feat(mining): pin xmrig release-signing key + fix raw-signature parsing bug

- Pin the ed25519 public key in xmrig_updater.h, activating signature verification in soft mode
  (kXmrigRequireSignature=false): a release's ".sig" asset is verified when present, but an
  unsigned release still installs on TLS + SHA-256. Verified live against the current release
  (v6.25.2, which ships no .sig yet) — still installs.
- gitignore *.ed25519.key / *.ed25519.pub.b64 so a signing secret key can never be committed.
- Add a unit test that the pinned key decodes to a valid 32-byte ed25519 key (a malformed paste
  fails the build, not silently disabling verification).

Bug fix (found via a flaky test): verifyXmrigSignature trimmed trailing whitespace BEFORE the
raw-64-byte check, so a raw signature whose last byte equals '\n'/'\r'/space/tab (~1.6% of
signatures) was corrupted and rejected. Now base64 is tried first (safe to trim) and the raw
path uses the exact untrimmed bytes. Added a deterministic regression test that forces a
whitespace-terminated raw signature. Suite is stable (0 failures in 10 runs; was ~3/8).

Also de-brittled the live integration test: it no longer pins a release-specific binary hash
(reaching Done already means the worker verified the binary against the release's own checksum).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/test_phase4.cpp

@@ -4054,6 +4054,22 @@ void testXmrigSignatureAssetSelection()
     EXPECT_EQ(selectXmrigSignatureAsset(rel, "other.zip"), -1);
 }
 
+void testXmrigPinnedKeyValidity()
+{
+    using namespace dragonx::util;
+    const std::string pin = kXmrigSignaturePublicKeyBase64;
+    if (pin.empty()) return;  // signing disabled -> nothing to validate
+    // A non-empty pinned key MUST decode to exactly a 32-byte ed25519 public key, or signature
+    // verification would silently never succeed. Guards against a malformed/truncated paste.
+    EXPECT_TRUE(sodium_init() >= 0);
+    unsigned char pk[crypto_sign_PUBLICKEYBYTES];
+    std::size_t n = 0; const char* end = nullptr;
+    const int rc = sodium_base642bin(pk, sizeof(pk), pin.data(), pin.size(), " \t\r\n",
+                                     &n, &end, sodium_base64_VARIANT_ORIGINAL);
+    EXPECT_EQ(rc, 0);
+    EXPECT_EQ(n, static_cast<std::size_t>(crypto_sign_PUBLICKEYBYTES));
+}
+
 void testXmrigSignatureVerify()
 {
     using namespace dragonx::util;
@@ -4079,6 +4095,27 @@ void testXmrigSignatureVerify()
     // Whitespace around the base64 signature is tolerated.
     EXPECT_TRUE(verifyXmrigSignature(data, "  " + sigB64 + "\n", pkB64));
 
+    // Regression: a RAW 64-byte signature whose final byte equals a whitespace value (~1.6% of
+    // signatures) must still verify — it must not be whitespace-trimmed. Force that case.
+    {
+        unsigned char rpk[crypto_sign_PUBLICKEYBYTES], rsk[crypto_sign_SECRETKEYBYTES],
+                      rsig[crypto_sign_BYTES];
+        bool found = false;
+        for (int i = 0; i < 20000 && !found; ++i) {
+            crypto_sign_keypair(rpk, rsk);
+            const std::string m = "raw-ws-regression-" + std::to_string(i);
+            crypto_sign_detached(rsig, nullptr,
+                                 reinterpret_cast<const unsigned char*>(m.data()), m.size(), rsk);
+            const unsigned char last = rsig[crypto_sign_BYTES - 1];
+            if (last == '\n' || last == '\r' || last == ' ' || last == '\t') {
+                found = true;
+                const std::string rawSig(reinterpret_cast<const char*>(rsig), crypto_sign_BYTES);
+                EXPECT_TRUE(verifyXmrigSignature(m, rawSig, b64(rpk, sizeof(rpk))));
+            }
+        }
+        EXPECT_TRUE(found);
+    }
+
     // Fails closed: tampered data, wrong key, malformed/empty inputs.
     EXPECT_FALSE(verifyXmrigSignature(data + "x", sigB64, pkB64));
     unsigned char pk2[crypto_sign_PUBLICKEYBYTES], sk2[crypto_sign_SECRETKEYBYTES];
@@ -4114,16 +4151,14 @@ void testXmrigLiveInstall()
         std::printf("[testXmrigLiveInstall] failed: %s\n", p.error.c_str());
         return;
     }
-    // The miner binary was flattened out of the versioned subdir into the target dir, verified.
+    // The miner binary was flattened out of the versioned subdir into the target dir. We don't pin
+    // a release-specific hash here (releases change) — reaching State::Done already means the worker
+    // verified the binary against the release's own published SHA-256. Just assert a real binary landed.
     const std::string bin = dir + "/" + xmrigExtractBasenames(currentXmrigPlatformToken()).front();
     EXPECT_TRUE(std::filesystem::exists(bin));
     if (std::filesystem::exists(bin)) {
-        std::ifstream f(bin, std::ios::binary);
-        const std::string bytes((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
-        // On this (linux-x64) box the installed binary must match the published inner checksum.
-        if (currentXmrigPlatformToken() == "linux-x64")
-            EXPECT_EQ(sha256Hex(bytes.data(), bytes.size()),
-                      std::string("37c178f743c269c1d9e18302cead0ed117ded2b5fe30910e836896b4abc20e57"));
+        std::error_code szEc;
+        EXPECT_TRUE(std::filesystem::file_size(bin, szEc) > 100000);  // a real miner binary is MBs
     }
     std::filesystem::remove_all(dir, ec);
 }
@@ -4186,6 +4221,7 @@ int main()
     testXmrigChecksumParsing();
     testXmrigSha256AndBasenames();
     testXmrigSignatureAssetSelection();
+    testXmrigPinnedKeyValidity();
     testXmrigSignatureVerify();
     testXmrigLiveInstall();
     testGeneratedResourceBehavior();