ZDDC/zddc/cmd/zddc-server at c6eaa77c6e8a2b67e26e3a670c941089a97883ce - VARASYS/ZDDC

History

ZDDC 52dde0b014 feat(apps): also accept apps_pubkey: inline in root .zddc Adds a second way to configure the apps signing pubkey alongside the existing --apps-pubkey / ZDDC_APPS_PUBKEY (path-to-PEM-file) form: an inline PEM block under apps_pubkey: in the root .zddc file. Resolution order: 1. --apps-pubkey / ZDDC_APPS_PUBKEY (path) ← env/flag wins 2. apps_pubkey: inline PEM in root .zddc ← second 3. nothing ← URL fetches refused Honored only at the root .zddc — same trust-anchor treatment as the existing admins: field. Subtree write authority cannot re-anchor trust because subtree apps_pubkey: entries are ignored. (Same unmarshal pattern as the rest of ZddcFile; the root-only enforcement is in setupApps where we explicitly read filepath.Join(cfg.Root, ".zddc") rather than walking a chain.) Why offer both: env/flag fits k8s + systemd deployment shapes where the operator already manages a config volume and prefers env-based plumbing. Inline-in-.zddc fits the "everything in one config file" mental model and matches how operators already think about admins: and acl:. Either ships a working URL-fetch-verify story; the choice is operator preference. Logged differently per source so operators can grep for which path populated the key: apps signing pubkey loaded source=env/flag path=/path/to/pubkey.pem apps signing pubkey loaded source="root .zddc apps_pubkey" Smoke-tested end-to-end: a root .zddc with inline apps_pubkey: PEM block + apps: archive: <upstream-URL> + ZDDC_APPS_PUBKEY unset — the server logs "loaded source=root .zddc apps_pubkey" at startup, fetches the URL, verifies the .sig against the inline key, caches. Tampering still rejects; missing .sig still rejects; everything that worked yesterday still works. Docs: env-var tables in zddc/README.md and AGENTS.md note the inline alternative; the federal-readiness gap analysis subsection on code signing now lists both paths in its resolution order; the release-page "Verify your downloads" section mentions both for operators. Production binary unchanged at ~13 MB. All 11 Go test packages green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 06:56:02 -05:00
..
main.go	feat(apps): also accept apps_pubkey: inline in root .zddc	2026-05-05 06:56:02 -05:00
main_test.go	feat(apps): code-signed URL fetches; dev chart overlays prod data RO	2026-05-04 21:59:07 -05:00

ZDDC 52dde0b014 feat(apps): also accept apps_pubkey: inline in root .zddc

Adds a second way to configure the apps signing pubkey alongside the
existing --apps-pubkey / ZDDC_APPS_PUBKEY (path-to-PEM-file) form: an
inline PEM block under apps_pubkey: in the root .zddc file. Resolution
order:

  1. --apps-pubkey / ZDDC_APPS_PUBKEY  (path)   ← env/flag wins
  2. apps_pubkey: inline PEM in root .zddc       ← second
  3. nothing                                      ← URL fetches refused

Honored only at the root .zddc — same trust-anchor treatment as the
existing admins: field. Subtree write authority cannot re-anchor
trust because subtree apps_pubkey: entries are ignored. (Same
unmarshal pattern as the rest of ZddcFile; the root-only enforcement
is in setupApps where we explicitly read filepath.Join(cfg.Root,
".zddc") rather than walking a chain.)

Why offer both: env/flag fits k8s + systemd deployment shapes where
the operator already manages a config volume and prefers env-based
plumbing. Inline-in-.zddc fits the "everything in one config file"
mental model and matches how operators already think about admins:
and acl:. Either ships a working URL-fetch-verify story; the choice
is operator preference.

Logged differently per source so operators can grep for which path
populated the key:
  apps signing pubkey loaded source=env/flag path=/path/to/pubkey.pem
  apps signing pubkey loaded source="root .zddc apps_pubkey"

Smoke-tested end-to-end: a root .zddc with inline apps_pubkey: PEM
block + apps: archive: <upstream-URL> + ZDDC_APPS_PUBKEY unset —
the server logs "loaded source=root .zddc apps_pubkey" at startup,
fetches the URL, verifies the .sig against the inline key, caches.
Tampering still rejects; missing .sig still rejects; everything that
worked yesterday still works.

Docs: env-var tables in zddc/README.md and AGENTS.md note the
inline alternative; the federal-readiness gap analysis subsection
on code signing now lists both paths in its resolution order; the
release-page "Verify your downloads" section mentions both for
operators.

Production binary unchanged at ~13 MB. All 11 Go test packages green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-05 06:56:02 -05:00

main.go

feat(apps): also accept apps_pubkey: inline in root .zddc

2026-05-05 06:56:02 -05:00

main_test.go

feat(apps): code-signed URL fetches; dev chart overlays prod data RO

2026-05-04 21:59:07 -05:00