lib/upgrade: Extract signing key to embedded file (fixes #9247) (#9296)

### Purpose Instead of hardcoding `SigningKey` as text use `go:embed`. Fixes #9247. ### Testing * Building syncthing * Trying to upgrade (signature verification)
2024-12-22 19:08:58 +00:00 · 2023-12-18 22:47:57 +03:00 · 2023-12-18 22:47:57 +03:00 · 91084b83b4
commit 91084b83b4
parent 5360e7153b
2 changed files with 11 additions and 6 deletions
--- a/lib/upgrade/signingkey.go
+++ b/lib/upgrade/signingkey.go
@ -6,14 +6,13 @@
 package upgrade
 import _ "embed"
 // SigningKey is the public key used to verify signed upgrades. It must match
 // the private key used to sign binaries for the built in upgrade mechanism to
 // accept an upgrade. Keys and signatures can be created and verified with the
 // stsigtool utility. The build script creates signed binaries when given the
 // -sign option.
-var SigningKey = []byte(`-----BEGIN EC PUBLIC KEY-----
+//
-MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA1iRk+p+DsmolixxVKcpEVlMDPOeQ
+//go:embed signingkey.pem
-1dWthURMqsjxoJuDAe5I98P/A0kXSdBI7avm5hXhX2opJ5TAyBZLHPpDTRoBg4WN
+var SigningKey []byte
 7jUpeAjtPoVVxvOh37qDeDVcjCgJbbDTPKbjxq/Ae3SHlQMRcoes7lVY1+YJ8dPk
 2oPfjA6jtmo9aVbf/uo=
 -----END EC PUBLIC KEY-----`)
--- a/lib/upgrade/signingkey.pem
+++ b/lib/upgrade/signingkey.pem
@ -0,0 +1,6 @@
 -----BEGIN EC PUBLIC KEY-----
 MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA1iRk+p+DsmolixxVKcpEVlMDPOeQ
 1dWthURMqsjxoJuDAe5I98P/A0kXSdBI7avm5hXhX2opJ5TAyBZLHPpDTRoBg4WN
 7jUpeAjtPoVVxvOh37qDeDVcjCgJbbDTPKbjxq/Ae3SHlQMRcoes7lVY1+YJ8dPk
 2oPfjA6jtmo9aVbf/uo=
 -----END EC PUBLIC KEY-----