fix(installer): verify keyring signature and remove insecure bypass (#323)

Jaro-c · web-flow · commit b3e7d7d5f696 · 2026-06-15T12:16:32.000-05:00
Closes #314 (inert on squash->develop; close manually after merge). ## What - **#1** \`--apt\` path now downloads \`glyndor-archive-keyring.deb.sig\` and verifies the Ed25519 signature against the embedded release key **before** \`dpkg -i\` (fail-closed). - **#2** Removed \`PODUP_INSECURE_SKIP_VERIFY\` opt-out from \`install.sh\` + \`install.ps1\`. A strong cryptographic proof is now mandatory. ## Coordination The \`--apt\` verification requires the apt repo (\`Glyndor/apt\`) to publish \`glyndor-archive-keyring.deb.sig\`. A companion apt PR signs the keyring; this must land before the next release ships the new install.sh. ## Test \`bash -n install.sh\` OK. shellcheck/PSScriptAnalyzer run in CI (lint-shell, lint-powershell). Signed-off-by: Jaro-c <75870284+Jaro-c@users.noreply.github.com>
diff --git a/docs/self-update.md b/docs/self-update.md
@@ -44,8 +44,10 @@ The one-line installer applies the same fail-closed policy. It requires **at
 least one** strong proof to succeed — the Ed25519 signature (when `python3` +
 `cryptography` and a configured public key are present) **or** the GitHub
 build-provenance attestation (`gh attestation verify`). If neither verifier is
-available it refuses to install. `PODUP_INSECURE_SKIP_VERIFY=1` is the explicit,
-documented opt-out (checksum only) for constrained environments.
+available it refuses to install. There is **no opt-out**: a checksum alone is not
+a trust anchor, so a verifier (`gh` or `python3` + `cryptography`) must be present
+at install time. The `--apt` path likewise verifies the keyring package's Ed25519
+signature before installing it as root.
 
 ## The embedded public keys
 
diff --git a/install.ps1 b/install.ps1
@@ -10,7 +10,6 @@
 #   PODUP_VERSION              Release tag to install (e.g. v0.3.0). Default: latest.
 #   PODUP_INSTALL_DIR          Installation directory. Default: %LOCALAPPDATA%\Programs\podup.
 #   PODUP_RELEASE_PUBKEY_B64   Override the baked-in Ed25519 release public key (for forks).
-#   PODUP_INSECURE_SKIP_VERIFY Set to 1 to accept checksum-only verification.
 
 Set-StrictMode -Version Latest
 $ErrorActionPreference = 'Stop'
@@ -81,8 +80,7 @@ try {
 	# SHA256SUMS. The binary is trusted only after at least one cryptographic proof
 	# tied to the release key or the repository's build identity succeeds — the
 	# Ed25519 signature over SHA256SUMS, or the GitHub build-provenance attestation.
-	# If neither verifier can run, the install fails closed. Set
-	# PODUP_INSECURE_SKIP_VERIFY=1 to explicitly opt out (checksum only).
+	# If neither verifier can run, the install fails closed.
 
 	# Baked-in base64 (unpadded) raw Ed25519 public keys (32 bytes each) matching
 	# the release signing key (RELEASE_SIGN_KEY). Up to two are accepted: the
@@ -166,13 +164,11 @@ sys.exit(1)
 		Write-LogInfo 'GitHub CLI with attestation support not found — cannot check attestation'
 	}
 
-	# Fail closed unless a strong proof succeeded or the user explicitly opts out.
+	# Fail closed: a strong cryptographic proof is mandatory. A checksum alone is not
+	# a trust anchor, and there is no opt-out — hardened environments require
+	# verifiable supply-chain integrity at install time.
 	if (-not $verified) {
-		if ($env:PODUP_INSECURE_SKIP_VERIFY -eq '1') {
-			Write-LogInfo 'PODUP_INSECURE_SKIP_VERIFY=1 — proceeding with checksum verification only'
-		} else {
-			Fail "No signature or attestation verifier available. Install 'gh' (>= 2.49) or python3 with the 'cryptography' package, set PODUP_RELEASE_PUBKEY_B64, or re-run with PODUP_INSECURE_SKIP_VERIFY=1 to accept checksum-only verification."
-		}
+		Fail "No signature or attestation verifier available. Install 'gh' (>= 2.49) or python3 with the 'cryptography' package, or set PODUP_RELEASE_PUBKEY_B64, then re-run."
 	}
 
 	Write-LogInfo 'Verifying SHA-256 checksum ...'
diff --git a/install.sh b/install.sh
@@ -159,13 +159,27 @@ install_apt() {
 	command -v dpkg >/dev/null 2>&1 || fail "--apt requires dpkg"
 
 	# Bootstrap the repository over HTTPS by installing the glyndor-archive-keyring
-	# package, which registers the signing key and source list. This curl step has
-	# the same trust as running this installer; from then on apt verifies every
-	# package against the repository's GPG signature, and key renewals arrive
+	# package, which registers the signing key and source list. The package is
+	# verified against the embedded Ed25519 release key before it is installed, so
+	# a tampered CDN or MITM cannot inject a rogue keyring. From then on apt verifies
+	# every package against the repository's GPG signature, and key renewals arrive
 	# automatically through apt upgrade.
 	local kr="glyndor-archive-keyring.deb"
 	log_info "Setting up the Glyndor apt repository ..."
 	download "https://apt.glyndor.net/${kr}" "${TMP_DIR}/${kr}"
+	download "https://apt.glyndor.net/${kr}.sig" "${TMP_DIR}/${kr}.sig"
+
+	# Fail closed: the keyring package is installed as root, so it must carry a
+	# valid Ed25519 signature from the release key. No checksum-only fallback.
+	log_info "Verifying keyring package signature ..."
+	local kr_rc=0
+	ed25519_verify "${TMP_DIR}/${kr}.sig" "${TMP_DIR}/${kr}" || kr_rc=$?
+	case "$kr_rc" in
+		0) log_ok "Keyring signature verified" ;;
+		1) fail "Keyring signature verification failed — aborting (package may be tampered)" ;;
+		2) fail "Cannot verify keyring signature: install python3 with the 'cryptography' package (and a configured release key) — aborting" ;;
+	esac
+
 	run_root dpkg -i "${TMP_DIR}/${kr}"
 	run_root apt-get update
 	log_info "Installing podup ..."
@@ -187,8 +201,7 @@ install_binary() {
 	# SHA256SUMS. The binary is trusted only after at least one cryptographic proof
 	# tied to the release key or the repository's build identity succeeds — the
 	# Ed25519 signature over SHA256SUMS, or the GitHub build-provenance attestation.
-	# If neither verifier can run, the install fails closed. Set
-	# PODUP_INSECURE_SKIP_VERIFY=1 to explicitly opt out (checksum only).
+	# If neither verifier can run, the install fails closed.
 	local verified=0 rc=0
 
 	log_info "Verifying SHA256SUMS signature ..."
@@ -217,15 +230,12 @@ install_binary() {
 		log_info "GitHub CLI with attestation support not found — cannot check attestation"
 	fi
 
-	# Fail closed unless a strong proof succeeded or the user explicitly opts out.
+	# Fail closed: a strong cryptographic proof is mandatory. A checksum alone is
+	# not a trust anchor, and there is no opt-out — government and hardened
+	# environments require verifiable supply-chain integrity at install time.
 	if [[ "$verified" -ne 1 ]]; then
-		if [[ "${PODUP_INSECURE_SKIP_VERIFY:-0}" == "1" ]]; then
-			log_info "PODUP_INSECURE_SKIP_VERIFY=1 — proceeding with checksum verification only"
-		else
-			fail "No signature or attestation verifier available. Install 'gh' (>= 2.49) \
-or python3 with the 'cryptography' package, set PODUP_RELEASE_PUBKEY_B64, or re-run \
-with PODUP_INSECURE_SKIP_VERIFY=1 to accept checksum-only verification."
-		fi
+		fail "No signature or attestation verifier available. Install 'gh' (>= 2.49) \
+or python3 with the 'cryptography' package, or set PODUP_RELEASE_PUBKEY_B64, then re-run."
 	fi
 
 	verify_checksum "$ARTIFACT"
