Open
Conversation
zgroza
reviewed
Mar 23, 2026
Comment on lines
-127
to
+130
| This package also includes 2 CLI tools | ||
| This package includes 2 CLI tools: | ||
|
|
||
| - `wbn-sign` which lets you sign a web bundle easily without having to write any | ||
| additional JavaScript. | ||
| - `wbn-dump-id` which can be used to calculate the Web Bundle ID corresponding | ||
| to your signing key. | ||
| - `wbn-sign`: A comprehensive tool for signing bundles and managing signatures. | ||
| - `wbn-dump-id`: A simple utility to calculate the Web Bundle ID for a given key. |
Collaborator
There was a problem hiding this comment.
Is it really necessary to change this? Such changes make it more difficult to review code, as it's difficult to pinpoint what's actually meaningful.
Comment on lines
-170
to
-183
| #### Legacy usage (<0.2.6) | ||
| Previously the CLI tool used only options (no command). This usage form will be deprecated, but in the actual version is still supported. | ||
|
|
||
| In `wbn-sign [options]` form followling options are available: | ||
| - (required) `--private-key <filePath>` (`-k <filePath>`) | ||
| which takes the path to ed25519/ecdsaP256 private key. Can be specified multiple times. | ||
| - (required) `--input <filePath>` (`-i <filePath>`) | ||
| which takes the path to the web bundle to be signed. | ||
| - (optional) `--output <filePath>` (`-o <filePath>`) | ||
| which takes the path to the wanted signed web bundle output. Default: | ||
| `signed.swbn`. | ||
| - (required if more than one key is provided) | ||
| `--web-bundle-id <web-bundle-id>` | ||
| which takes the `web-bundle-id` to be associated with the web bundle. |
Collaborator
There was a problem hiding this comment.
Can you maybe just change it to "Legacy usage (<0.3.1)" and put here the description of how things work prior to this change?
Comment on lines
-200
to
+167
| wbn-dump-id -s -k ~/path/to/ed25519key.pem | ||
| wbn-dump-id -s -k /ed25519key.pem |
Comment on lines
208
to
+211
| # encrypt the key (will ask for a passphrase, make sure to use a strong one) | ||
| openssl pkcs8 -in ed25519key.pem -topk8 -out encrypted_ed25519key.pem | ||
| openssl pkcs8 -in private_key.pem -topk8 -out encrypted_key.pem | ||
| # delete the unencrypted key | ||
| rm ed25519key.pem | ||
| rm private_key.pem |
| } | ||
| } | ||
|
|
||
| printStatus() { |
Collaborator
There was a problem hiding this comment.
How exactly error logs look here (the case of debugging a malformed bundle, which might be among the main reasons for actually using this)? Are they actually readable?
Also, correct me if I am wrong but I don't seem to see any tests for this?
Comment on lines
-139
to
+142
| Currenly supported commands are: | ||
| ``` | ||
| Usage: wbn-sign sign [options] <web_bundle> <private_keys...> | ||
|
|
||
| Signs the given web bundle with private key(s). Produces signed web bundle output file. | ||
|
|
||
| Arguments: | ||
| web_bundle a web bundle (file `*.wbn`) to sign | ||
| private_keys private keys (files `*.pem`) with which the web bundle will be signed. EcdsaP256 and ed25519 keys (encrypted and not encrypted) are supported. | ||
|
|
||
| Options: | ||
| -o, --output <file> signed web bundle output file (default: "signed.swbn") | ||
| --web-bundle-id <web-bundle-id> web bundle ID. Derived from the first key if not specified. | ||
| -h, --help display help for command | ||
| ``` | ||
| #### Commands: | ||
|
|
||
| For more details check `wbn-sign help [command]`. | ||
| - `sign <web_bundle> <private_keys...>`: Signs a web bundle with one or more private keys. | ||
| - `add-signature <signed_web_bundle> <private_keys...>`: Adds new signatures to an already signed bundle. | ||
| - `remove-signature <signed_web_bundle> <keys...>`: Removes signatures from a bundle. Keys can be public (Base64/.pem) or private (.pem). | ||
| - `replace-signature <signed_web_bundle> <old_key> <new_private_key>`: Replaces an existing signature. | ||
| - `info <web_bundle>`: Displays information about the integrity block, including the Web Bundle ID and public keys of signers. |
Collaborator
There was a problem hiding this comment.
I kind of liked the help syntax more, is it necessary to change it? (This is not a must, just preference.)
| openssl genpkey -algorithm Ed25519 -out ed25519key.pem | ||
| ``` | ||
|
|
||
| For better security, one should prefer using passphrase-encrypted ed25519 |
Collaborator
There was a problem hiding this comment.
Nit: restore recommendation to use ed25519 keys.
| return this; | ||
| } | ||
|
|
||
| printStatus(): void { |
Collaborator
There was a problem hiding this comment.
Here and in js/sign/src/core/integrity-block.ts: Why "status" and not "info"? Can we be a consistent?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR expands the CLI with new commands for managing integrity blocks.
This is a continuation of #913, which was split into API(original PR) and CLI(this PR) parts.