
daemon: anchor catalogue apps to the catalogue publisher pin (companion to app-store#25) #324

Merged: TeoSlayer merged 2 commits into main from daemon-catalogue-anchor on Jun 23, 2026

@Alexgodoroja

Collaborator

Anchor catalogue apps to the catalogue publisher pin

Companion to pilot-protocol/app-store#25 (which repoints VerifyTrustAnchor
at the catalogue). Together they replace the broken per-publisher allow-list with
a real catalogue-anchored trust check — no static list, no PILOT_TRUSTED_PUBLISHERS.

What this adds

  • internal/catalogue — fetches + signature-verifies the catalogue (same
    catalogtrust gate pilotctl uses) and serves id → publisher pins. Periodic
    refresh + disk cache so a transient catalogue outage on restart doesn't
    fail-close every app; with neither catalogue nor cache, apps fail closed.
  • cmd/daemon — builds the provider and wires appstore.Config.CataloguePublisher.
  • cmd/pilotctl: publisher field on the catalogue entry schema.
  • catalogue/catalogue.json — pins every app (cosift/sixtyfour/wallet/smol),
    re-signed with the catalogue key.

Tested

  • internal/catalogue unit tests (-race): verify gate, tampered/missing-sig
    rejection, cache fallback, fail-closed-when-empty.
  • e2e on a fresh node against the real re-signed catalogue: 4 pins loaded;
    smol installs → daemon spawns it (publisher == pin) → microVM exit 0.
  • Negative e2e: a catalogue with the wrong pin → daemon refuses to spawn
    (publisher … does not match the catalogue pin for io.pilot.smolmachines).

Release coupling

Bumps app-store to the #25 commit. #25 + this must release together: #25
fail-closes without these pins; old daemons ignore the new publisher field.

🤖 Generated with Claude Code

@Alexgodoroja Alexgodoroja requested a review from TeoSlayer as a code owner June 23, 2026 19:35
Companion to app-store#25 (which repoints VerifyTrustAnchor at the catalogue).
The daemon now loads the per-app publisher pins from the release-signed catalogue
and feeds them to the app-store supervisor, which confirms each non-sideloaded
app's manifest publisher matches its pin before spawning. No static list, no env.

- internal/catalogue: fetch + signature-verify (catalogtrust) the catalogue and
  serve id -> publisher pins; periodic refresh + disk cache so a transient
  catalogue outage on restart doesn't fail-close every app. Unit-tested (-race):
  verify gate, tamper/missing-sig rejection, cache fallback, fail-closed.
- cmd/daemon: build the provider, wire Config.CataloguePublisher, refresh loop.
- cmd/pilotctl: add the `publisher` field to the catalogue entry schema.
- catalogue/catalogue.json: pin every app's publisher (cosift, sixtyfour, wallet,
  smolmachines) and re-sign.
- go.mod: bump app-store to the #25 (catalogue-pin) commit.

e2e (fresh node, real re-signed catalogue): 4 pins loaded; smol installs, spawns
(publisher == pin), boots a microVM (exit 0). Negative: a mismatched pin makes
the daemon refuse to spawn ("publisher ... does not match the catalogue pin").

Depends on pilot-protocol/app-store#25; must release together.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread cmd/daemon/main.go Dismissed
Comment thread cmd/daemon/main.go Dismissed
Comment thread internal/catalogue/catalogue.go Dismissed
TeoSlayer previously approved these changes Jun 23, 2026
Replaces the pre-merge branch pseudo-version with the released v1.0.2 tag
(app-store cecb842, the #25 repoint merge), so the dep is immutable and
branch-deletion-proof.
@Alexgodoroja Alexgodoroja requested a review from TeoSlayer June 23, 2026 19:52
@TeoSlayer TeoSlayer merged commit 1acfbd1 into main Jun 23, 2026
15 checks passed
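
The trust check this PR describes (verify the catalogue signature, serve id → publisher pins, fall back to a cached copy, fail closed with neither) shown as an added Go example; it is not the code from this PR or from app-store. `Signed`, `loadPins`, `resolvePins` and `checkPublisher` are hypothetical names, and the detached Ed25519 signature, the `apps` JSON layout and the `pub-A`/`pub-B` values are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

type Signed struct{ Body, Sig []byte } // catalogue bytes + detached Ed25519 signature (assumed layout)

// loadPins verifies the signature before parsing, then returns id -> publisher.
func loadPins(key ed25519.PublicKey, s *Signed) (map[string]string, error) {
	if s == nil || !ed25519.Verify(key, s.Body, s.Sig) {
		return nil, fmt.Errorf("catalogue signature missing or invalid")
	}
	var doc struct{ Apps []struct{ ID, Publisher string } }
	if err := json.Unmarshal(s.Body, &doc); err != nil {
		return nil, err
	}
	pins := map[string]string{}
	for _, a := range doc.Apps {
		pins[a.ID] = a.Publisher
	}
	return pins, nil
}

// resolvePins tries the fresh fetch, then the re-verified disk cache; with neither, no pins.
func resolvePins(key ed25519.PublicKey, fetched, cached *Signed) map[string]string {
	for _, src := range []*Signed{fetched, cached} {
		if pins, err := loadPins(key, src); err == nil {
			return pins
		}
	}
	return nil
}

// checkPublisher is the spawn gate: a missing or mismatched pin refuses the app.
func checkPublisher(pins map[string]string, id, publisher string) error {
	if pin, ok := pins[id]; !ok || pin == "" || pin != publisher {
		return fmt.Errorf("publisher %q does not match the catalogue pin for %s", publisher, id)
	}
	return nil
}

func main() { // constructed demo: the fetch is down, the signed cache still yields pins
	pub, priv, _ := ed25519.GenerateKey(nil)
	body := []byte(`{"apps":[{"id":"io.pilot.smolmachines","publisher":"pub-A"}]}`)
	pins := resolvePins(pub, nil, &Signed{body, ed25519.Sign(priv, body)})
	fmt.Println(checkPublisher(pins, "io.pilot.smolmachines", "pub-B"))
}
```

The cache goes through the same signature gate as a fresh fetch, so a modified cache file cannot supply pins; an empty pin set makes every lookup fail.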