updater: embed real cosign public key for v0.1.0 release signing

The placeholder in BangerReleasePublicKey is replaced with the
production cosign public key (P-256 ECDSA). The matching private
key is stored offline by the maintainer; this is the public half
that every banger CLI baked from this commit forward will use to
verify SHA256SUMS signatures.

cosign.pub is also committed at the repo root so external auditors
can re-verify a release without parsing the Go source.

The placeholder-refuses test now swaps the embedded key for a
synthetic placeholder for the duration of the test, since the
default value is no longer a placeholder.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thales Maciel 2026-04-29 12:50:52 -03:00
parent fae28e3d8b
commit b7c9661c99
No known key found for this signature in database
GPG key ID: 33112E6833C34679
3 changed files with 16 additions and 5 deletions

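--- a/cosign.pub
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWFSLKLosBrdjfuF8ZS6U01Ufky4
+zNeVPCkA6HEJ/oe634fRqwFxkXKGWg03eGFSnlwRxnUxN2+duXQSsR0pzQ==
+-----END PUBLIC KEY-----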


@ -49,8 +49,8 @@ const MaxSignatureBytes int64 = 1024
// in-test-generated key; production sets it at compile time and
// never mutates it.
var BangerReleasePublicKey = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPLACEHOLDER0000000000000000000
000000000000000000000000000000000000000000000000000000000000PLACE
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWFSLKLosBrdjfuF8ZS6U01Ufky4
zNeVPCkA6HEJ/oe634fRqwFxkXKGWg03eGFSnlwRxnUxN2+duXQSsR0pzQ==
-----END PUBLIC KEY-----`
// ErrSignatureRequired is returned by VerifyManifestRelease when the
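Review bot: The release key now exists in two copies, this `BangerReleasePublicKey` literal and cosign.pub at the repo root, and nothing visible in the commit keeps them identical. A later rotation that updates only one would leave auditors verifying against a key the shipped binaries do not use. A test or CI step that compares `strings.TrimSpace(BangerReleasePublicKey)` with the trimmed contents of cosign.pub would catch that drift. The doc comment could also say so, for example `// Rotation: replace this value and cosign.pub together; binaries built earlier keep trusting the old key.` Because the trust anchor is an exported `var`, "never mutates it" is a convention the compiler does not enforce; the declaration's doc comment begins above the hunk, so its full wording is not visible here.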


@ -43,9 +43,16 @@ func signBlob(t *testing.T, priv *ecdsa.PrivateKey, body []byte) string {
}
func TestVerifyBlobSignaturePlaceholderRefuses(t *testing.T) {
// The default constant in this binary is the placeholder. Any
// verify call must refuse with ErrSignatureRequired so an
// un-rotated build can't silently accept anything.
// A build that hasn't replaced the placeholder key must refuse
// every verify call with ErrSignatureRequired so an un-rotated
// build can't silently accept anything. Swap the embedded key
// out for the placeholder shape and assert that.
prev := BangerReleasePublicKey
BangerReleasePublicKey = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPLACEHOLDER0000000000000000000
000000000000000000000000000000000000000000000000000000000000PLACE
-----END PUBLIC KEY-----`
defer func() { BangerReleasePublicKey = prev }()
err := VerifyBlobSignature([]byte("body"), []byte("sig"))
if !errors.Is(err, ErrSignatureRequired) {
t.Fatalf("err = %v, want ErrSignatureRequired", err)
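Review bot: Nothing in this hunk now exercises the key that actually ships, because TestVerifyBlobSignaturePlaceholderRefuses overrides `BangerReleasePublicKey` before calling VerifyBlobSignature. A truncated or mis-pasted production key would therefore probably surface only when a real update fails to verify. A small companion test that decodes the embedded PEM and asserts it is a P-256 ECDSA public key would close that gap; a sketch follows. Separately, `t.Cleanup(func() { BangerReleasePublicKey = prev })` is the more usual way to restore a swapped global than `defer`, and this test must stay non-parallel since it writes a package-level variable. The test function's closing lines fall outside the hunk.

```go
// … unchanged: TestVerifyBlobSignaturePlaceholderRefuses …

// TestEmbeddedReleaseKeyIsP256 guards the shipped trust anchor against a
// corrupted paste: it must decode as PEM and parse as a P-256 ECDSA key.
func TestEmbeddedReleaseKeyIsP256(t *testing.T) {
	block, _ := pem.Decode([]byte(BangerReleasePublicKey))
	if block == nil {
		t.Fatal("embedded release key is not valid PEM")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		t.Fatalf("parse embedded release key: %v", err)
	}
	key, ok := pub.(*ecdsa.PublicKey)
	if !ok || key.Curve != elliptic.P256() {
		t.Fatalf("embedded release key is %T, want P-256 ECDSA", pub)
	}
}
```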