Migrate connector delivery to canonical artifacts#106
Merged
Conversation
tnunamak
force-pushed
the
feat/connector-distribution-consolidation
branch
from
4a61a61 to
7095652
Compare
2 tasks
- scripts/ensure-connectors.js: call resolve-connectors.js directly instead of going through the fetch-connectors wrapper, and rename log strings from "fetch"/"registry" to "resolve"/"signed index" so they match the new distribution model. - scripts/sync-connectors-dev.js: drop stale registry.json reference from the skip-list comment; replace with the current non-connector filenames we actually skip. - docs/260310-adding-a-new-connector.md: point contributors at the signed connector index instead of registry.json. - ecosystem/submit-data-app.md: replace the raw-main registry.json link with the signed connectors-latest connector-index.json and update the "find scopes" recipe accordingly. fetch-connectors.js is intentionally kept as a thin wrapper around resolve-connectors.js so existing postinstall and any external callers keep working; it can be removed in a later cleanup wave.
Adds three targeted unit tests around the signed-distribution gate in src-tauri/src/commands/updates.rs: - verify_checksum_rejects_tampered_payload: flips one bit of a payload and asserts verify_checksum() no longer matches the recomputed sha256 — proves the artifact_sha256 gate actually rejects tampering. - verify_checksum_rejects_mismatched_expected: asserts a deliberately wrong expected sha256 is rejected — proves the comparison is strict. - verify_sigstore_bundle_rejects_malformed_bundle: passes junk bytes as the signature bundle and asserts verify_sigstore_bundle() errors out before reaching Sigstore verification — proves malformed input cannot silently bypass the signature path. These are permanent regression checks for the signed index + signed artifact contract on this branch. Full end-to-end Sigstore verification against a real bundle is covered by runtime + manual QA; that requires network access to the Sigstore TUF repo and is not a fit for unit tests.
- ensure-connectors.js: "skip resolve" -> "skip resolution" and "Connector resolve completed" -> "Connector resolution completed" for grammar. - fetch-connectors.js: mark the file as a legacy wrapper in a header comment and rename its error prefix accordingly so it is obvious the script exists only for backwards compatibility.
- README.md: update connectors section to say the data-connectors index is signed, mention `npm run connectors:check` for verifying the lockfile without mutating connectors/, and rewrite the runtime precedence paragraph to reflect the new order: active installs in ~/.dataconnect/connectors-store/ (via connectors-active.json) -> legacy ~/.dataconnect/connectors/ -> bundled connectors/. - ecosystem/submit-data-app.md: rework the "where to get scopes" recipe so authors go to the repo manifest directly (which is where scope strings live) and list the published signed index as a secondary reference rather than the first stop. No script or runtime changes in this commit.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Validation