Plugins: Unsigned chromium file should not invalidate signature for Renderer plugin (#59104)

* Plugins: Unsigned chromium file should not invalidate signature for Renderer plugin * fix test * re-work solution
2025-09-27 05:43:43 +08:00 · 2022-12-19 11:46:27 +00:00
parent 02fbb1cd8f
commit 48b33ab521
7 changed files with 77 additions and 11 deletions
--- a/pkg/plugins/manager/signature/manifest.go
+++ b/pkg/plugins/manager/signature/manifest.go
@ -12,6 +12,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"runtime"
 	"strings"

 	"github.com/gobwas/glob"
@ -54,6 +55,8 @@ N1c5v9v/4h6qeA==
 -----END PGP PUBLIC KEY BLOCK-----
 `

+var runningWindows = runtime.GOOS == "windows"
+
 // pluginManifest holds details for the file manifest
 type pluginManifest struct {
 	Plugin  string            `json:"plugin"`
@ -259,6 +262,11 @@ func pluginFilesRequiringVerification(plugin *plugins.Plugin) ([]string, error)
 			return nil
 		}

+		// Ignoring unsigned Chromium debug.log so it doesn't invalidate the signature for Renderer plugin running on Windows
+		if runningWindows && plugin.IsRenderer() && strings.HasSuffix(path, filepath.Join("chrome-win", "debug.log")) {
+			return nil
+		}
+
 		// verify that file is within plugin directory
 		file, err := filepath.Rel(plugin.PluginDir, path)
 		if err != nil {
--- a/pkg/plugins/manager/signature/manifest_test.go
+++ b/pkg/plugins/manager/signature/manifest_test.go
@ -165,6 +165,31 @@ func TestCalculate(t *testing.T) {
 			require.Equal(t, tc.expectedSignature, sig)
 		}
 	})
+
+	t.Run("Unsigned Chromium file should not invalidate signature for Renderer plugin running on Windows", func(t *testing.T) {
+		backup := runningWindows
+		t.Cleanup(func() {
+			runningWindows = backup
+		})
+
+		runningWindows = true
+		sig, err := Calculate(log.NewNopLogger(), &plugins.Plugin{
+			JSONData: plugins.JSONData{
+				ID:   "test-renderer",
+				Type: plugins.Renderer,
+				Info: plugins.Info{
+					Version: "1.0.0",
+				},
+			},
+			PluginDir: "../testdata/renderer-added-file/plugin",
+		})
+		require.NoError(t, err)
+		require.Equal(t, plugins.Signature{
+			Status:     plugins.SignatureValid,
+			Type:       plugins.GrafanaSignature,
+			SigningOrg: "Grafana Labs",
+		}, sig)
+	})
 }

 func fileList(manifest *pluginManifest) []string {
--- a/pkg/plugins/manager/testdata/renderer-added-file/plugin/MANIFEST.txt
+++ b/pkg/plugins/manager/testdata/renderer-added-file/plugin/MANIFEST.txt
@ -0,0 +1,28 @@
+
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+{
+  "manifestVersion": "2.0.0",
+  "signatureType": "grafana",
+  "signedByOrg": "grafana",
+  "signedByOrgName": "Grafana Labs",
+  "plugin": "test-renderer",
+  "version": "1.0.0",
+  "time": 1669116992691,
+  "keyId": "7e4d0c6a708866e7",
+  "files": {
+    "plugin.json": "2f8fc554d0a080b9719ba43c0a8df366a88500eb129dfd4aedd9e3d147178273"
+  }
+}
+-----BEGIN PGP SIGNATURE-----
+Version: OpenPGP.js v4.10.10
+Comment: https://openpgpjs.org
+
+wrgEARMKAAYFAmN8tEAAIQkQfk0ManCIZucWIQTzOyW2kQdOhGNlcPN+TQxq
+cIhm576UAgiedgIhpOgTi/ypYgg8AtGQqKAwnDuDRDrYOc6LUDuskbSsR+J7
+f2QjcPGpPk3alaqiTYMxixkTgmD01hltaTJ0AwIJAS9XkKHKxC9/ZhSHYemw
+7wUeKs6AEvKR6amYZ+TF2pVyiJ9cEnl9J55MmDikqKFrIqC9J0V9r9wFkPAF
+kOKVOY+y
+=gqF+
+-----END PGP SIGNATURE-----
--- a/pkg/plugins/manager/testdata/renderer-added-file/plugin/chrome-win/debug.log
+++ b/pkg/plugins/manager/testdata/renderer-added-file/plugin/chrome-win/debug.log
@ -0,0 +1 @@
+TEST LOG LINE
--- a/pkg/plugins/manager/testdata/renderer-added-file/plugin/plugin.json
+++ b/pkg/plugins/manager/testdata/renderer-added-file/plugin/plugin.json
@ -0,0 +1,11 @@
+{
+  "type": "renderer",
+  "name": "Test",
+  "id": "test-renderer",
+  "backend": true,
+  "executable": "test",
+  "info": {
+    "version": "1.0.0",
+    "description": "Test"
+  }
+}