Fix signature verification to use wasmsign2 "signature" section and upgrade rules_fuzzing for macOS support

mmorel-35 · mmorel-35 · commit f2791fec6fe6 · 2025-12-22T06:44:20.000+01:00
Signed-off-by: Matthieu MOREL &lt;matthieu.morel35@gmail.com&gt;
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -121,9 +121,9 @@ def proxy_wasm_cpp_host_repositories():
     maybe(
         http_archive,
         name = "rules_fuzzing",
-        sha256 = "3ec0eee05b243552cc4a784b30323d088bf73cb2177ddda02c827e68981933f1",
-        strip_prefix = "rules_fuzzing-0.5.2",
-        urls = ["https://github.com/bazelbuild/rules_fuzzing/archive/v0.5.2.tar.gz"],
+        sha256 = "850897989ebc06567ea06c959eb4a6129fa509ed2dbbd0d147d62d2b986714a9",
+        strip_prefix = "rules_fuzzing-0.6.0",
+        urls = ["https://github.com/bazelbuild/rules_fuzzing/archive/v0.6.0.tar.gz"],
     )
 
     maybe(
diff --git a/src/signature_util.cc b/src/signature_util.cc
@@ -64,18 +64,18 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess
    */
 
   std::string_view payload;
-  if (!BytecodeUtil::getCustomSection(bytecode, "signature_wasmsign", payload)) {
+  if (!BytecodeUtil::getCustomSection(bytecode, "signature", payload)) {
     message = "Failed to parse corrupted Wasm module";
     return false;
   }
 
   if (payload.empty()) {
-    message = "Custom Section \"signature_wasmsign\" not found";
+    message = "Custom Section \"signature\" not found";
     return false;
   }
 
   if (bytecode.data() + bytecode.size() != payload.data() + payload.size()) {
-    message = "Custom Section \"signature_wasmsign\" not at the end of Wasm module";
+    message = "Custom Section \"signature\" not at the end of Wasm module";
     return false;
   }
 
@@ -100,7 +100,7 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess
   SHA512_Update(&ctx, "WasmSignature", sizeof("WasmSignature") - 1);
   const uint32_t ad_len = 0;
   SHA512_Update(&ctx, &ad_len, sizeof(uint32_t));
-  const size_t section_len = 3 + sizeof("signature_wasmsign") - 1 + 68;
+  const size_t section_len = 3 + sizeof("signature") - 1 + 68;
   SHA512_Update(&ctx, bytecode.data(), bytecode.size() - section_len);
   uint8_t hash[SHA512_DIGEST_LENGTH];
   SHA512_Final(hash, &ctx);
diff --git a/test/signature_util_test.cc b/test/signature_util_test.cc
@@ -54,7 +54,7 @@ TEST(TestSignatureUtil, NoSignature) {
   const auto bytecode = readTestWasmFile("abi_export.wasm");
   std::string message;
   EXPECT_FALSE(SignatureUtil::verifySignature(bytecode, message));
-  EXPECT_EQ(message, "Custom Section \"signature_wasmsign\" not found");
+  EXPECT_EQ(message, "Custom Section \"signature\" not found");
 }
 
 } // namespace proxy_wasm

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ TEST(TestSignatureUtil, NoSignature) {`
`54`	`54`	`const auto bytecode = readTestWasmFile("abi_export.wasm");`
`55`	`55`	`std::string message;`
`56`	`56`	`EXPECT_FALSE(SignatureUtil::verifySignature(bytecode, message));`
`57`		`- EXPECT_EQ(message, "Custom Section \"signature_wasmsign\" not found");`
	`57`	`+ EXPECT_EQ(message, "Custom Section \"signature\" not found");`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`} // namespace proxy_wasm`