From 05444a0f6af8389b9bb85280fc31337c556d4300 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Mon, 20 Mar 2023 13:16:18 -0700
Subject: [PATCH] Use the official pub key to always verify binary (#16857)
---
 cmd/update.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cmd/update.go b/cmd/update.go
index 03a8cf59c..3fad61801 100644
--- a/cmd/update.go
+++ b/cmd/update.go
@@ -518,6 +518,11 @@ func downloadBinary(u *url.URL, mode string) (readerReturn []byte, err error) {
 return binaryFile, nil
 }
 
+const (
+ // Update this whenever the official minisign pubkey is rotated.
+ defaultMinisignPubkey = "RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav"
+)
+
 func verifyBinary(u *url.URL, sha256Sum []byte, releaseInfo string, mode string, reader []byte) (err error) {
 if !atomic.CompareAndSwapUint32(&updateInProgress, 0, 1) {
 return errors.New("update already in progress")
@@ -538,7 +543,7 @@ func verifyBinary(u *url.URL, sha256Sum []byte, releaseInfo string, mode string,
 }
 }
 
- minisignPubkey := env.Get(envMinisignPubKey, "")
+ minisignPubkey := env.Get(envMinisignPubKey, defaultMinisignPubkey)
 if minisignPubkey != "" {
 v := selfupdate.NewVerifier()
 u.Path = path.Dir(u.Path) + slashSeparator + releaseInfo + ".minisig"
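Review bot: The comment on `defaultMinisignPubkey` says when to change the constant but not what it is used for or what a rotation means for binaries that are already deployed. This string becomes the default trust anchor for the signature check in verifyBinary, so a binary built with the old key would presumably reject releases signed with a rotated key unless the operator supplies the new one through `envMinisignPubKey`. I would extend the comment to say so, for example `// Default trust anchor for self-update signature verification; envMinisignPubKey overrides it.`, plus one line noting that already-released binaries keep the previous key after a rotation.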
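Review bot: The guard `if minisignPubkey != ""` directly below the changed line still allows the signature check to be skipped, which does not match the "always verify" intent in the commit title. env.Get is not visible here; if it returns the variable's value whenever the variable is set, an environment that sets it to an empty string yields `""` and verification is bypassed silently. Consider failing closed after the lookup, e.g. `if minisignPubkey == "" { minisignPubkey = defaultMinisignPubkey }`, or returning an error instead of proceeding unverified. Separately, a key taken from the environment replaces the official one without leaving any trace, so logging when the override is in effect would help operators notice an unexpected trust-anchor change. verifyBinary's body continues outside the hunk.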