work

2025-11-23 23:40:10 +02:00
parent c13355923f
commit 029002ad05
93 changed files with 2160 additions and 285 deletions
--- a/scripts/mirror/ci-sign.sh
+++ b/scripts/mirror/ci-sign.sh
@@ -2,7 +2,9 @@
 set -euo pipefail
 # Allow CI to fall back to a deterministic test key when MIRROR_SIGN_KEY_B64 is unset,
 # but forbid this on release/tag builds when REQUIRE_PROD_SIGNING=1.
-DEFAULT_TEST_KEY_B64="LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUhLbjhWMjJ5ZEpwbkZTY3k5VlNsdTczNXZBQ1NFdFFIWlBRR3pSNzcyUGcKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo="
+# Throwaway dev key (Ed25519) generated 2025-11-23; matches the value documented in
+# docs/modules/mirror/signing-runbook.md. Safe for non-production smoke only.
+DEFAULT_TEST_KEY_B64="LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSURqb3pDRVdKVVFUdW1xZ2gyRmZXcVBaemlQbkdaSzRvOFZRTThGYkZCSEcKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo="
 if [[ -z "${MIRROR_SIGN_KEY_B64:-}" ]]; then
  if [[ "${REQUIRE_PROD_SIGNING:-0}" == "1" ]]; then
    echo "[error] MIRROR_SIGN_KEY_B64 is required for production signing; refusing to use test key." >&2
@@ -17,6 +19,8 @@ mkdir -p "$KEYDIR"
 KEYFILE="$KEYDIR/ci-ed25519.pem"
 printf "%s" "$MIRROR_SIGN_KEY_B64" | base64 -d > "$KEYFILE"
 chmod 600 "$KEYFILE"
+# Export public key for TUF keyid calculation
+openssl pkey -in "$KEYFILE" -pubout -out "$KEYDIR/ci-ed25519.pub" >/dev/null 2>&1
 STAGE=${STAGE:-$ROOT/out/mirror/thin/stage-v1}
 CREATED=${CREATED:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
 SIGN_KEY="$KEYFILE" STAGE="$STAGE" CREATED="$CREATED" "$ROOT/src/Mirror/StellaOps.Mirror.Creator/make-thin-v1.sh"