Now that the release publishes a valid .sig per archive (verified against the pinned key for
linux/win/macOS), enable enforcement and fix two bugs that the newer multi-platform release
(v6.25.3, which added a macOS build) exposed:
- kXmrigRequireSignature = true: refuse any install whose release doesn't publish a valid
ed25519 signature over the archive. Verified live end-to-end against the signed v6.25.3
(archive SHA-256 + signature -> install).
- Drop the redundant inner-binary SHA-256 check. It keyed on the inner filename, but both the
linux and macOS archives contain a binary literally named "xmrig", so the two "xmrig (…)"
checksum lines collided in the map and the linux install compared against the macOS hash ->
spurious "could not verify" failure. The whole archive is already verified (SHA-256 +
signature), so every extracted member is authentic by transitivity — the per-member check
added nothing but ambiguity.
- Fix the macOS platform token: the asset is named "...-macos-x86_64.zip", not "...-macos-x64",
so selectXmrigAsset never matched it. currentXmrigPlatformToken() now returns "macos-x86_64"
on Intel macs (arm64 has no build -> Unavailable). Added a matcher test for the macOS naming.
Both variants build; suite stable (0 failures / multiple runs); live require-mode install verified.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
DanS
b9881278af