
feat(security): add minisign signature verification to netclaw update#393

Merged: Aaronontheweb merged 2 commits into dev from feat/verify-update-signatures on Mar 23, 2026

Conversation

@Aaronontheweb (Collaborator)

Summary

  • Verifies minisign Ed25519 signature on manifest.json before trusting its contents during netclaw update and all background update checks
  • Downloads manifest.json.sig alongside the manifest; fails loudly if signature is missing or invalid (fail-closed, no fallback to unsigned)
  • Embeds the public key from feeds/releases/manifest.pub as a compiled constant — no CDN dependency for verification
  • Converts BinaryUpdateCheckService from IHostedService to BackgroundService with 24-hour periodic recheck timer
  • Emits UpdateAvailable operational alert via existing webhook notification infrastructure when updates are detected
  • Adds NSec.Cryptography (libsodium wrapper) for Ed25519 verification — .NET 10 lacks built-in Ed25519

Closes #390

Test plan

  • 13 MinisignVerifier unit tests (parse, verify, tampered, malformed, key mismatch, embedded key consistency)
  • 20 BinaryUpdateCheckService tests updated with Ed25519-signed test fixtures
  • 5 StatusUpdateChecker tests updated with signed manifests
  • New tests: signature failure returns appropriate ManifestFetchStatus, tampered manifest rejected, alert emitted/not emitted
  • Full suite: 1,282 tests pass, 0 failures
  • dotnet slopwatch analyze — no new violations

…#390)

Closes the client-side verification gap: the release pipeline already signs
manifest.json with minisign, but the client never checked. Now every manifest
fetch (update command, daemon startup, background check, doctor, status)
verifies the Ed25519 signature against an embedded public key before trusting
the manifest contents. Fail-closed — missing or invalid signatures reject
the manifest.

Also converts BinaryUpdateCheckService to a BackgroundService with a 24-hour
periodic recheck timer and emits UpdateAvailable operational alerts through
the existing webhook notification infrastructure.

Closes #390
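The client-side check the PR describes, written out as an added example that is not netclaw's code (the project does this in C# with NSec.Cryptography; this Go stand-in uses only the standard library's crypto/ed25519). It parses the minisign .pub and .sig text formats, checks the 8-byte key id against the embedded key, verifies the Ed25519 signature over the manifest bytes, verifies the global signature that binds the trusted comment, and fails closed on a missing file, a malformed file, a key mismatch or a bad signature. It handles only minisign's legacy "Ed" mode (signature over the raw file); the prehashed "ED" mode signs BLAKE2b-512 of the file, which is outside the Go standard library, so it is rejected explicitly. SignFixture, the manifest JSON and the trusted comment are constructed here so the example runs offline; in the real pipeline manifest.json.sig is produced by the minisign tool at release time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// minisign wire formats (after base64 decoding of the payload lines):
//   public key, 42 bytes: "Ed" | 8-byte key id | 32-byte Ed25519 public key
//   signature, 74 bytes:  alg  | 8-byte key id | 64-byte Ed25519 signature
//     alg "Ed" signs the raw file; alg "ED" signs BLAKE2b-512(file) (prehashed mode)
//   global signature, 64 bytes: Ed25519 over (signature || trusted comment)

type PublicKey struct {
	KeyID [8]byte
	Key   ed25519.PublicKey
}

type Signature struct {
	Algorithm      string
	KeyID          [8]byte
	Sig            []byte
	TrustedComment string
	GlobalSig      []byte
}

func nonEmptyLines(text string) []string {
	var out []string
	for _, l := range strings.Split(text, "\n") {
		if l = strings.TrimRight(l, "\r"); l != "" {
			out = append(out, l)
		}
	}
	return out
}

func decodeBlob(b64 string, want int, what string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("%s: bad base64: %w", what, err)
	}
	if len(raw) != want {
		return nil, fmt.Errorf("%s: want %d bytes, got %d", what, want, len(raw))
	}
	return raw, nil
}

// ParsePublicKey accepts a full .pub file (comment line + key line) or the bare key line,
// which is how an embedded compile-time constant would usually be stored.
func ParsePublicKey(text string) (*PublicKey, error) {
	lines := nonEmptyLines(text)
	if len(lines) == 2 && strings.HasPrefix(lines[0], "untrusted comment:") {
		lines = lines[1:]
	}
	if len(lines) != 1 {
		return nil, errors.New("public key: malformed file")
	}
	raw, err := decodeBlob(lines[0], 42, "public key")
	if err != nil {
		return nil, err
	}
	if string(raw[:2]) != "Ed" {
		return nil, fmt.Errorf("public key: unsupported algorithm %q", raw[:2])
	}
	pk := &PublicKey{Key: ed25519.PublicKey(raw[10:])}
	copy(pk.KeyID[:], raw[2:10])
	return pk, nil
}

// ParseSignature parses a .sig file: untrusted comment, signature, trusted comment, global signature.
func ParseSignature(text string) (*Signature, error) {
	lines := nonEmptyLines(text)
	if len(lines) != 4 || !strings.HasPrefix(lines[0], "untrusted comment:") ||
		!strings.HasPrefix(lines[2], "trusted comment: ") {
		return nil, errors.New("signature: malformed file")
	}
	raw, err := decodeBlob(lines[1], 74, "signature")
	if err != nil {
		return nil, err
	}
	global, err := decodeBlob(lines[3], 64, "global signature")
	if err != nil {
		return nil, err
	}
	s := &Signature{
		Algorithm:      string(raw[:2]),
		Sig:            raw[10:],
		TrustedComment: strings.TrimPrefix(lines[2], "trusted comment: "),
		GlobalSig:      global,
	}
	copy(s.KeyID[:], raw[2:10])
	return s, nil
}

// Verify is fail-closed: a key-id mismatch, unsupported mode or bad signature is an error.
func Verify(pk *PublicKey, sig *Signature, message []byte) error {
	if sig.KeyID != pk.KeyID {
		return fmt.Errorf("key id mismatch: signature %x, embedded key %x", sig.KeyID, pk.KeyID)
	}
	switch sig.Algorithm {
	case "Ed":
		if !ed25519.Verify(pk.Key, message, sig.Sig) {
			return errors.New("signature does not match manifest contents")
		}
	case "ED":
		// Prehashed mode signs BLAKE2b-512(message), not available in the standard library:
		// reject rather than verify the wrong input.
		return errors.New("prehashed (ED) signatures not supported by this example")
	default:
		return fmt.Errorf("unsupported signature algorithm %q", sig.Algorithm)
	}
	// The trusted comment is only trustworthy once the global signature ties it to sig.
	bound := append(append([]byte{}, sig.Sig...), sig.TrustedComment...)
	if !ed25519.Verify(pk.Key, bound, sig.GlobalSig) {
		return errors.New("global signature does not bind trusted comment")
	}
	return nil
}

// VerifyManifest is the client entry point: a missing .sig is an error, never a fallback.
func VerifyManifest(pubText, sigText string, manifest []byte) error {
	if strings.TrimSpace(sigText) == "" {
		return errors.New("manifest.json.sig missing: refusing unsigned manifest")
	}
	pk, err := ParsePublicKey(pubText)
	if err != nil {
		return err
	}
	sig, err := ParseSignature(sigText)
	if err != nil {
		return err
	}
	return Verify(pk, sig, manifest)
}

// SignFixture stands in for the minisign tool (legacy "Ed" mode) so the example runs offline.
func SignFixture(message []byte, trustedComment string) (pubText, sigText string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	var keyID [8]byte
	if _, err = rand.Read(keyID[:]); err != nil {
		return "", "", err
	}
	enc := base64.StdEncoding.EncodeToString
	sig := ed25519.Sign(priv, message)
	global := ed25519.Sign(priv, append(append([]byte{}, sig...), trustedComment...))
	pubText = "untrusted comment: minisign public key\n" +
		enc(append(append([]byte("Ed"), keyID[:]...), pub...)) + "\n"
	sigText = "untrusted comment: signature from minisign secret key\n" +
		enc(append(append([]byte("Ed"), keyID[:]...), sig...)) + "\n" +
		"trusted comment: " + trustedComment + "\n" + enc(global) + "\n"
	return pubText, sigText, nil
}

func main() {
	manifest := []byte(`{"version":"1.2.3","sha256":"0f1e2d"}`) // constructed sample manifest
	pub, sig, err := SignFixture(manifest, "timestamp:1700000000\tfile:manifest.json")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:    ", VerifyManifest(pub, sig, manifest))
	fmt.Println("tampered:   ", VerifyManifest(pub, sig, []byte(`{"version":"9.9.9"}`)))
	fmt.Println("missing sig:", VerifyManifest(pub, "", manifest))
}
```

The ordering matters for the same reason the PR emphasises fail-closed: the manifest bytes are only handed to JSON parsing after Verify returns nil, and every other path (no .sig, wrong key id, "ED" mode this client cannot compute, bad base64) is an error the update command surfaces rather than a silent downgrade to the unsigned manifest.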
Aaronontheweb enabled auto-merge (squash) March 23, 2026 22:16
Aaronontheweb merged commit 3185e8b into dev Mar 23, 2026
3 checks passed
Aaronontheweb deleted the feat/verify-update-signatures branch March 23, 2026 22:16
Aaronontheweb mentioned this pull request Mar 25, 2026
Development

Successfully merging this pull request may close these issues.

Add minisign manifest signature verification to netclaw update