fix(catalogue): rotate signing key + re-sign after #255; sign #255 test fixtures

The previous catalogue trust anchor's private key
(publicKeyB64 = "5aCD92R0UoZ2lGW6PYZeRrDw63ZNBC5oJZxFB8RNOPQ=") was lost and is
unrecoverable, so the committed catalogue.json.sig could never be regenerated
to match an edited catalogue. This anchor existed only on this PR branch — not
on main and not in any shipped binary — so rotating it now has zero
installed-base impact.

Changes:
- Generate a fresh ed25519 release keypair (private key stored only outside the
  repo, never committed) and embed its public half as the new trust anchor:
  publicKeyB64 = "iHdBWayA/hYjkwUOZopTXY70qOlR90d6ii/hin0ZMdI="
- Re-sign catalogue/catalogue.json with the new key (catalogue/catalogue.json.sig),
  which now verifies fail-closed against the embedded key.
- Fix the test fixtures #255 left unsigned: stageCatalogue now signs each
  fixture with a per-test ephemeral key (swapped into the embedded anchor for
  the test's duration via catalogtrust.SignWithEphemeralKey, restored on
  cleanup). Tests exercise REAL fail-closed verification against a VALID
  signature — the gate is not skipped, disabled, or weakened; the negative
  tests (missing-signature, tamper) still pass.

Rebased onto origin/main, reconciling #255's v2 metadata schema with this
branch's catalogue signing (kept the fail-closed sig gate in loadCatalogue,
both `view` and `sign-catalogue` subcommands, and main's metadata pin
discipline in catalogue/README.md).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: teovl

catalogue/catalogue.json.sig

@@ -1 +1 @@
-CD3TrFKmG4MxgX0eK85z6jPgqpH3gb6+8px87iVALCYF7x7//FqByN3CCkBtHIgxgDUE5afGKJptWNpddw6SCw==
+VuWWD6mSCOQR1LLYWxhdUdDu/RHQQXr0UZJBh6fOmy7VyIgcM/W/yeMNo7ym0pYy70KN19xFbDe9SvPjdeFoBw==

cmd/pilotctl/zz_appstore_view_test.go

@@ -4,22 +4,40 @@ package main
 
 import (
 	"crypto/sha256"
+	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
+
+	"github.com/TeoSlayer/pilotprotocol/internal/catalogtrust"
 )
 
-// stageCatalogue writes a catalogue.json to a tempdir and points
-// PILOT_APPSTORE_CATALOG_URL at it via file://.
+// stageCatalogue writes a catalogue.json to a tempdir, signs it with an
+// ephemeral catalogue key (whose public half is swapped into the embedded
+// trust anchor for the duration of the test), writes the detached
+// <catalogue>.sig, and points PILOT_APPSTORE_CATALOG_URL at it via file://.
+//
+// loadCatalogue verifies fail-closed against the embedded key, so the
+// fixture MUST carry a valid signature — staging an unsigned fixture would
+// (correctly) be rejected. Signing with a per-test key, rather than
+// disabling the gate, keeps these tests exercising the real verification
+// path against a valid signature. The original embedded key is restored via
+// t.Cleanup so tests stay isolated.
 func stageCatalogue(t *testing.T, catJSON string) {
 	t.Helper()
-	p := filepath.Join(t.TempDir(), "catalogue.json")
+	dir := t.TempDir()
+	p := filepath.Join(dir, "catalogue.json")
 	if err := os.WriteFile(p, []byte(catJSON), 0o600); err != nil {
 		t.Fatal(err)
 	}
+	sig, restore := catalogtrust.SignWithEphemeralKey([]byte(catJSON))
+	t.Cleanup(restore)
+	if err := os.WriteFile(p+".sig", []byte(base64.StdEncoding.EncodeToString(sig)+"\n"), 0o600); err != nil {
+		t.Fatal(err)
+	}
 	t.Setenv("PILOT_APPSTORE_CATALOG_URL", "file://"+p)
 }
 

internal/catalogtrust/catalogtrust.go

@@ -22,7 +22,7 @@ import (
 //	-ldflags "-X github.com/TeoSlayer/pilotprotocol/internal/catalogtrust.publicKeyB64=<b64>"
 //
 // The compiled-in default is the current production catalogue key.
-var publicKeyB64 = "5aCD92R0UoZ2lGW6PYZeRrDw63ZNBC5oJZxFB8RNOPQ="
+var publicKeyB64 = "iHdBWayA/hYjkwUOZopTXY70qOlR90d6ii/hin0ZMdI="
 
 // ErrNoKey is returned when the embedded key is missing or malformed.
 // Fail-closed: with no trust anchor, nothing verifies.

internal/catalogtrust/testsupport.go

@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package catalogtrust
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+)
+
+// SignWithEphemeralKey is a TEST-ONLY helper for packages outside
+// catalogtrust (e.g. cmd/pilotctl) that need to stage a catalogue fixture
+// the fail-closed loader will accept. It generates a throwaway ed25519
+// keypair, swaps the package's embedded public key (publicKeyB64) to the
+// generated public half, signs data with the private half, and returns the
+// detached signature plus a restore func that puts the original embedded
+// key back.
+//
+// This exists so fixture-based tests exercise REAL fail-closed verification
+// against a VALID signature, rather than disabling or weakening the gate.
+// It is not referenced by any production code path.
+//
+// Usage:
+//
+//	sig, restore := catalogtrust.SignWithEphemeralKey(catalogueBytes)
+//	defer restore()
+//	// write catalogueBytes + base64(sig) and point the loader at them
+func SignWithEphemeralKey(data []byte) (sig []byte, restore func()) {
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		panic("catalogtrust: ephemeral key generation failed: " + err.Error())
+	}
+	orig := publicKeyB64
+	publicKeyB64 = base64.StdEncoding.EncodeToString(pub)
+	return ed25519.Sign(priv, data), func() { publicKeyB64 = orig }
+}