@JonCooperWorks
Created March 21, 2018 21:12
package pluginloader

import (
	"crypto/ecdsa"
	"errors"
	"io/ioutil"
	"plugin"

	"github.com/gofrs/flock" // advisory file locking; the gist's flock.NewFlock is this package's older constructor name
)

var (
	ErrLockFailed                = errors.New("could not lock plugin file")
	ErrSignatureValidationFailed = errors.New("plugin signature validation failed")
)

// Open loads a plugin from disk and verifies that its SHA3-256 hash was signed by the expected public key.
// This implementation does not care where the public key or signature come from, allowing callers to load them from disk, a database or a website.
// It is vital that public keys and signatures are loaded securely, otherwise an attacker will be able to circumvent the entire scheme.
func Open(publicKey *ecdsa.PublicKey, signature []byte, pluginPath string) (*plugin.Plugin, error) {
	// Take an advisory lock so that a cooperating writer cannot replace the file while it is checked and loaded.
	lock := flock.New(pluginPath)
	locked, err := lock.TryLock()
	if err != nil {
		return nil, err
	}
	if !locked {
		return nil, ErrLockFailed
	}
	defer lock.Unlock()
	// Read the whole plugin so the signature is checked over exactly the bytes on disk.
	p, err := ioutil.ReadFile(pluginPath)
	if err != nil {
		return nil, err
	}
	// Verify is not included in the gist: it must hash p with SHA3-256 and report whether
	// signature is a valid ECDSA signature over that hash by publicKey.
	verified, err := Verify(publicKey, signature, p)
	if err != nil {
		return nil, err
	}
	if !verified {
		return nil, ErrSignatureValidationFailed
	}
	// The lock is advisory and plugin.Open re-reads pluginPath, so the bytes verified above are
	// the bytes loaded only if nothing else can write to that path in between.
	return plugin.Open(pluginPath)
}
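The gist calls a Verify that it does not include. The block below is an added example, not the gist's own code: a Verify with the signature Open expects, the Sign routine the release side would run before shipping a plugin, and a round trip showing that a tampered plugin fails. It assumes ecdsa.SignASN1/VerifyASN1 (Go 1.15+) and substitutes sha256 for the gist's SHA3-256 through the newHash variable so that it runs on the standard library alone; set newHash = sha3.New256 (golang.org/x/crypto/sha3) to match the gist.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// newHash selects the digest. The gist uses SHA3-256 (sha3.New256 from
// golang.org/x/crypto/sha3); sha256.New only keeps this example stdlib-only.
var newHash = sha256.New

func digest(data []byte) []byte {
	h := newHash()
	h.Write(data)
	return h.Sum(nil)
}

// Sign is the release-pipeline side: an ASN.1 DER ECDSA signature over the digest of the plugin.
func Sign(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(data))
}

// Verify has the signature Open expects; a malformed signature yields (false, nil), never true.
func Verify(publicKey *ecdsa.PublicKey, signature, data []byte) (bool, error) {
	if publicKey == nil {
		return false, errors.New("nil public key")
	}
	return ecdsa.VerifyASN1(publicKey, digest(data), signature), nil
}

// VerifyRoundTrip signs constructed plugin bytes with a fresh P-256 key, then reports
// whether the genuine bytes verify and whether the same bytes plus one appended byte still do.
func VerifyRoundTrip(data []byte) (genuineOK, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig, err := Sign(priv, data)
	if err != nil {
		return false, false, err
	}
	if genuineOK, err = Verify(&priv.PublicKey, sig, data); err != nil {
		return false, false, err
	}
	tampered := append(append([]byte(nil), data...), 0x00) // one byte appended to the "plugin": must not verify
	tamperedOK, err = Verify(&priv.PublicKey, sig, tampered)
	return genuineOK, tamperedOK, err
}
```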