Add bundle signature verification

As part of container image we also have detached gpg bundle signature
and this pr is verify that with bundle to make sure bundle is coming
from us.

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/AlecAivazis/survey/v2 v2.3.4
 	github.com/Masterminds/semver/v3 v3.1.1
 	github.com/Microsoft/go-winio v0.5.2
+	github.com/ProtonMail/go-crypto v0.0.0-20220623141421-5afb4c282135
 	github.com/RedHatQE/gowinx v0.0.3
 	github.com/YourFin/binappend v0.0.0-20181105185800-0add4bf0b9ad
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d

go.sum

@@ -124,6 +124,8 @@ github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMo
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/ProtonMail/go-crypto v0.0.0-20220623141421-5afb4c282135 h1:xDc/cFH/hwyr9KyWc0sm26lpsscqtfZBvU8NpRLHwJ0=
+github.com/ProtonMail/go-crypto v0.0.0-20220623141421-5afb4c282135/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=

pkg/crc/constants/constants.go

@@ -41,6 +41,23 @@ const (
 	RegistryURI   = "quay.io/crcont"
 	ClusterDomain = ".crc.testing"
 	AppsDomain    = ".apps-crc.testing"
+
+	// GPGPublicKey key is submitted to keyserver.ubuntu.com and can be fetched using
+	// gpg --keyserver hkps://keyserver.ubuntu.com --recv-key DC7EAC400A1BFDFB
+	GPGPublicKey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEYrvgDRYJKwYBBAHaRw8BAQdAoW+hjSRYpTAdLEE1u6ZuYNER1g97e8ygT4ic
+mvo1AKi0MmNyYyAoS2V5IHRvIHNpZ24gYnVuZGxlIHVzZWQgYnkgY3JjKSA8Y3Jj
+QGNyYy5kZXY+iJkEExYKAEEWIQS4RlW/rByOBn/ZyofcfqxAChv9+wUCYrvgDQIb
+AwUJEswDAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRDcfqxAChv9+/ep
+APwISi03R7npwimqdL7NYKDGMO8ikOwmmPkqh9CKwt4CdwD8Cc6HNcZumHDpJ4gH
+x7FXxIS9KLwDihpm1Gxr4t1t5Qy4OARiu+ANEgorBgEEAZdVAQUBAQdA/w7pM7hf
+bxZ2qwSuoBuhcA1sAlPSb3NrIZf3CceoqzQDAQgHiH4EGBYKACYWIQS4RlW/rByO
+Bn/ZyofcfqxAChv9+wUCYrvgDQIbDAUJEswDAAAKCRDcfqxAChv9+2UkAQCNCdaf
+vnhbvfPHDltmwDZ3aD4l3jjSKpeySeKQocgjQAD6A7kawst/50k4wb+vUDUnEoYo
+9Ix7lKfKWCXil/z0vg4=
+=lmb/
+-----END PGP PUBLIC KEY BLOCK-----`
 )
 
 var adminHelperExecutableForOs = map[string]string{

pkg/crc/gpg/gpg.go

@@ -0,0 +1,34 @@
+package gpg
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+
+	"github.com/ProtonMail/go-crypto/openpgp"
+	"github.com/code-ready/crc/pkg/crc/constants"
+)
+
+func Verify(filePath, signatureFilePath string) error {
+	data, err := os.Open(filePath)
+	if err != nil {
+		return err
+	}
+	defer data.Close()
+
+	signature, err := os.Open(signatureFilePath)
+	if err != nil {
+		return err
+	}
+	defer signature.Close()
+
+	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(constants.GPGPublicKey))
+	if err != nil {
+		return fmt.Errorf("failed to parse public key: %s", err)
+	}
+
+	if _, err = openpgp.CheckArmoredDetachedSignature(keyring, data, signature, nil); err != nil {
+		return fmt.Errorf("failed to check signature: %s", err)
+	}
+	return nil
+}

pkg/crc/image/image.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/code-ready/crc/pkg/crc/constants"
+	"github.com/code-ready/crc/pkg/crc/gpg"
 	"github.com/code-ready/crc/pkg/crc/logging"
 	crcpreset "github.com/code-ready/crc/pkg/crc/preset"
 	"github.com/code-ready/crc/pkg/crc/version"
@@ -113,5 +114,24 @@ func PullBundle(preset crcpreset.Preset) error {
 		return err
 	}
 	_, err = extract.Uncompress(filepath.Join(destDir, imgLayer), constants.MachineCacheDir, true)
-	return err
+	if err != nil {
+		return err
+	}
+
+	fileList, err := extract.Uncompress(filepath.Join(destDir, imgLayer), constants.MachineCacheDir, true)
+	if err != nil {
+		return err
+	}
+	logging.Debugf("Bundle and sign path: %v", fileList)
+
+	logging.Info("Verifying the bundle signature...")
+	if len(fileList) != 2 {
+		return fmt.Errorf("image layer contains more files than expected: %v", fileList)
+	}
+	bundleFilePath, sigFilePath := fileList[0], fileList[1]
+	if !strings.HasSuffix(sigFilePath, ".crcbundle.sig") {
+		sigFilePath, bundleFilePath = fileList[0], fileList[1]
+	}
+
+	return gpg.Verify(bundleFilePath, sigFilePath)
 }