From b7c9661c99dcfbdb0f25ceb46a991006028f18c8 Mon Sep 17 00:00:00 2001
From: Thales Maciel
Date: Wed, 29 Apr 2026 12:50:52 -0300
Subject: [PATCH] updater: embed real cosign public key for v0.1.0 release signing

The placeholder in BangerReleasePublicKey is replaced with the production cosign public key (P-256 ECDSA). The matching private key is stored offline by the maintainer; this is the public half that every banger CLI baked from this commit forward will use to verify SHA256SUMS signatures. cosign.pub is also committed at the repo root so external auditors can re-verify a release without parsing the Go source. The placeholder-refuses test now swaps the embedded key for a synthetic placeholder for the duration of the test, since the default value is no longer a placeholder.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 cosign.pub | 4 ++++
 internal/updater/verify_signature.go | 4 ++--
 internal/updater/verify_signature_test.go | 13 ++++++++++---
 3 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 cosign.pub
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..daea5ef
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWFSLKLosBrdjfuF8ZS6U01Ufky4
+zNeVPCkA6HEJ/oe634fRqwFxkXKGWg03eGFSnlwRxnUxN2+duXQSsR0pzQ==
+-----END PUBLIC KEY-----
diff --git a/internal/updater/verify_signature.go b/internal/updater/verify_signature.go
index fb536cd..e239743 100644
--- a/internal/updater/verify_signature.go
+++ b/internal/updater/verify_signature.go
@@ -49,8 +49,8 @@ const MaxSignatureBytes int64 = 1024
 // in-test-generated key; production sets it at compile time and
 // never mutates it.
 var BangerReleasePublicKey = `-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPLACEHOLDER0000000000000000000
-000000000000000000000000000000000000000000000000000000000000PLACE
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWFSLKLosBrdjfuF8ZS6U01Ufky4
+zNeVPCkA6HEJ/oe634fRqwFxkXKGWg03eGFSnlwRxnUxN2+duXQSsR0pzQ==
 -----END PUBLIC KEY-----`
 
 // ErrSignatureRequired is returned by VerifyManifestRelease when the
diff --git a/internal/updater/verify_signature_test.go b/internal/updater/verify_signature_test.go
index e514179..7f0121f 100644
--- a/internal/updater/verify_signature_test.go
+++ b/internal/updater/verify_signature_test.go
@@ -43,9 +43,16 @@ func signBlob(t *testing.T, priv *ecdsa.PrivateKey, body []byte) string {
 }
 
 func TestVerifyBlobSignaturePlaceholderRefuses(t *testing.T) {
- // The default constant in this binary is the placeholder. Any
- // verify call must refuse with ErrSignatureRequired so an
- // un-rotated build can't silently accept anything.
+ // A build that hasn't replaced the placeholder key must refuse
+ // every verify call with ErrSignatureRequired so an un-rotated
+ // build can't silently accept anything. Swap the embedded key
+ // out for the placeholder shape and assert that.
+ prev := BangerReleasePublicKey
+ BangerReleasePublicKey = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPLACEHOLDER0000000000000000000
+000000000000000000000000000000000000000000000000000000000000PLACE
+-----END PUBLIC KEY-----`
+ defer func() { BangerReleasePublicKey = prev }()
  err := VerifyBlobSignature([]byte("body"), []byte("sig"))
  if !errors.Is(err, ErrSignatureRequired) {
  t.Fatalf("err = %v, want ErrSignatureRequired", err)
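Review bot: The production trust anchor now exists as two hand-pasted copies, `BangerReleasePublicKey` in this hunk and cosign.pub at the repo root, and nothing in the repo checks that the two agree or that the blob decodes as a P-256 key, so a transcription slip in either copy would only surface when a real release fails to verify, or when an auditor checks a release against a key the shipped binary does not actually use. I would extend the comment above the var (it begins outside this hunk) with `// Must stay byte-identical to cosign.pub at the repo root.` and back that with a package test that parses the constant and compares it to the file. The same comment says production never mutates the key, yet it remains a `var` that any code linked into the binary can reassign at runtime; the test hunk in this commit depends on that, so the choice looks deliberate, but the comment should say explicitly that the variable is mutable only so tests can substitute keys.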
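Review bot: The placeholder PEM is re-typed inline in `TestVerifyBlobSignaturePlaceholderRefuses`; if the refusal inside VerifyBlobSignature is keyed on an exact placeholder constant elsewhere in the package (not visible in this hunk), this second copy can drift from it and the test would then pass or fail for the wrong reason, so it should reference that constant if one exists. Swapping a package-level var is also only safe while no test in this package runs under t.Parallel; none is visible here, but the deferred restore does not protect against that. With the default value no longer covered by any test, I would add the test below; it needs crypto/elliptic, crypto/x509, encoding/pem, os, path/filepath and strings imported alongside the existing ecdsa import, and it asserts that the embedded key parses as a P-256 ECDSA key and matches cosign.pub two directories up from internal/updater.
```go
// … unchanged: TestVerifyBlobSignaturePlaceholderRefuses …

// TestBangerReleasePublicKeyIsProductionKey guards the hand-pasted trust
// anchor: it must decode as a P-256 ECDSA key and match cosign.pub exactly.
func TestBangerReleasePublicKeyIsProductionKey(t *testing.T) {
	block, _ := pem.Decode([]byte(BangerReleasePublicKey))
	if block == nil || block.Type != "PUBLIC KEY" {
		t.Fatal("BangerReleasePublicKey is not a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		t.Fatalf("ParsePKIXPublicKey: %v", err)
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok || ec.Curve != elliptic.P256() {
		t.Fatalf("want P-256 ECDSA public key, got %T", pub)
	}
	want, err := os.ReadFile(filepath.Join("..", "..", "cosign.pub"))
	if err != nil {
		t.Fatalf("reading cosign.pub: %v", err)
	}
	if strings.TrimSpace(string(want)) != strings.TrimSpace(BangerReleasePublicKey) {
		t.Fatal("cosign.pub and BangerReleasePublicKey differ")
	}
}
```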