3 Commits

Author SHA1 Message Date
archipelago
e77ccff0e1 fix(release): close two publish-path verification gaps (§B hardening)
- create-release.sh: assert the freshly built frontend dist actually embeds
  the bumped version before packaging — the ui-dist-version guard in
  tests/release/run.sh is behind --with-build, which the release path never
  passes, so a silently no-opped npm build could ship a stale dist with a
  valid sha256. Verified against the real dist (passes on current version,
  trips on a missing one).
- publish-release-assets.sh: verify published assets by downloading and
  comparing sha256 against the manifest, not just Content-Length — a
  size-correct/content-wrong mirror asset now fails the publish gate.
  Verified live against the v1.7.99-alpha assets on the vps2 mirror.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-08 19:04:14 -04:00
archipelago
51647b21cd feat(trust): verify release-root signature on the OTA manifest
check_for_updates now fetches the manifest as raw JSON and runs
trust::verify_detached before parsing: a tampered or wrong-signer
signature rejects the mirror outright, and unsigned manifests are
offered for MANUAL apply only — the 3 AM auto-apply scheduler refuses
them, closing the unattended remote-root hole (§A of the 1.8.0
hardening plan). UpdateState gains manifest_signed so the UI can
surface authenticity.

Publisher side: create-release.sh signs the manifest during the
release (ceremony, mnemonic via TTY/env only), publish-release-assets
hard-refuses to ship an unsigned manifest (grep + new 'ceremony
verify' cryptographic gate), and scripts/sign-manifest.sh covers
re-signing outside a release run.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 12:33:01 -04:00
archipelago
75d147b69f fix(release): verify published OTA artifacts 2026-05-19 12:10:42 -04:00