catalogtrust

package
v1.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 21, 2026 License: AGPL-3.0 Imports: 5 Imported by: 0

Documentation

Overview

Package catalogtrust holds the app-store catalogue trust anchor: the ed25519 public key the signed catalogue is verified against, plus a verify helper. The matching private key is held by the release pipeline and is never committed (see catalogue/README.md).

This replaces the all-zeros placeholder trust anchor: pilotctl verifies the catalogue signature against PublicKey() before trusting any install target, and the daemon passes PublicKey() into the app-store service so its Start-time trust-anchor check sees a real key.

Index

Constants

This section is empty.

Variables

View Source
var ErrBadSignature = errors.New("catalogtrust: catalogue signature verification failed")

ErrBadSignature is returned when a signature does not verify against the embedded key.

View Source
var ErrNoKey = errors.New("catalogtrust: no valid embedded catalogue public key")

ErrNoKey is returned when the embedded key is missing or malformed. Fail-closed: with no trust anchor, nothing verifies.

Functions

func PublicKey

func PublicKey() ed25519.PublicKey

PublicKey returns the embedded catalogue public key, or nil if the embedded value is malformed (e.g. a bad ldflags override).

func SignWithEphemeralKey

func SignWithEphemeralKey(data []byte) (sig []byte, restore func())

SignWithEphemeralKey is a TEST-ONLY helper for packages outside catalogtrust (e.g. cmd/pilotctl) that need to stage a catalogue fixture the fail-closed loader will accept. It generates a throwaway ed25519 keypair, swaps the package's embedded public key (publicKeyB64) to the generated public half, signs data with the private half, and returns the detached signature plus a restore func that puts the original embedded key back.

This exists so fixture-based tests exercise REAL fail-closed verification against a VALID signature, rather than disabling or weakening the gate. It is not referenced by any production code path.

Usage:

sig, restore := catalogtrust.SignWithEphemeralKey(catalogueBytes)
defer restore()
// write catalogueBytes + base64(sig) and point the loader at them

func Verify

func Verify(data, sig []byte) error

Verify checks that sig is a valid ed25519 signature over data, made with the catalogue signing key. Fail-closed on a missing/invalid embedded key or a wrong-length signature.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL