refactor(ota): use bundled public key for offline signature verification

The offline update path previously fell back to a "warn and bypass"
prompt when the device could not reach GPG keyservers to fetch the
signing key. This defeated the purpose of offline updates, which
exist precisely for air-gapped devices without internet access.

The archive format now includes a .pub file (armored GPG public key)
alongside the binary, .sha256, and .sig. On upload, the bundled key
is validated against the pinned root fingerprint in gpg.go:21 via
parseAndValidateKeyring — the same trust anchor used by the online
update path. If the fingerprint matches, the key is used to verify
the signature locally. No keyserver call is made.

Verification is now binary: it passes or it fails. There is no
third "key fetch failed" state and no bypass option.

Backend (internal/ota/offline.go, ota_offline.go):
- OfflineBundle gains PublicKeyData []byte field
- ExtractOfflineArchive requires .pub (4 files, up from 3)
- VerifyOfflineBundle calls new VerifySignatureFromFileWithKey
  method on GPGVerifier instead of VerifySignatureFromFile
- Removed isKeyFetchError(), KeyFetchFailed from OfflineVerifyResult,
  BypassSignature from offlineUpdateApplyRequest, offlineUploadTimeout
- VerifyOfflineBundle no longer takes a context parameter

New GPG method (internal/ota/gpg.go):
- VerifySignatureFromFileWithKey accepts raw armored key bytes,
  validates the fingerprint via parseAndValidateKeyring, then
  calls CheckDetachedSignature with the resulting single-entity
  keyring. No keyserver interaction, no cache mutation.

Frontend (ui/src/components/OfflineUpdateCard.tsx):
- Removed bypass confirmation dialog, showBypassPrompt state,
  keyFetchFailed from UploadResult, bypassSignature from apply
  request, ExclamationTriangleIcon import
- Signature OK indicator now always shows on verified state

Localisation (ui/localization/messages/en.json):
- Removed offline_update_signature_bypass_title,
  offline_update_signature_bypass_description,
  offline_update_signature_bypass_confirm

Tests (internal/ota/offline_test.go):
- All archives now include .pub files
- newOfflineSigningFixture replaces newSigningTestFixture for
  offline tests — no mock HTTP client needed
- Added TestExtractOfflineArchive_MissingPub,
  TestVerifyOfflineBundle_EmptyPublicKey,
  TestVerifyOfflineBundle_WrongKey (bundled key fingerprint
  mismatch)
- Removed TestIsKeyFetchError,
  TestVerifyOfflineBundle_KeyFetchFailure
- End-to-end tests updated for 4-file archive format

Makefile:
- offline_archive_app target includes jetkvm_app.pub

Key rotation is not addressed here. rootKeyFP is a single string;
expanding to []string for the v1→v2→v3→v4 key rollover model is
a separate change.

Signed-off-by: Alex Howells <alex@howells.me>

Author: agh

Makefile

@@ -314,17 +314,18 @@ _build_release_inner: build_native
 		-o $(BIN_DIR)/jetkvm_app cmd/main.go
 
 # Package a signed app binary into an offline update archive.
-# Expects bin/jetkvm_app, bin/jetkvm_app.sha256, and bin/jetkvm_app.sig
-# to already exist (produced by the signing step in release/test_production_release).
+# Expects bin/jetkvm_app, bin/jetkvm_app.sha256, bin/jetkvm_app.sig,
+# and bin/jetkvm_app.pub to already exist (produced by the signing step
+# in release/test_production_release).
 offline_archive_app:
 	@echo "Creating offline update archive for app..."
-	@for f in jetkvm_app jetkvm_app.sha256 jetkvm_app.sig; do \
+	@for f in jetkvm_app jetkvm_app.sha256 jetkvm_app.sig jetkvm_app.pub; do \
 		if [ ! -f "$(BIN_DIR)/$$f" ]; then \
 			echo "Error: $(BIN_DIR)/$$f not found. Run signing step first."; exit 1; \
 		fi; \
 	done
 	tar czf $(BIN_DIR)/jetkvm_app_offline_update.tar.gz \
-		-C $(BIN_DIR) jetkvm_app jetkvm_app.sha256 jetkvm_app.sig
+		-C $(BIN_DIR) jetkvm_app jetkvm_app.sha256 jetkvm_app.sig jetkvm_app.pub
 	@echo "✓ Created $(BIN_DIR)/jetkvm_app_offline_update.tar.gz"
 
 release: git_check_dev check_r2

internal/ota/gpg.go

@@ -256,6 +256,31 @@ func (g *GPGVerifier) VerifySignatureFromFile(ctx context.Context, signature []b
 	return nil
 }
 
+// VerifySignatureFromFileWithKey verifies a detached GPG signature against a
+// file using a caller-supplied armored public key rather than fetching from
+// keyservers. The key is validated against the pinned root fingerprint before
+// use. This is the verification path for offline updates where keyservers are
+// unreachable.
+func (g *GPGVerifier) VerifySignatureFromFileWithKey(signature []byte, filePath string, armoredKey []byte) error {
+	keyring, err := g.parseAndValidateKeyring(armoredKey)
+	if err != nil {
+		return fmt.Errorf("bundled public key rejected: %w", err)
+	}
+
+	file, err := os.Open(filePath)
+	if err != nil {
+		return fmt.Errorf("failed to open file for verification: %w", err)
+	}
+	defer file.Close()
+
+	if _, err := openpgp.CheckDetachedSignature(keyring, file, bytes.NewReader(signature), nil); err != nil {
+		return fmt.Errorf("signature verification failed: %w", err)
+	}
+
+	g.logger.Info().Str("file", filePath).Msg("offline signature verification successful")
+	return nil
+}
+
 // ClearCache clears the cached public key (useful for testing)
 func (g *GPGVerifier) ClearCache() {
 	g.mu.Lock()

internal/ota/offline.go

@@ -3,7 +3,6 @@ package ota
 import (
 	"archive/tar"
 	"compress/gzip"
-	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
@@ -18,18 +17,17 @@ import (
 // OfflineBundle represents a validated offline update archive that has been
 // extracted and is ready for verification.
 type OfflineBundle struct {
-	BinaryPath   string // absolute path to the extracted binary
-	ExpectedHash string // SHA256 hex digest read from the .sha256 file
-	Signature    []byte // raw GPG signature bytes (nil if no .sig was present)
-	Component    string // "app" or "system"
+	BinaryPath    string // absolute path to the extracted binary
+	ExpectedHash  string // SHA256 hex digest read from the .sha256 file
+	Signature     []byte // raw GPG signature bytes
+	PublicKeyData []byte // armored GPG public key bytes
+	Component     string // "app" or "system"
 }
 
 // OfflineVerifyResult captures the outcome of offline bundle verification.
 type OfflineVerifyResult struct {
-	HashOK         bool   `json:"hashOK"`
-	SignatureOK    bool   `json:"signatureOK"`
-	SignatureError string `json:"signatureError,omitempty"`
-	KeyFetchFailed bool   `json:"keyFetchFailed"`
+	HashOK      bool   `json:"hashOK"`
+	SignatureOK bool   `json:"signatureOK"`
 }
 
 // expectedBinaryNames maps component names to the binary filename expected
@@ -59,7 +57,7 @@ func ExtractOfflineArchive(r io.Reader, destDir string, component string, l *zer
 
 	bundle := &OfflineBundle{Component: component}
 	fileCount := 0
-	const maxFiles = 3 // binary + .sha256 + .sig
+	const maxFiles = 4 // binary + .sha256 + .sig + .pub
 
 	for {
 		header, err := tr.Next()
@@ -120,6 +118,14 @@ func ExtractOfflineArchive(r io.Reader, destDir string, component string, l *zer
 			bundle.Signature = sig
 			l.Debug().Int("bytes", len(sig)).Msg("read signature")
 
+		case name == binaryName+".pub":
+			pub, err := io.ReadAll(io.LimitReader(tr, 65536))
+			if err != nil {
+				return nil, fmt.Errorf("error reading public key file: %w", err)
+			}
+			bundle.PublicKeyData = pub
+			l.Debug().Int("bytes", len(pub)).Msg("read public key")
+
 		default:
 			return nil, fmt.Errorf("unexpected file in archive: %s", name)
 		}
@@ -134,6 +140,9 @@ func ExtractOfflineArchive(r io.Reader, destDir string, component string, l *zer
 	if len(bundle.Signature) == 0 {
 		return nil, fmt.Errorf("archive missing required signature file: %s.sig", binaryName)
 	}
+	if len(bundle.PublicKeyData) == 0 {
+		return nil, fmt.Errorf("archive missing required public key file: %s.pub", binaryName)
+	}
 
 	return bundle, nil
 }
@@ -153,11 +162,10 @@ func extractFileFromTar(tr *tar.Reader, destPath string, mode int64) error {
 }
 
 // VerifyOfflineBundle checks the SHA256 hash and GPG signature of an
-// extracted offline bundle. Hash mismatches are always fatal. Signature
-// verification is attempted; if the GPG public key cannot be fetched
-// (air-gapped device), KeyFetchFailed is set instead of returning an error.
-// A bad signature (key available, verification failed) is always fatal.
-func VerifyOfflineBundle(ctx context.Context, bundle *OfflineBundle, gpgVerifier *GPGVerifier, l *zerolog.Logger) (*OfflineVerifyResult, error) {
+// extracted offline bundle. The bundled public key is validated against the
+// pinned root fingerprint before use — no keyserver access is required.
+// Hash mismatches and signature failures are always fatal.
+func VerifyOfflineBundle(bundle *OfflineBundle, gpgVerifier *GPGVerifier, l *zerolog.Logger) (*OfflineVerifyResult, error) {
 	result := &OfflineVerifyResult{}
 
 	// SHA256 verification
@@ -172,22 +180,15 @@ func VerifyOfflineBundle(ctx context.Context, bundle *OfflineBundle, gpgVerifier
 	result.HashOK = true
 	l.Info().Str("hash", hash).Msg("SHA256 hash verified")
 
-	// GPG signature verification
+	// GPG signature verification using the bundled public key
 	if len(bundle.Signature) == 0 {
 		return nil, fmt.Errorf("signature is required for offline updates")
 	}
+	if len(bundle.PublicKeyData) == 0 {
+		return nil, fmt.Errorf("public key is required for offline updates")
+	}
 
-	err = gpgVerifier.VerifySignatureFromFile(ctx, bundle.Signature, bundle.BinaryPath)
-	if err != nil {
-		errStr := err.Error()
-		// Distinguish between key-fetch failure (air-gapped) and actual bad signature.
-		// Key fetch failures contain "keyserver" or "fetch" or "cancelled" in the error chain.
-		if isKeyFetchError(errStr) {
-			result.KeyFetchFailed = true
-			result.SignatureError = errStr
-			l.Warn().Err(err).Msg("GPG key fetch failed (device may be air-gapped)")
-			return result, nil
-		}
+	if err := gpgVerifier.VerifySignatureFromFileWithKey(bundle.Signature, bundle.BinaryPath, bundle.PublicKeyData); err != nil {
 		return nil, fmt.Errorf("GPG signature verification failed: %w", err)
 	}
 
@@ -196,16 +197,6 @@ func VerifyOfflineBundle(ctx context.Context, bundle *OfflineBundle, gpgVerifier
 	return result, nil
 }
 
-// isKeyFetchError returns true if the error string indicates a key fetch
-// failure rather than an actual signature mismatch.
-func isKeyFetchError(errStr string) bool {
-	lower := strings.ToLower(errStr)
-	return strings.Contains(lower, "keyserver") ||
-		strings.Contains(lower, "fetch") ||
-		strings.Contains(lower, "cancelled") ||
-		strings.Contains(lower, "all keyservers failed")
-}
-
 // hashFile computes the SHA256 hex digest of the file at path.
 func hashFile(path string) (string, error) {
 	f, err := os.Open(path)