VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/zddc/internal
History
ZDDC 52dde0b014 feat(apps): also accept apps_pubkey: inline in root .zddc 
Adds a second way to configure the apps signing pubkey alongside the
existing --apps-pubkey / ZDDC_APPS_PUBKEY (path-to-PEM-file) form: an
inline PEM block under apps_pubkey: in the root .zddc file. Resolution
order:

  1. --apps-pubkey / ZDDC_APPS_PUBKEY  (path)   ← env/flag wins
  2. apps_pubkey: inline PEM in root .zddc       ← second
  3. nothing                                      ← URL fetches refused

Honored only at the root .zddc — same trust-anchor treatment as the
existing admins: field. Subtree write authority cannot re-anchor
trust because subtree apps_pubkey: entries are ignored. (Same
unmarshal pattern as the rest of ZddcFile; the root-only enforcement
is in setupApps where we explicitly read filepath.Join(cfg.Root,
".zddc") rather than walking a chain.)

Why offer both: env/flag fits k8s + systemd deployment shapes where
the operator already manages a config volume and prefers env-based
plumbing. Inline-in-.zddc fits the "everything in one config file"
mental model and matches how operators already think about admins:
and acl:. Either ships a working URL-fetch-verify story; the choice
is operator preference.

Logged differently per source so operators can grep for which path
populated the key:
  apps signing pubkey loaded source=env/flag path=/path/to/pubkey.pem
  apps signing pubkey loaded source="root .zddc apps_pubkey"

Smoke-tested end-to-end: a root .zddc with inline apps_pubkey: PEM
block + apps: archive: <upstream-URL> + ZDDC_APPS_PUBKEY unset —
the server logs "loaded source=root .zddc apps_pubkey" at startup,
fetches the URL, verifies the .sig against the inline key, caches.
Tampering still rejects; missing .sig still rejects; everything that
worked yesterday still works.

Docs: env-var tables in zddc/README.md and AGENTS.md note the
inline alternative; the federal-readiness gap analysis subsection
on code signing now lists both paths in its resolution order; the
release-page "Verify your downloads" section mentions both for
operators.

Production binary unchanged at ~13 MB. All 11 Go test packages green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 06:56:02 -05:00
..
apps feat(apps): code-signed URL fetches; dev chart overlays prod data RO 2026-05-04 21:59:07 -05:00
archive feat: lockstep release infra + cascade/.archive fixes + profile perf + page redesign 2026-05-01 20:11:38 -05:00
config feat(apps): code-signed URL fetches; dev chart overlays prod data RO 2026-05-04 21:59:07 -05:00
fs feat(server): pluggable OPA-compatible policy decider 2026-05-04 17:45:07 -05:00
handler feat(server): /.profile/effective-policy cascade tracer (admin-only) 2026-05-04 18:01:24 -05:00
jsonschema feat: form-data system v0 (sixth tool + zddc-server endpoints) 2026-05-02 20:12:16 -05:00
listing feat(zddc-server): user profile page replaces /.admin/ 2026-04-29 16:32:02 -05:00
policy feat(server): federal-mode reference Rego (parent-deny-is-absolute) 2026-05-04 18:05:44 -05:00
tlsutil feat(server): TLS hardening per NIST SP 800-52 Rev. 2 + HSTS 2026-05-04 17:55:52 -05:00
zddc feat(apps): also accept apps_pubkey: inline in root .zddc 2026-05-05 06:56:02 -05:00