chore: rotate signing key and add verify-key subcommand#42
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR addresses a release-signing failure by rotating the embedded ML-DSA-65 release public key and adding a CLI subcommand to validate hex-encoded secret keys before they’re stored as CI secrets.
Changes:
- Rotates the embedded ML-DSA-65 release public key used for upgrade signature verification.
- Adds
ant-keygen verify-keyto validate and sanity-check hex-encoded secret keys (incl. stdin input). - Updates
Cargo.lockmetadata forsaorsa-core.
Reviewed changes
Copilot reviewed 1 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
src/upgrade/signature.rs |
Replaces the embedded ML-DSA-65 release public key used to verify upgrade/release signatures. |
src/bin/keygen.rs |
Adds verify-key subcommand to validate hex-encoded ML-DSA-65 secret keys intended for CI usage. |
Cargo.lock |
Adds missing registry source/checksum metadata for saorsa-core. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The previous release failed because the ANT_NODE_SIGNING_KEY secret contained invalid hex (decoded to 0 bytes). Add a `verify-key` subcommand to ant-keygen so the hex representation can be validated before setting the GitHub secret. Also generates a fresh ML-DSA-65 keypair and embeds the new public key. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jacderida
force-pushed
the
chore/rotate-signing-key-with-validation
branch
from
a25afee to
fda30ed
Compare
mickvandijke
added a commit
that referenced
this pull request
Apr 1, 2026
Add unit and e2e tests covering the remaining Section 18 scenarios: Unit tests (32 new): - Quorum: #4 fail→abandoned, #16 timeout→inconclusive, #27 single-round dual-evidence, #28 dynamic threshold undersized, #33 batched per-key, #34 partial response unresolved, #42 quorum-derived paid-list auth - Admission: #5 unauthorized peer, #7 out-of-range rejected - Config: #18 invalid config rejected, #26 dynamic paid threshold - Scheduling: #8 dedup safety, #8 replica/paid collapse - Neighbor sync: #35 round-robin cooldown skip, #36 cycle completion, #38 snapshot stability mid-join, #39 unreachable removal + slot fill, #40 cooldown peer removed, #41 cycle termination guarantee, consecutive rounds, cycle preserves sync times - Pruning: #50 hysteresis prevents premature delete, #51 timestamp reset on heal, #52 paid/record timestamps independent, #23 entry removal - Audit: #19/#53 partial failure mixed responsibility, #54 all pass, #55 empty failure discard, #56 repair opportunity filter, response count validation, digest uses full record bytes - Types: #13 bootstrap drain, repair opportunity edge cases, terminal state variants - Bootstrap claims: #46 first-seen recorded, #49 cleared on normal E2e tests (4 new): - #2 fresh offer with empty PoP rejected - #5/#37 neighbor sync request returns response - #11 audit challenge multi-key (present + absent) - Fetch not-found for non-existent key Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ANT_NODE_SIGNING_KEYdecoded to 0 bytes (invalid hex)ant-keygen verify-keysubcommand to validate hex-encoded secret keys before setting them as GitHub secretsUsage
After merging
Update the
ANT_NODE_SIGNING_KEYGitHub Actions secret with the new hex-encoded key.Test plan
verify-keyvalidates the new key successfullyANT_NODE_SIGNING_KEYsecret and re-run release🤖 Generated with Claude Code