A tool to add and verify digital signatures to/from WASM binaries.
Unlike typical desktop and mobile applications, WebAssembly binaries do not embed any kind of digital signatures to verify that they come from a trusted source, and haven't been tampered with.
Wasmsign takes an existing wasm binary, computes an EdDSA signature, and builds a new binary embedding that signature as a global, exported symbol.
The resulting binary remains a standalone, valid wasm binary, but its signature can be verified prior to executing it.
`wasmsign` requires rust-nightly, which can be installed using `rustup`.
`cargo install` is then all it takes to compile and install the command-line `wasmsign` tool.
```
wasmsign [FLAGS] [OPTIONS] --symbol-name

FLAGS:
    -h, --help       Prints help information
    -G, --keygen     Generate a key pair
    -S, --sign       Sign a file
        --version    Prints version information
    -V, --verify     Verify a file

OPTIONS:
    -a, --ad
```

```sh
wasmsign --keygen --pk-path key.public --sk-path key.secret
```

```sh
wasmsign --sign --pk-path key.public --sk-path key.secret \
  --input unsigned.wasm --output signed.wasm
```

Additional data can be authenticated, so that the signature is only valid for a given user, group, or machine:

```sh
wasmsign --sign --pk-path key.public --sk-path key.secret \
  --input unsigned.wasm --output signed.wasm --ad user19238
```

```sh
wasmsign --verify --pk-path key.public --input signed.wasm
```

or with additional data:

```sh
wasmsign --verify --pk-path key.public --input signed.wasm --ad user19238
```
The command exits with `0` if the embedded signature is valid for the given public key, content and additional data, or with a non-`0` value on error.
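A fail-closed launcher built on that exit code, as an added example that is not part of wasmsign itself: it verifies a private copy of the module and runs that same copy, so the bytes checked are the bytes executed. The function name `verify_and_run`, the runner command and the key location are assumptions; only the `wasmsign` flags shown above are used.

```sh
#!/bin/sh
# Added example (not wasmsign's own code): refuse to run a module unless
# `wasmsign --verify` exits with 0 for a public key the deployer controls.

# verify_and_run PUBKEY AD MODULE RUNNER [RUNNER_ARGS...]
#   PUBKEY  public key kept outside the directory the module arrives in
#   AD      expected additional data, or "" if the module was signed without it
#   RUNNER  hypothetical command that executes a wasm file given as last argument
verify_and_run() {
    if [ "$#" -lt 4 ]; then
        echo "usage: verify_and_run PUBKEY AD MODULE RUNNER [ARGS...]" >&2
        return 64
    fi
    pk=$1; ad=$2; module=$3
    shift 3

    # Snapshot the module into a private directory: the file that is verified
    # is the file that is executed, even if the original is swapped meanwhile.
    workdir=$(mktemp -d) || return 70
    snapshot="$workdir/module.wasm"
    if ! cp -- "$module" "$snapshot"; then
        rm -rf -- "$workdir"
        return 66
    fi

    status=0
    if [ -n "$ad" ]; then
        wasmsign --verify --pk-path "$pk" --input "$snapshot" --ad "$ad" || status=$?
    else
        wasmsign --verify --pk-path "$pk" --input "$snapshot" || status=$?
    fi

    if [ "$status" -ne 0 ]; then
        # Any non-zero exit means "do not run", whatever the underlying cause.
        echo "refusing to run $module: wasmsign exited with $status" >&2
        rm -rf -- "$workdir"
        return 1
    fi

    "$@" "$snapshot" || status=$?
    rm -rf -- "$workdir"
    return "$status"
}
```

The additional data is supplied by the launcher rather than read from anything shipped with the module, so a binary signed for another user, group, or machine fails verification here.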