check_for_updates now fetches the manifest as raw JSON and runs trust::verify_detached before parsing: a tampered or wrong-signer signature rejects the mirror outright, and unsigned manifests are offered for MANUAL apply only — the 3 AM auto-apply scheduler refuses them, closing the unattended remote-root hole (§A of the 1.8.0 hardening plan). UpdateState gains manifest_signed so the UI can surface authenticity. Publisher side: create-release.sh signs the manifest during the release (ceremony, mnemonic via TTY/env only), publish-release-assets hard-refuses to ship an unsigned manifest (grep + new 'ceremony verify' cryptographic gate), and scripts/sign-manifest.sh covers re-signing outside a release run. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
48 lines
2.2 KiB
Bash
Executable File
48 lines
2.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# One-step OTA-manifest signer (counterpart to sign-catalog.sh).
|
|
#
|
|
# Run: bash scripts/sign-manifest.sh
|
|
# Then: paste your 24-word release master mnemonic, press Enter, then Ctrl-D.
|
|
#
|
|
# Signs releases/manifest.json in place and cryptographically verifies the
|
|
# result against the pinned release-root anchor. The mnemonic is read from the
|
|
# terminal only (never stored, never in shell history, never passed to Claude).
|
|
#
|
|
# Normally create-release.sh signs the manifest inline; this script exists for
|
|
# re-signing (e.g. a manifest edited after creation) or signing on a box where
|
|
# the release run was non-interactive.
|
|
set -euo pipefail
|
|
|
|
REPO="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
MANIFEST="$REPO/releases/manifest.json"
|
|
|
|
# Use ONLY a prebuilt signer — never compile here (compiling caused hangs in
|
|
# the earlier catalog ceremony). Prefer the repo's release build.
|
|
BIN=""
|
|
for candidate in "$REPO/core/target/release/archipelago" /tmp/archy-sign-bin/release/archipelago; do
|
|
if [[ -x "$candidate" ]]; then BIN="$candidate"; break; fi
|
|
done
|
|
if [[ -z "$BIN" ]]; then
|
|
echo "⏳ No prebuilt signer found. Build one first:"
|
|
echo " (cd core && cargo build --release -p archipelago)"
|
|
echo " Nothing was changed."
|
|
exit 0
|
|
fi
|
|
|
|
echo "════════════════════════════════════════════════════════════════"
|
|
echo " Paste your 24-word release master mnemonic below, press Enter,"
|
|
echo " then press Ctrl-D on a new line."
|
|
echo "════════════════════════════════════════════════════════════════"
|
|
"$BIN" ceremony sign "$MANIFEST"
|
|
|
|
echo
|
|
if "$BIN" ceremony verify "$MANIFEST"; then
|
|
echo "✅ SUCCESS — manifest signed by the pinned release root."
|
|
echo " Commit + push releases/manifest.json (and release-manifest.json if present)."
|
|
cp "$MANIFEST" "$REPO/release-manifest.json" 2>/dev/null || true
|
|
else
|
|
echo "❌ Signature did NOT verify against the pinned release-root anchor."
|
|
echo " Do NOT commit. Check the mnemonic and re-run."
|
|
exit 1
|
|
fi
|