Repoint the trust anchor at the catalogue pin (keep VerifyTrustAnchor)

[Alexgodoroja]

Repoint the trust anchor at the catalogue pin (keep the mechanism)

Reworked per review. The previous version dropped VerifyTrustAnchor entirely,
which was a regression against #23 (any self-signed manifest in the install root
would pass). This version keeps the anchor and repoints it at the catalogue,
which is the actual root of trust.

What changed

• Manifest.VerifyTrustAnchor(cataloguePublisher string) — kept as the
  mechanism, but now confirms Store.Publisher equals the publisher key the
  release-signed catalogue pins for the app. Empty/unpinned ⇒ fail-closed.
• Removed the unused package-global TrustedPublishers (nothing populated it; an
  empty list made Enforce trust anchor for non-sideloaded installs #23 enforcement skip every catalogue app). The catalogue pin
  replaces it.
• Config.CataloguePublisher(appID) (pub string, pinned bool) — the daemon
  supplies this from the catalogue it has signature-verified with CatalogPubkey.
• Supervisor catalogue path: VerifySignature + VerifyTrustAnchor(pin). A
  nil provider or an unpinned app ⇒ fail-closed (not spawned). Sideload unchanged
  (still clamped to the safe grant subset).

Why this satisfies the trust requirement

Trust is anchored to something the installer pins: the catalogue is signed by the
embedded release key and pins each app; the supervisor re-confirms on every launch
that the installed manifest is published by the catalogue-declared key. A
typo-squatted or compromised entry can't install arbitrary code without being in
the release-signed catalogue. No static list, no env var.

Tests (-race, full app-store suite green)

• CataloguePinnedAppAccepted — pinned + matching publisher ⇒ accepted
• UntrustedPublisherWithoutMarkerRejected — pinned, publisher ≠ pin ⇒ rejected
• AppNotPinnedByCatalogueRejected — valid self-sig but not in catalogue ⇒ rejected
• NilCataloguePublisherFailsClosed — no provider wired ⇒ rejected
• repointed Manifest.VerifyTrustAnchor unit tests

Must land with its companions (or the daemon fail-closes)

1. daemon: load + signature-verify the catalogue and supply CataloguePublisher
   (id → publisher) to appstore.Config.
2. catalogue: each entry declares its publisher ed25519 key (the pin).

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 91.30435% with 2 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
pkg/manifest/manifest.go	89.47%	1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

[TeoSlayer]

This conflicts directly with the trust-anchor enforcement added in #23 (merged 2026-06-22).

#23 made catalogue (non-sideloaded) installs fail-closed: a manifest must verify against a trusted-publisher anchor, not just carry a valid self-signature. This PR removes manifest.TrustedPublishers and Manifest.VerifyTrustAnchor, which (a) breaks external callers of those exported symbols, and (b) re-opens the hole — scanInstalled would again accept an app self-signed by any key as long as it appears in the catalogue.

"Catalogue is the source of truth" is reasonable, but the trust decision still has to be anchored to something the installer pins — otherwise a compromised or typo-squatted catalogue entry installs arbitrary code. If we move to catalogue-pin-only, the enforced anchor should become the catalogue signature/pin (ideally keep VerifyTrustAnchor as the mechanism, repointed at the catalogue key) rather than dropping anchor verification entirely.

Recommendation: hold until we agree the trust model. As written this is a security regression against #23.