feat(mining): pin xmrig release-signing key + fix raw-signature parsing bug

- Pin the ed25519 public key in xmrig_updater.h, activating signature verification in soft mode
  (kXmrigRequireSignature=false): a release's ".sig" asset is verified when present, but an
  unsigned release still installs on TLS + SHA-256. Verified live against the current release
  (v6.25.2, which ships no .sig yet) — still installs.
- gitignore *.ed25519.key / *.ed25519.pub.b64 so a signing secret key can never be committed.
- Add a unit test that the pinned key decodes to a valid 32-byte ed25519 key (a malformed paste
  fails the build, not silently disabling verification).

Bug fix (found via a flaky test): verifyXmrigSignature trimmed trailing whitespace BEFORE the
raw-64-byte check, so a raw signature whose last byte equals '\n'/'\r'/space/tab (~1.6% of
signatures) was corrupted and rejected. Now base64 is tried first (safe to trim) and the raw
path uses the exact untrimmed bytes. Added a deterministic regression test that forces a
whitespace-terminated raw signature. Suite is stable (0 failures in 10 runs; was ~3/8).

Also de-brittled the live integration test: it no longer pins a release-specific binary hash
(reaching Done already means the worker verified the binary against the release's own checksum).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-07 00:44:53 -05:00
parent eece57c025
commit 85b53baeaf
4 changed files with 65 additions and 19 deletions

View File

@@ -52,8 +52,9 @@ struct XmrigRelease {
// raw 64-byte) ed25519 signature of the archive bytes (see scripts/sign-xmrig-release.sh). Once a
// key is set, an install verifies the signature when the .sig asset is present; set
// kXmrigRequireSignature=true to additionally refuse installs that publish no signature.
inline constexpr const char* kXmrigSignaturePublicKeyBase64 = "";
inline constexpr bool kXmrigRequireSignature = false;
inline constexpr const char* kXmrigSignaturePublicKeyBase64 =
"j/9M+0E8NgcudP1q+23ar5uzwAFzQled8TtkFMaou6Q=";
inline constexpr bool kXmrigRequireSignature = false; // soft rollout: verify .sig if present
// ── Pure helpers (no I/O; unit-tested) ───────────────────────────────────────