verify: report E_SIG_INVALID_KEY when no runtime key is given#16
Merged
Verifying a content or transaction without --expected-runtime-pubkey fabricated an all-zero RuntimePubkey and let the signature check fail, so the reject surfaced as E_SIG_VERIFICATION - indistinguishable from a genuinely bad signature. A missing authorizing key is not a signature failure: report it as E_SIG_INVALID_KEY before attempting verification, matching the entangled-core reference runner. Automation can now tell 'no manifest context' apart from 'bad signature'. Add an integration test asserting the diagnostic, and update the README and example wording.
Fixes the low-severity audit finding: verifying a content/transaction without --expected-runtime-pubkey fabricated an all-zero RuntimePubkey, so the reject surfaced as E_SIG_VERIFICATION - indistinguishable from a genuinely bad signature, so automation could not tell 'manifest context omitted' from 'bad signature'.

A missing authorizing key is not a signature failure. Report it as E_SIG_INVALID_KEY before attempting verification, matching the entangled-core reference runner's handling. Confirmed: no key -> E_SIG_INVALID_KEY; valid key -> accept; wrong key -> E_SIG_VERIFICATION (the three are now distinct).

Add an integration test asserting the diagnostic (not just the exit code), and update the README and example wording. fmt, clippy -D warnings, build, and test green with --locked.
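The check ordering described in the PR description and the comment above, as an added Rust example that is not the project's own code: the missing-key case is rejected before any signature verification runs, so the three outcomes (no key, valid key, wrong key) map to three distinct results. The `RuntimePubkey` wrapper, the `SigError` enum and its `code()` strings, and the keyed-hash `toy_sign`/`toy_verify` pair are assumptions standing in for the project's real types and signature scheme; only the error-classification logic is the point.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Diagnostics named on the PR page. The enum and its string codes are an
/// assumption about how the project represents them.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SigError {
    /// No authorizing runtime key was supplied (manifest context omitted).
    InvalidKey,
    /// A key was supplied but the signature does not verify under it.
    Verification,
}

impl SigError {
    pub fn code(self) -> &'static str {
        match self {
            SigError::InvalidKey => "E_SIG_INVALID_KEY",
            SigError::Verification => "E_SIG_VERIFICATION",
        }
    }
}

/// Assumed shape of the runtime public key: 32 raw bytes.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct RuntimePubkey(pub [u8; 32]);

pub type Signature = u64;

/// Toy stand-in for the real signature scheme (assumption, not the project's
/// cryptography): a keyed hash of the payload. Only its shape matters here,
/// namely that verification succeeds exactly when the key matches the signer's.
pub fn toy_sign(key: &RuntimePubkey, payload: &[u8]) -> Signature {
    let mut h = DefaultHasher::new();
    key.0.hash(&mut h);
    payload.hash(&mut h);
    h.finish()
}

fn toy_verify(key: &RuntimePubkey, payload: &[u8], sig: Signature) -> bool {
    toy_sign(key, payload) == sig
}

/// Pre-fix behaviour: a missing key is silently replaced by an all-zero key,
/// verification runs against it and fails, and the caller sees
/// E_SIG_VERIFICATION whether the key was absent or merely wrong.
pub fn verify_before(
    expected: Option<&RuntimePubkey>,
    payload: &[u8],
    sig: Signature,
) -> Result<(), SigError> {
    let zero = RuntimePubkey([0u8; 32]);
    let key = expected.unwrap_or(&zero);
    if toy_verify(key, payload, sig) {
        Ok(())
    } else {
        Err(SigError::Verification)
    }
}

/// Post-fix behaviour: the absence of an authorizing key is reported as
/// E_SIG_INVALID_KEY before any signature check is attempted.
pub fn verify_after(
    expected: Option<&RuntimePubkey>,
    payload: &[u8],
    sig: Signature,
) -> Result<(), SigError> {
    let key = expected.ok_or(SigError::InvalidKey)?;
    if toy_verify(key, payload, sig) {
        Ok(())
    } else {
        Err(SigError::Verification)
    }
}

/// Runs the three cases from the PR comment against both implementations and
/// returns (case label, pre-fix result, post-fix result).
pub fn demo() -> Vec<(&'static str, Result<(), SigError>, Result<(), SigError>)> {
    let good = RuntimePubkey([7u8; 32]);
    let wrong = RuntimePubkey([9u8; 32]);
    let payload = b"constructed manifest bytes"; // constructed sample input
    let sig = toy_sign(&good, payload);
    vec![
        ("no key", verify_before(None, payload, sig), verify_after(None, payload, sig)),
        ("valid key", verify_before(Some(&good), payload, sig), verify_after(Some(&good), payload, sig)),
        ("wrong key", verify_before(Some(&wrong), payload, sig), verify_after(Some(&wrong), payload, sig)),
    ]
}

fn main() {
    for (label, before, after) in demo() {
        let show = |r: Result<(), SigError>| match r {
            Ok(()) => "accept".to_string(),
            Err(e) => e.code().to_string(),
        };
        println!("{:<10} before: {:<19} after: {}", label, show(before), show(after));
    }
}
```

Note that the pre-fix column reports E_SIG_VERIFICATION for both the "no key" and "wrong key" rows, which is exactly the ambiguity automation could not resolve; the post-fix column separates them.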