ci(signing): enforce key consistency across docs, repo, and generated assets

2026-06-16 23:11:20 +03:00 · 2026-02-16 11:11:27 +00:00
parent 5e389cb582
commit d6665c241f
3 changed files with 106 additions and 0 deletions
@@ -25,6 +25,9 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

+      - name: Verify signing key consistency (repo + docs)
+        run: ./scripts/ci/verify_signing_key_consistency.sh
+
      - name: Auto-discover skills from releases
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -274,6 +277,18 @@ jobs:
          input_file: public/checksums.json
          signature_file: public/checksums.sig

+      - name: Verify generated public signing key matches canonical key
+        run: |
+          set -euo pipefail
+          CANONICAL_FPR=$(openssl pkey -pubin -in clawsec-signing-public.pem -outform DER | sha256sum | awk '{print $1}')
+          GENERATED_FPR=$(openssl pkey -pubin -in public/signing-public.pem -outform DER | sha256sum | awk '{print $1}')
+          echo "Canonical key fingerprint: $CANONICAL_FPR"
+          echo "Generated key fingerprint: $GENERATED_FPR"
+          if [ "$CANONICAL_FPR" != "$GENERATED_FPR" ]; then
+            echo "::error::public/signing-public.pem fingerprint mismatch vs clawsec-signing-public.pem"
+            exit 1
+          fi
+
      - name: Copy public key to advisory directory
        run: |
          # Clients expect the public key at advisories/feed-signing-public.pem
@@ -36,6 +36,9 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Verify signing key consistency (repo + docs)
+        run: ./scripts/ci/verify_signing_key_consistency.sh
+
      - name: Validate version parity for bumped skills
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
@@ -526,6 +529,9 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

+      - name: Verify signing key consistency (repo + docs)
+        run: ./scripts/ci/verify_signing_key_consistency.sh
+
      - name: Validate skill exists
        run: |
          SKILL_PATH="${{ steps.parse.outputs.skill_path }}"
@@ -782,6 +788,18 @@ jobs:
          signature_file: release-assets/checksums.sig
          public_key_output: release-assets/signing-public.pem

+      - name: Verify generated release signing key matches canonical key
+        run: |
+          set -euo pipefail
+          CANONICAL_FPR=$(openssl pkey -pubin -in clawsec-signing-public.pem -outform DER | sha256sum | awk '{print $1}')
+          GENERATED_FPR=$(openssl pkey -pubin -in release-assets/signing-public.pem -outform DER | sha256sum | awk '{print $1}')
+          echo "Canonical key fingerprint: $CANONICAL_FPR"
+          echo "Generated key fingerprint: $GENERATED_FPR"
+          if [ "$CANONICAL_FPR" != "$GENERATED_FPR" ]; then
+            echo "::error::release-assets/signing-public.pem fingerprint mismatch vs clawsec-signing-public.pem"
+            exit 1
+          fi
+
      - name: Show signed release assets
        run: |
          echo "Signed and verified release-assets/checksums.json"