Documentation
¶
Overview ¶
Package catalogtrust holds the app-store catalogue trust anchor: the ed25519 public key the signed catalogue is verified against, plus a verify helper. The matching private key is held by the release pipeline and is never committed (see catalogue/README.md).
This replaces the all-zeros placeholder trust anchor: pilotctl verifies the catalogue signature against PublicKey() before trusting any install target, and the daemon passes PublicKey() into the app-store service so its Start-time trust-anchor check sees a real key.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrBadSignature = errors.New("catalogtrust: catalogue signature verification failed")
ErrBadSignature is returned when a signature does not verify against the embedded key.
var ErrNoKey = errors.New("catalogtrust: no valid embedded catalogue public key")
ErrNoKey is returned when the embedded key is missing or malformed. Fail-closed: with no trust anchor, nothing verifies.
Functions ¶
func PublicKey ¶
PublicKey returns the embedded catalogue public key, or nil if the embedded value is malformed (e.g. a bad ldflags override).
func SignWithEphemeralKey ¶
SignWithEphemeralKey is a TEST-ONLY helper for packages outside catalogtrust (e.g. cmd/pilotctl) that need to stage a catalogue fixture the fail-closed loader will accept. It generates a throwaway ed25519 keypair, swaps the package's embedded public key (publicKeyB64) to the generated public half, signs data with the private half, and returns the detached signature plus a restore func that puts the original embedded key back.
This exists so fixture-based tests exercise REAL fail-closed verification against a VALID signature, rather than disabling or weakening the gate. It is not referenced by any production code path.
Usage:
sig, restore := catalogtrust.SignWithEphemeralKey(catalogueBytes) defer restore() // write catalogueBytes + base64(sig) and point the loader at them
Types ¶
This section is empty.