Thales Maciel
b7c9661c99
The placeholder in BangerReleasePublicKey is replaced with the production cosign public key (P-256 ECDSA). The matching private key is stored offline by the maintainer; this is the public half that every banger CLI baked from this commit forward will use to verify SHA256SUMS signatures. cosign.pub is also committed at the repo root so external auditors can re-verify a release without parsing the Go source. The placeholder-refuses test now swaps the embedded key for a synthetic placeholder for the duration of the test, since the default value is no longer a placeholder. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| download.go | ||
| flow_test.go | ||
| manifest.go | ||
| manifest_test.go | ||
| sha256sums.go | ||
| sha256sums_test.go | ||
| stage.go | ||
| swap.go | ||
| verify_signature.go | ||
| verify_signature_test.go | ||