Skip to content

Signed Releases#1188

Draft
adamshiervani wants to merge 15 commits intodevfrom
feat/signed-releases
Draft

Signed Releases#1188
adamshiervani wants to merge 15 commits intodevfrom
feat/signed-releases

Conversation

@adamshiervani
Copy link
Contributor

@adamshiervani adamshiervani commented Feb 4, 2026
edited
Loading

Summary

  • Ensure that updates are signed by trusted key

TODO

  • Update public key fingerprint in code

Checklist

  • Ran make test_e2e locally and passed
  • Linked to issue(s) above by issue number (e.g. Closes #<issue-number>)
  • One problem per PR (no unrelated changes)
  • Lints pass; CI green
  • Tricky parts are commented in code

@adamshiervani
Implement GPG signature verification for OTA updates
657f95b 
- Added GPG signature verification to the OTA update process, ensuring that updates requiring signatures cannot be applied without them.
- Introduced a new GPGVerifier struct to handle fetching and verifying signatures.
- Updated the updateApp and updateSystem methods to check for signature URLs and download signatures as needed.
- Enhanced error handling for missing signatures and verification failures.
- Removed the old release.sh script as its functionality has been integrated into the Makefile for better release management.
@adamshiervani
Add tests for GPG signature verification in OTA updates
7aee55a
@adamshiervani
Refactor error message for missing GPG signature URL in OTA updates
3f44914
@adamshiervani
Refactor OTA update process to improve signature handling
b915200 
- Introduced a new method for downloading component signatures, ensuring that updates requiring signatures cannot proceed without them.
- Updated the Makefile to allow E2E tests to optionally include OTA tests based on the SKIP_OTA_E2E variable.
- Enhanced the test_local_update.sh script to support signature file verification and inclusion during tests.
- Improved error handling for missing signature URLs and added context cancellation checks in GPG key fetching.
IDisposable
IDisposable reviewed Feb 5, 2026
View reviewed changes
Copy link
Contributor

@IDisposable IDisposable left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty good... will this make local development testing of upgrades harder?

@adamshiervani
Refactor GPG key caching to validate keyring before storing
be4022d
@adamshiervani
Update Makefile to enhance E2E test process with optional OTA signatu…
d7acaec 
…re verification
@adamshiervani
Comment out non-working keyservers and update root key fingerprint
94080a3
@adamshiervani
Add Ubunutu keyserver
291ccf6
@adamshiervani
Update root key fingerprint for GPG signature verification in OTA upd…
fcf07cb 
…ates
@adamshiervani
Add signed OTA E2E test and full E2E test suite to Makefile
f504d2d 
- Introduced `test_e2e_signed` target for testing signed OTA updates with GPG signature verification.
- Added `test_e2e_full` target to run both regular and signed OTA tests, requiring a signing key fingerprint.
- Enhanced error handling for missing parameters in both test targets.
@adamshiervani
Refactor mouse position handling in E2E tests
78fa529
@adamshiervani
Update IP address extraction in test_local_update.sh to exclude all l…
b75ff78 
…ocalhost addresses
@adamshiervani
Add GPG public key fetching tests with caching and error handling
a27dc2e
@adamshiervani
Enhance build and testing scripts for signed OTA updates
13ce495
@adamshiervani
Add fingerprint extraction and validation for GPG keys
99b5e39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IDisposable IDisposable IDisposable left review comments

@chemhack chemhack Awaiting requested review from chemhack

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@adamshiervani @IDisposable