unarr/scripts/sign-checksums/main.go

// sign-checksums signs the dist/checksums.txt file with an ed25519 private
// key and writes the base64-encoded signature to the path given by -out.
//
// Usage (from release workflow):
//
//	go run ./scripts/sign-checksums \
//	    -key "$RELEASE_SIGNING_KEY" \
//	    -in  dist/checksums.txt \
//	    -out dist/checksums.txt.sig
//
// The companion CLI verifier (internal/upgrade/signature.go) requires the
// signature to be base64 text, so emitting base64 + trailing newline makes
// the artifact safe to inspect with `cat` / the GitHub release UI.
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"flag"
	"fmt"
	"os"
)

func main() {
	keyB64 := flag.String("key", "", "base64-encoded ed25519 private key (PrivateKeySize = 64 bytes)")
	in := flag.String("in", "", "path to file to sign")
	out := flag.String("out", "", "path to write the base64-encoded signature")
	flag.Parse()

	if *keyB64 == "" || *in == "" || *out == "" {
		fmt.Fprintln(os.Stderr, "usage: sign-checksums -key <base64> -in <path> -out <path>")
		os.Exit(2)
	}

	keyBytes, err := base64.StdEncoding.DecodeString(*keyB64)
	if err != nil {
		fail("decode key: %v", err)
	}
	if len(keyBytes) != ed25519.PrivateKeySize {
		fail("private key size %d, expected %d", len(keyBytes), ed25519.PrivateKeySize)
	}
	priv := ed25519.PrivateKey(keyBytes)

	content, err := os.ReadFile(*in)
	if err != nil {
		fail("read input: %v", err)
	}

	sig := ed25519.Sign(priv, content)
	encoded := base64.StdEncoding.EncodeToString(sig) + "\n"
	if err := os.WriteFile(*out, []byte(encoded), 0o644); err != nil {
		fail("write signature: %v", err)
	}
	fmt.Printf("Signed %s (%d bytes) → %s\n", *in, len(content), *out)
}

func fail(format string, args ...any) {
	fmt.Fprintf(os.Stderr, format+"\n", args...)
	os.Exit(1)
}
fix(security): UPnP opt-in, bounded SSE reader, signed self-update Phase 2 security audit follow-up. Three independent hardenings against the unauthenticated daemon surface, the long-lived agent SSE stream and the self-update channel. UPnP is now opt-in. The stream port + /hls endpoints have no auth, so publishing them on the WAN via the gateway was a default that exposed active downloads to anyone scanning the operator's external IP. New config downloads.enable_upnp (default false) gates the mapping; LAN and Tailscale clients continue to work unchanged. A startup log makes the new default visible. The agent SSE reader now uses a bounded bufio.Scanner instead of an unbounded ReadString. A hostile or buggy server can no longer grow daemon memory by streaming a single line forever or by emitting unbounded data: continuation lines — both are capped at 256 KiB and 1 MiB respectively, and an error is surfaced so SignalLoop reconnects. Self-update now verifies an ed25519 signature over checksums.txt when the binary was built with a release public key embedded (injected via goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion scripts/sign-checksums runs in the release workflow when both the public-key variable and the private-key secret are present, uploading checksums.txt.sig next to the existing checksums file. Builds without the embedded key continue to update with SHA256-only verification; a --allow-unsigned flag is provided so users on a signed build can still install pre-signing releases or recover from an accidental unsigned release. A new scripts/gen-release-key helper documents the one-time keypair generation procedure required before flipping signing on. 2026-05-15 17:29:22 +02:00			`// sign-checksums signs the dist/checksums.txt file with an ed25519 private`
			`// key and writes the base64-encoded signature to the path given by -out.`
			`//`
			`// Usage (from release workflow):`
			`//`
			`// go run ./scripts/sign-checksums \`
			`// -key "$RELEASE_SIGNING_KEY" \`
			`// -in dist/checksums.txt \`
			`// -out dist/checksums.txt.sig`
			`//`
			`// The companion CLI verifier (internal/upgrade/signature.go) requires the`
			`// signature to be base64 text, so emitting base64 + trailing newline makes`
			// the artifact safe to inspect with `cat` / the GitHub release UI.
			`package main`

			`import (`
			`"crypto/ed25519"`
			`"encoding/base64"`
			`"flag"`
			`"fmt"`
			`"os"`
			`)`

			`func main() {`
			`keyB64 := flag.String("key", "", "base64-encoded ed25519 private key (PrivateKeySize = 64 bytes)")`
			`in := flag.String("in", "", "path to file to sign")`
			`out := flag.String("out", "", "path to write the base64-encoded signature")`
			`flag.Parse()`

			`if keyB64 == "" \|\| in == "" \|\| *out == "" {`
			`fmt.Fprintln(os.Stderr, "usage: sign-checksums -key <base64> -in <path> -out <path>")`
			`os.Exit(2)`
			`}`

			`keyBytes, err := base64.StdEncoding.DecodeString(*keyB64)`
			`if err != nil {`
			`fail("decode key: %v", err)`
			`}`
			`if len(keyBytes) != ed25519.PrivateKeySize {`
			`fail("private key size %d, expected %d", len(keyBytes), ed25519.PrivateKeySize)`
			`}`
			`priv := ed25519.PrivateKey(keyBytes)`

			`content, err := os.ReadFile(*in)`
			`if err != nil {`
			`fail("read input: %v", err)`
			`}`

			`sig := ed25519.Sign(priv, content)`
			`encoded := base64.StdEncoding.EncodeToString(sig) + "\n"`
			`if err := os.WriteFile(*out, []byte(encoded), 0o644); err != nil {`
			`fail("write signature: %v", err)`
			`}`
			`fmt.Printf("Signed %s (%d bytes) → %s\n", in, len(content), out)`
			`}`

			`func fail(format string, args ...any) {`
			`fmt.Fprintf(os.Stderr, format+"\n", args...)`
			`os.Exit(1)`
			`}`