg to old dify (#311)

- Updated the  method in the  interface to remove the  parameter, simplifying its usage.
- Introduced a new  function to provide a default verification structure.
- Added a  file to store verification data, improving the plugin signing process.
- Enhanced tests in  to validate the verification process, ensuring proper handling of success and failure scenarios.
- Refactored related code to accommodate the new verification structure and improve overall maintainability.

Author: Yeuoly

cmd/commandline/signature/signature_test.go

@@ -172,6 +172,29 @@ func TestSignAndVerify(t *testing.T) {
 			} else if !tt.expectSuccess && err == nil {
 				t.Errorf("Expected verification to fail, but it succeeded")
 			}
+
+			// check the verification
+			pluginData, err := os.ReadFile(dummyPluginPath)
+			assert.NoError(t, err)
+
+			decoder, err := decoder.NewZipPluginDecoderWithThirdPartySignatureVerificationConfig(
+				pluginData,
+				&decoder.ThirdPartySignatureVerificationConfig{
+					Enabled:        true,
+					PublicKeyPaths: []string{tt.verifyKeyPath},
+				},
+			)
+			assert.NoError(t, err)
+
+			if tt.expectSuccess {
+				verification, err := decoder.Verification()
+				assert.NoError(t, err)
+				assert.Equal(t, tt.verification.AuthorizedCategory, verification.AuthorizedCategory)
+			} else {
+				verification, err := decoder.Verification()
+				assert.Error(t, err)
+				assert.Nil(t, verification)
+			}
 		})
 	}
 }
@@ -273,7 +296,7 @@ func TestVerifyPluginWithoutVerificationField(t *testing.T) {
 	)
 	assert.NoError(t, err)
 
-	verification, err := decoder.Verification(false)
+	verification, err := decoder.Verification()
 	assert.NoError(t, err)
 	assert.Nil(t, verification)
 

internal/service/plugin_decoder.go

@@ -61,11 +61,9 @@ func UploadPluginPkg(
 		}
 	}
 
-	verification, _ := decoderInstance.Verification(false)
+	verification, _ := decoderInstance.Verification()
 	if verification == nil && decoderInstance.Verified() {
-		verification = &decoder.Verification{
-			AuthorizedCategory: decoder.AUTHORIZED_CATEGORY_LANGGENIUS,
-		}
+		verification = decoder.DefaultVerification()
 	}
 
 	return entities.NewSuccessResponse(map[string]any{

pkg/plugin_packager/consts/verification.go

@@ -0,0 +1,5 @@
+package consts
+
+const (
+	VERIFICATION_FILE = ".verification.dify.json"
+)

pkg/plugin_packager/decoder/decoder.go

@@ -45,7 +45,7 @@ type PluginDecoder interface {
 
 	// Verification returns the verification of the plugin, if available
 	// Error will only returns if the plugin is not verified
-	Verification(ignoreVerifySignature bool) (*Verification, error)
+	Verification() (*Verification, error)
 
 	// CreateTime returns the creation time of the plugin as a Unix timestamp
 	CreateTime() (int64, error)

pkg/plugin_packager/decoder/entities.go

@@ -11,3 +11,9 @@ const (
 type Verification struct {
 	AuthorizedCategory AuthorizedCategory `json:"authorized_category"`
 }
+
+func DefaultVerification() *Verification {
+	return &Verification{
+		AuthorizedCategory: AUTHORIZED_CATEGORY_LANGGENIUS,
+	}
+}

pkg/plugin_packager/decoder/fs.go

@@ -169,7 +169,7 @@ func (d *FSPluginDecoder) CreateTime() (int64, error) {
 	return 0, nil
 }
 
-func (d *FSPluginDecoder) Verification(ignoreVerifySignature bool) (*Verification, error) {
+func (d *FSPluginDecoder) Verification() (*Verification, error) {
 	return nil, nil
 }
 

pkg/plugin_packager/decoder/verifier.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/langgenius/dify-plugin-daemon/internal/core/license/public_key"
 	"github.com/langgenius/dify-plugin-daemon/internal/utils/encryption"
-	"github.com/langgenius/dify-plugin-daemon/internal/utils/parser"
 )
 
 // VerifyPlugin is a function that verifies the signature of a plugin
@@ -96,22 +95,9 @@ func VerifyPluginWithPublicKeys(decoder PluginDecoder, publicKeys []*rsa.PublicK
 		return err
 	}
 
-	// get the verification, at this point, verification is used to verify checksum
-	// just ignore verifying signature
-	verification, err := decoder.Verification(true)
-	if err != nil {
-		return err
-	}
-
 	// write the time into data
 	data.Write([]byte(strconv.FormatInt(createdAt, 10)))
 
-	if verification != nil {
-		// marshal
-		verificationBytes := parser.MarshalJsonBytes(verification)
-		data.Write(verificationBytes)
-	}
-
 	sigBytes, err := base64.StdEncoding.DecodeString(signature)
 	if err != nil {
 		return err

pkg/plugin_packager/decoder/zip.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/langgenius/dify-plugin-daemon/internal/utils/parser"
 	"github.com/langgenius/dify-plugin-daemon/pkg/entities/plugin_entities"
+	"github.com/langgenius/dify-plugin-daemon/pkg/plugin_packager/consts"
 )
 
 type ZipPluginDecoder struct {
@@ -184,9 +185,8 @@ func (z *ZipPluginDecoder) decode() error {
 	}
 
 	signatureData, err := parser.UnmarshalJson[struct {
-		Signature    string        `json:"signature"`
-		Time         int64         `json:"time"`
-		Verification *Verification `json:"verification"`
+		Signature string `json:"signature"`
+		Time      int64  `json:"time"`
 	}](z.reader.Comment)
 
 	if err != nil {
@@ -195,11 +195,31 @@ func (z *ZipPluginDecoder) decode() error {
 
 	pluginSig := signatureData.Signature
 	pluginTime := signatureData.Time
-	pluginVerification := signatureData.Verification
+
+	var verification *Verification
+
+	// try to read the verification file
+	verificationData, err := z.ReadFile(consts.VERIFICATION_FILE)
+	if err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return err
+		}
+
+		// if the verification file is not found, set the verification to nil
+		verification = nil
+	} else {
+		// unmarshal the verification data
+		verificationData, err := parser.UnmarshalJsonBytes[Verification](verificationData)
+		if err != nil {
+			return err
+		}
+
+		verification = &verificationData
+	}
 
 	z.sig = pluginSig
 	z.createTime = pluginTime
-	z.verification = pluginVerification
+	z.verification = verification
 
 	return nil
 }
@@ -238,8 +258,8 @@ func (z *ZipPluginDecoder) CreateTime() (int64, error) {
 	return z.createTime, nil
 }
 
-func (z *ZipPluginDecoder) Verification(ignoreVerifySignature bool) (*Verification, error) {
-	if !ignoreVerifySignature && !z.Verified() {
+func (z *ZipPluginDecoder) Verification() (*Verification, error) {
+	if !z.Verified() {
 		return nil, errors.New("plugin is not verified")
 	}
 

pkg/plugin_packager/signer/withkey/sign_with_key.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/langgenius/dify-plugin-daemon/internal/utils/encryption"
 	"github.com/langgenius/dify-plugin-daemon/internal/utils/parser"
+	"github.com/langgenius/dify-plugin-daemon/pkg/plugin_packager/consts"
 	"github.com/langgenius/dify-plugin-daemon/pkg/plugin_packager/decoder"
 )
 
@@ -73,6 +74,31 @@ func SignPluginWithPrivateKey(
 		return nil, err
 	}
 
+	// write the verification into data
+	// NOTE: .verification.dify.json is a special file that contains the verification information
+	// and it will be placed at the end of the zip file, checksum is calculated using it also
+	verificationBytes := parser.MarshalJsonBytes(verification)
+
+	// write verification into the zip file
+	fileWriter, err := zipWriter.Create(consts.VERIFICATION_FILE)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err := fileWriter.Write(verificationBytes); err != nil {
+		return nil, err
+	}
+
+	// hash the verification
+	hash := sha256.New()
+	hash.Write(verificationBytes)
+	hashed := hash.Sum(nil)
+
+	// write the hash into data
+	if _, err := data.Write(hashed); err != nil {
+		return nil, err
+	}
+
 	// get current time
 	ct := time.Now().Unix()
 
@@ -82,12 +108,6 @@ func SignPluginWithPrivateKey(
 	// write the time into data
 	data.Write([]byte(timeString))
 
-	// json marshal the verification
-	verificationBytes := parser.MarshalJsonBytes(verification)
-
-	// write the verification into data
-	data.Write(verificationBytes)
-
 	// sign the data
 	signature, err := encryption.RSASign(privateKey, data.Bytes())
 	if err != nil {
@@ -96,9 +116,8 @@ func SignPluginWithPrivateKey(
 
 	// write the signature into the comment field of the zip file
 	comments := parser.MarshalJson(map[string]any{
-		"signature":    base64.StdEncoding.EncodeToString(signature),
-		"time":         ct,
-		"verification": verification,
+		"signature": base64.StdEncoding.EncodeToString(signature),
+		"time":      ct,
 	})
 
 	// write signature