feat(audit): 1.1 — project scaffold, schema types, collector stub, updater trust

- go.mod: module bee/audit - schema/hardware.go: HardwareIngestRequest types (compatible with core) - collector/collector.go: Run() stub, logs start/finish, returns empty snapshot - updater/trust.go: Ed25519 multi-key verification via ldflags injection - updater/trust_test.go: valid sig, tampered, multi-key any-match, dev build - cmd/audit/main.go: --output stdout|file:<path>|usb, --version flag - Version = "dev" by default, injected via ldflags at release Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 10:32:12 +03:00
commit a4f70b17f0
8 changed files with 362 additions and 0 deletions
--- a/audit/internal/updater/trust_test.go
+++ b/audit/internal/updater/trust_test.go
@@ -0,0 +1,72 @@
+package updater
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"testing"
+)
+
+func TestVerifySignature_valid(t *testing.T) {
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	data := []byte("release binary content")
+	sig := ed25519.Sign(priv, data)
+
+	trustedKeysRaw = base64.StdEncoding.EncodeToString(pub)
+	t.Cleanup(func() { trustedKeysRaw = "" })
+
+	if err := VerifySignature(data, sig); err != nil {
+		t.Fatalf("expected valid signature to pass: %v", err)
+	}
+}
+
+func TestVerifySignature_tampered(t *testing.T) {
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_ = pub
+
+	data := []byte("original content")
+	sig := ed25519.Sign(priv, data)
+
+	// different key embedded
+	pub2, _, _ := ed25519.GenerateKey(rand.Reader)
+	trustedKeysRaw = base64.StdEncoding.EncodeToString(pub2)
+	t.Cleanup(func() { trustedKeysRaw = "" })
+
+	if err := VerifySignature(data, sig); err == nil {
+		t.Fatal("expected tampered signature to fail")
+	}
+}
+
+func TestVerifySignature_multiKey_anyMatches(t *testing.T) {
+	pub1, _, _ := ed25519.GenerateKey(rand.Reader)
+	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
+
+	data := []byte("signed by developer 2")
+	sig := ed25519.Sign(priv2, data)
+
+	trustedKeysRaw = base64.StdEncoding.EncodeToString(pub1) + ":" +
+		base64.StdEncoding.EncodeToString(pub2)
+	t.Cleanup(func() { trustedKeysRaw = "" })
+
+	if err := VerifySignature(data, sig); err != nil {
+		t.Fatalf("expected any-key match to pass: %v", err)
+	}
+}
+
+func TestVerifySignature_devBuild(t *testing.T) {
+	trustedKeysRaw = ""
+	_, priv, _ := ed25519.GenerateKey(rand.Reader)
+	data := []byte("content")
+	sig := ed25519.Sign(priv, data)
+
+	if err := VerifySignature(data, sig); err == nil {
+		t.Fatal("expected dev build (no keys) to fail")
+	}
+}