Skip to content

Verify update packages with ECDSA signatures#418

Draft
c-kr wants to merge 1 commit into
ConSol-Monitoring:mainfrom
c-kr:verify-update-signatures
Draft

Verify update packages with ECDSA signatures#418
c-kr wants to merge 1 commit into
ConSol-Monitoring:mainfrom
c-kr:verify-update-signatures

Conversation

@c-kr

@c-kr c-kr commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

This PR is a feature proposal and a basis for discussion:

  • Update packages are signed with ECDSA P-256 during the GitHub release workflow.
  • Detached signatures are published alongside the corresponding update artifacts.
  • The client verifies the signature before accepting and installing an update.
  • The implementation is intentionally minimal on both sides: a small GitHub Action and lightweight client-side verification using only the Go standard library, with no additional dependencies and a low memory footprint.

Example action run with created .sig files: https://github.com/c-kr/snclient/actions/runs/29515430329

If the general concept looks good, it could be introduced in two phases:

  1. Deploy only the signing step through the GitHub Action.
  2. Add client-side signature verification in a later release once the signing workflow has proven reliable.

Before production deployment, the production key must be provided through the appropriate environment secret. The public key and its SHA fingerprint in the code must then be updated accordingly.

Assisted by: gpt-5.6-sol medium

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant