refactor: verifier

pkg/controller/exec/exec_test.go

@@ -26,6 +26,7 @@ import (
 	"github.com/aquaproj/aqua/v2/pkg/slsa"
 	"github.com/aquaproj/aqua/v2/pkg/testutil"
 	"github.com/aquaproj/aqua/v2/pkg/unarchive"
+	"github.com/aquaproj/aqua/v2/pkg/verify"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/afero"
 	"github.com/suzuki-shunsuke/go-osenv/osenv"
@@ -151,7 +152,7 @@ packages:
 			whichCtrl := which.New(d.param, finder.NewConfigFinder(fs), reader.New(fs, d.param), registry.New(d.param, ghDownloader, fs, d.rt, &cosign.MockVerifier{}, &slsa.MockVerifier{}), d.rt, osEnv, fs, linker)
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
 			executor := &exec.Mock{}
-			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{}, &verify.Mock{})
 			policyFinder := policy.NewConfigFinder(fs)
 			ctrl := execCtrl.New(pkgInstaller, whichCtrl, executor, osEnv, fs, policy.NewReader(fs, policy.NewValidator(d.param, fs), policyFinder, policy.NewConfigReader(fs)))
 			if err := ctrl.Exec(ctx, logE, d.param, d.exeName, d.args...); err != nil {
@@ -246,7 +247,7 @@ packages:
 			whichCtrl := which.New(d.param, finder.NewConfigFinder(fs), reader.New(fs, d.param), registry.New(d.param, ghDownloader, afero.NewOsFs(), d.rt, &cosign.MockVerifier{}, &slsa.MockVerifier{}), d.rt, osEnv, fs, linker)
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
 			executor := &exec.Mock{}
-			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{}, &verify.Mock{})
 			ctrl := execCtrl.New(pkgInstaller, whichCtrl, executor, osEnv, fs, &policy.MockReader{})
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {

pkg/controller/install/install_test.go

@@ -22,6 +22,7 @@ import (
 	"github.com/aquaproj/aqua/v2/pkg/slsa"
 	"github.com/aquaproj/aqua/v2/pkg/testutil"
 	"github.com/aquaproj/aqua/v2/pkg/unarchive"
+	"github.com/aquaproj/aqua/v2/pkg/verify"
 	"github.com/sirupsen/logrus"
 )
 
@@ -102,7 +103,7 @@ packages:
 			}
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
 			executor := &exec.Mock{}
-			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{}, &verify.Mock{})
 			policyFinder := policy.NewConfigFinder(fs)
 			policyReader := policy.NewReader(fs, &policy.MockValidator{}, policyFinder, policy.NewConfigReader(fs))
 			ctrl := install.New(d.param, finder.NewConfigFinder(fs), reader.New(fs, d.param), registry.New(d.param, registryDownloader, fs, d.rt, &cosign.MockVerifier{}, &slsa.MockVerifier{}), pkgInstaller, fs, d.rt, policyReader)

pkg/controller/wire.go

@@ -44,6 +44,7 @@ import (
 	"github.com/aquaproj/aqua/v2/pkg/runtime"
 	"github.com/aquaproj/aqua/v2/pkg/slsa"
 	"github.com/aquaproj/aqua/v2/pkg/unarchive"
+	"github.com/aquaproj/aqua/v2/pkg/verify"
 	"github.com/aquaproj/aqua/v2/pkg/versiongetter"
 
 	"github.com/google/wire"
@@ -248,6 +249,7 @@ func InitializeInstallCommandController(ctx context.Context, param *config.Param
 		wire.NewSet(
 			installpackage.New,
 			wire.Bind(new(install.Installer), new(*installpackage.Installer)),
+			wire.Bind(new(verify.Installer), new(*installpackage.Installer)),
 		),
 		wire.NewSet(
 			download.NewDownloader,
@@ -332,6 +334,10 @@ func InitializeInstallCommandController(ctx context.Context, param *config.Param
 			installpackage.NewCargoPackageInstallerImpl,
 			wire.Bind(new(installpackage.CargoPackageInstaller), new(*installpackage.CargoPackageInstallerImpl)),
 		),
+		wire.NewSet(
+			verify.New,
+			wire.Bind(new(installpackage.Verifier), new(*verify.Verifier)),
+		),
 	)
 	return &install.Controller{}, nil
 }

pkg/download/util.go

@@ -15,6 +15,8 @@ import (
 )
 
 func ConvertDownloadedFileToFile(file *registry.DownloadedFile, art *File, rt *runtime.Runtime, tplParam *template.Artifact) (*File, error) {
+	// art has the version and the default value of RepoOwner and RepoName.
+	// tplParam has parameters to render asset and URL.
 	f := &File{
 		Type:      file.Type,
 		RepoOwner: file.RepoOwner,

pkg/installpackage/aqua_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/aquaproj/aqua/v2/pkg/slsa"
 	"github.com/aquaproj/aqua/v2/pkg/testutil"
 	"github.com/aquaproj/aqua/v2/pkg/unarchive"
+	"github.com/aquaproj/aqua/v2/pkg/verify"
 	"github.com/sirupsen/logrus"
 )
 
@@ -67,7 +68,7 @@ e922723678f493216c2398f3f23fb027c9a98808b49f6fce401ef82ee2c22b03  aqua_linux_arm
 			}
 			ctrl := installpackage.New(d.param, &download.Mock{
 				RC: io.NopCloser(strings.NewReader("xxx")),
-			}, d.rt, fs, installpackage.NewMockLinker(fs), d.checksumDownloader, d.checksumCalculator, &unarchive.MockUnarchiver{}, &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			}, d.rt, fs, installpackage.NewMockLinker(fs), d.checksumDownloader, d.checksumCalculator, &unarchive.MockUnarchiver{}, &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{}, &verify.Mock{})
 			if err := ctrl.InstallAqua(ctx, logE, d.version); err != nil {
 				if d.isErr {
 					return

pkg/installpackage/installer.go

@@ -51,26 +51,31 @@ type Installer struct {
 	onlyLink              bool
 	cosignDisabled        bool
 	slsaDisabled          bool
+	verifier              Verifier
 }
 
-func New(param *config.Param, downloader download.ClientAPI, rt *runtime.Runtime, fs afero.Fs, linker Linker, chkDL download.ChecksumDownloader, chkCalc ChecksumCalculator, unarchiver Unarchiver, cosignVerifier CosignVerifier, slsaVerifier SLSAVerifier, minisignVerifier MinisignVerifier, goInstallInstaller GoInstallInstaller, goBuildInstaller GoBuildInstaller, cargoPackageInstaller CargoPackageInstaller) *Installer {
-	installer := newInstaller(param, downloader, rt, fs, linker, chkDL, chkCalc, unarchiver, cosignVerifier, slsaVerifier, minisignVerifier, goInstallInstaller, goBuildInstaller, cargoPackageInstaller)
+type Verifier interface {
+	Verify(ctx context.Context, logE *logrus.Entry, pkg *config.Package, bodyFile *download.DownloadedFile) error
+}
+
+func New(param *config.Param, downloader download.ClientAPI, rt *runtime.Runtime, fs afero.Fs, linker Linker, chkDL download.ChecksumDownloader, chkCalc ChecksumCalculator, unarchiver Unarchiver, cosignVerifier CosignVerifier, slsaVerifier SLSAVerifier, minisignVerifier MinisignVerifier, goInstallInstaller GoInstallInstaller, goBuildInstaller GoBuildInstaller, cargoPackageInstaller CargoPackageInstaller, verifier Verifier) *Installer {
+	installer := newInstaller(param, downloader, rt, fs, linker, chkDL, chkCalc, unarchiver, cosignVerifier, slsaVerifier, minisignVerifier, goInstallInstaller, goBuildInstaller, cargoPackageInstaller, verifier)
 	installer.cosignInstaller = &Cosign{
-		installer: newInstaller(param, downloader, runtime.NewR(), fs, linker, chkDL, chkCalc, unarchiver, cosignVerifier, slsaVerifier, minisignVerifier, goInstallInstaller, goBuildInstaller, cargoPackageInstaller),
+		installer: newInstaller(param, downloader, runtime.NewR(), fs, linker, chkDL, chkCalc, unarchiver, cosignVerifier, slsaVerifier, minisignVerifier, goInstallInstaller, goBuildInstaller, cargoPackageInstaller, verifier),
 		mutex:     &sync.Mutex{},
 	}
 	installer.slsaVerifierInstaller = &SLSAVerifierInstaller{
-		installer: newInstaller(param, downloader, runtime.NewR(), fs, linker, chkDL, chkCalc, unarchiver, cosignVerifier, slsaVerifier, minisignVerifier, goInstallInstaller, goBuildInstaller, cargoPackageInstaller),
+		installer: newInstaller(param, downloader, runtime.NewR(), fs, linker, chkDL, chkCalc, unarchiver, cosignVerifier, slsaVerifier, minisignVerifier, goInstallInstaller, goBuildInstaller, cargoPackageInstaller, verifier),
 		mutex:     &sync.Mutex{},
 	}
 	installer.minisignInstaller = &MinisignInstaller{
-		installer: newInstaller(param, downloader, runtime.NewR(), fs, linker, chkDL, chkCalc, unarchiver, cosignVerifier, slsaVerifier, minisignVerifier, goInstallInstaller, goBuildInstaller, cargoPackageInstaller),
+		installer: newInstaller(param, downloader, runtime.NewR(), fs, linker, chkDL, chkCalc, unarchiver, cosignVerifier, slsaVerifier, minisignVerifier, goInstallInstaller, goBuildInstaller, cargoPackageInstaller, verifier),
 		mutex:     &sync.Mutex{},
 	}
 	return installer
 }
 
-func newInstaller(param *config.Param, downloader download.ClientAPI, rt *runtime.Runtime, fs afero.Fs, linker Linker, chkDL download.ChecksumDownloader, chkCalc ChecksumCalculator, unarchiver Unarchiver, cosignVerifier CosignVerifier, slsaVerifier SLSAVerifier, minisignVerifier MinisignVerifier, goInstallInstaller GoInstallInstaller, goBuildInstaller GoBuildInstaller, cargoPackageInstaller CargoPackageInstaller) *Installer {
+func newInstaller(param *config.Param, downloader download.ClientAPI, rt *runtime.Runtime, fs afero.Fs, linker Linker, chkDL download.ChecksumDownloader, chkCalc ChecksumCalculator, unarchiver Unarchiver, cosignVerifier CosignVerifier, slsaVerifier SLSAVerifier, minisignVerifier MinisignVerifier, goInstallInstaller GoInstallInstaller, goBuildInstaller GoBuildInstaller, cargoPackageInstaller CargoPackageInstaller, verifier Verifier) *Installer {
 	return &Installer{
 		rootDir:               param.RootDir,
 		maxParallelism:        param.MaxParallelism,
@@ -92,6 +97,7 @@ func newInstaller(param *config.Param, downloader download.ClientAPI, rt *runtim
 		goInstallInstaller:    goInstallInstaller,
 		goBuildInstaller:      goBuildInstaller,
 		cargoPackageInstaller: cargoPackageInstaller,
+		verifier:              verifier,
 	}
 }
 

pkg/installpackage/installer_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/aquaproj/aqua/v2/pkg/slsa"
 	"github.com/aquaproj/aqua/v2/pkg/testutil"
 	"github.com/aquaproj/aqua/v2/pkg/unarchive"
+	"github.com/aquaproj/aqua/v2/pkg/verify"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/afero"
 )
@@ -187,7 +188,7 @@ func Test_installer_InstallPackages(t *testing.T) { //nolint:funlen
 				}
 			}
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
-			ctrl := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(d.executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			ctrl := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(d.executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{}, &verify.Mock{})
 			if err := ctrl.InstallPackages(ctx, logE, &installpackage.ParamInstallPackages{
 				Config:         d.cfg,
 				Registries:     d.registries,
@@ -262,7 +263,7 @@ func Test_installer_InstallPackage(t *testing.T) { //nolint:funlen
 				t.Fatal(err)
 			}
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
-			ctrl := installpackage.New(d.param, downloader, d.rt, fs, nil, nil, &checksum.Calculator{}, unarchive.New(d.executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			ctrl := installpackage.New(d.param, downloader, d.rt, fs, nil, nil, &checksum.Calculator{}, unarchive.New(d.executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{}, &verify.Mock{})
 			if err := ctrl.InstallPackage(ctx, logE, &installpackage.ParamInstallPackage{
 				Pkg: d.pkg,
 			}); err != nil {

pkg/installpackage/proxy_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/aquaproj/aqua/v2/pkg/slsa"
 	"github.com/aquaproj/aqua/v2/pkg/testutil"
 	"github.com/aquaproj/aqua/v2/pkg/unarchive"
+	"github.com/aquaproj/aqua/v2/pkg/verify"
 	"github.com/sirupsen/logrus"
 )
 
@@ -63,7 +64,7 @@ func Test_installer_InstallProxy(t *testing.T) {
 				}
 			}
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
-			ctrl := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(d.executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
+			ctrl := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(d.executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &minisign.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{}, &verify.Mock{})
 			if err := ctrl.InstallProxy(ctx, logE); err != nil {
 				if d.isErr {
 					return

pkg/installpackage/verify_minisign.go

@@ -15,6 +15,7 @@ func (is *Installer) verifyWithMinisign(ctx context.Context, logE *logrus.Entry,
 	if !m.GetEnabled() {
 		return nil
 	}
+
 	art := ppkg.TemplateArtifact(is.runtime, param.Asset)
 	logE.Info("verify a package with minisign")
 	if err := is.minisignInstaller.installMinisign(ctx, logE); err != nil {

pkg/verify/cosign/verifiy.go

@@ -0,0 +1,70 @@
+package cosign
+
+import (
+	"context"
+	"sync"
+
+	"github.com/aquaproj/aqua/v2/pkg/config"
+	"github.com/aquaproj/aqua/v2/pkg/config/aqua"
+	"github.com/aquaproj/aqua/v2/pkg/config/registry"
+	"github.com/sirupsen/logrus"
+)
+
+type Verifier struct{}
+
+func NewVerifier() *Verifier {
+	return &Verifier{}
+}
+
+func (v *Verifier) Package() *config.Package {
+	return &config.Package{
+		Package: &aqua.Package{
+			Name:    "sigstore/cosign",
+			Version: Version,
+		},
+		PackageInfo: &registry.PackageInfo{
+			Type:      "github_release",
+			RepoOwner: "sigstore",
+			RepoName:  "cosign",
+			Asset:     "cosign-{{.OS}}-{{.Arch}}",
+			SupportedEnvs: []string{
+				"darwin",
+				"linux",
+				"amd64",
+			},
+		},
+	}
+}
+
+func (v *Verifier) Checksums() map[string]string {
+	return Checksums()
+}
+
+func (v *Verifier) Enabled(pkg *registry.PackageInfo) bool {
+	if pkg.Minisign == nil {
+		return false
+	}
+	if pkg.Minisign.Enabled == nil {
+		return true
+	}
+	return *pkg.Minisign.Enabled
+}
+
+func (v *Verifier) SupportedConfig() bool {
+	return true
+}
+
+func (v *Verifier) Signature(ctx context.Context, logE *logrus.Entry) (*registry.DownloadedFile, string, error) {
+	return v.Package().PackageInfo.Minisign.ToDownloadedFile(), "", nil
+}
+
+func (v *Verifier) Command(verifiedFilePath, sigPath string) (*sync.Mutex, int, []string) {
+	return nil, 1, []string{
+		"-Vm",
+		verifiedFilePath,
+		"-P",
+		v.Package().PackageInfo.Minisign.PublicKey,
+		"-x",
+		sigPath,
+	}
+}

pkg/verify/cosign/version.go

@@ -0,0 +1,13 @@
+package cosign
+
+const Version = "v2.2.4"
+
+func Checksums() map[string]string {
+	return map[string]string{
+		"darwin/amd64":  "0E5A77A86115E4C00BA4243DB01ABCEACB13CC06981C45E53EE71F2E1DB8CE25",
+		"darwin/arm64":  "FCD310E64ECDDC1EAA13FE814AC1C9FC02F6F9EACD9A58480AB8160EB8CA381E",
+		"linux/amd64":   "97A6A1E15668A75FC4FF7A4DC4CB2F098F929CBEA2F12FAA9DE31DB6B42B17D7",
+		"linux/arm64":   "658087351E1D4F9C396B5F59EE5437461C06128F4CE80BA899CCAA1C0B6A8A62",
+		"windows/amd64": "9E9B71BD3FA2A6ABFA903B5F784D9CA0FBC29C563D2B084C1A82C593C2BAB001",
+	}
+}

pkg/verify/minisign/verify.go

@@ -0,0 +1,100 @@
+package minisign
+
+import (
+	"context"
+	"sync"
+
+	"github.com/aquaproj/aqua/v2/pkg/config"
+	"github.com/aquaproj/aqua/v2/pkg/config/aqua"
+	"github.com/aquaproj/aqua/v2/pkg/config/registry"
+	"github.com/sirupsen/logrus"
+)
+
+type Verifier struct{}
+
+func NewVerifier() *Verifier {
+	return &Verifier{}
+}
+
+func (v *Verifier) Package() *config.Package {
+	return &config.Package{
+		Package: &aqua.Package{
+			Name:    "jedisct1/minisign",
+			Version: Version,
+		},
+		PackageInfo: &registry.PackageInfo{
+			Type:                "github_release",
+			RepoOwner:           "jedisct1",
+			RepoName:            "minisign",
+			Asset:               "minisign-{{.Version}}-{{.OS}}.{{.Format}}",
+			Format:              "zip",
+			Rosetta2:            true,
+			WindowsARMEmulation: true,
+			Replacements: map[string]string{
+				"darwin":  "macos",
+				"windows": "win64",
+				"amd64":   "x86_64",
+				"arm64":   "aarch64",
+			},
+			Overrides: []*registry.Override{
+				{
+					GOOS:   "linux",
+					Format: "tar.gz",
+					Files: []*registry.File{
+						{
+							Name: "minisign",
+							Src:  "minisign-{{.OS}}/{{.Arch}}/minisign",
+						},
+					},
+				},
+				{
+					GOOS: "windows",
+					Files: []*registry.File{
+						{
+							Name: "minisign",
+							Src:  "minisign-win64/minisign.exe",
+						},
+					},
+				},
+			},
+			SupportedEnvs: []string{
+				"darwin",
+				"windows",
+				"amd64",
+			},
+		},
+	}
+}
+
+func (v *Verifier) Checksums() map[string]string {
+	return Checksums()
+}
+
+func (v *Verifier) Enabled(pkg *registry.PackageInfo) bool {
+	if pkg.Minisign == nil {
+		return false
+	}
+	if pkg.Minisign.Enabled == nil {
+		return true
+	}
+	return *pkg.Minisign.Enabled
+}
+
+func (v *Verifier) SupportedConfig() bool {
+	return true
+}
+
+func (v *Verifier) Signature(ctx context.Context, logE *logrus.Entry) (*registry.DownloadedFile, string, error) {
+	return v.Package().PackageInfo.Minisign.ToDownloadedFile(), "", nil
+}
+
+func (v *Verifier) Command(verifiedFilePath, sigPath string) (*sync.Mutex, int, []string) {
+	return nil, 1, []string{
+		"-Vm",
+		verifiedFilePath,
+		"-P",
+		v.Package().PackageInfo.Minisign.PublicKey,
+		"-x",
+		sigPath,
+	}
+}

pkg/verify/minisign/version.go

@@ -0,0 +1,11 @@
+package minisign
+
+const Version = "0.11"
+
+func Checksums() map[string]string {
+	return map[string]string{
+		"darwin/amd64":  "e7c410ae8b8960d7087392472b040bda9b2f307c76df0384ac37f9ad103fc893",
+		"linux/amd64":   "f0a0954413df8531befed169e447a66da6868d79052ed7e892e50a4291af7ae0",
+		"windows/amd64": "b9c31c2c3034f81f0e5f5d92cbcc20e67a9671b6e5455661588638848dc58031",
+	}
+}