Add GPG signing support for manifest generation

- Add --sign-key flag and MFER_SIGN_KEY env var to gen and freshen commands - Sign inner message multihash with GPG detached signature - Include signer fingerprint and public key in outer wrapper - Add comprehensive tests with temporary GPG keyring - Increase test timeout to 10s for GPG key generation
2025-12-18 02:12:54 -08:00
parent 308c583d57
commit 778999a285
10 changed files with 415 additions and 13 deletions
--- a/internal/cli/freshen.go
+++ b/internal/cli/freshen.go
@@ -227,6 +227,14 @@ func (mfa *CLIApp) freshenManifestOperation(ctx *cli.Context) error {

 	builder := mfer.NewBuilder()

+	// Set up signing options if sign-key is provided
+	if signKey := ctx.String("sign-key"); signKey != "" {
+		builder.SetSigningOptions(&mfer.SigningOptions{
+			KeyID: mfer.GPGKeyID(signKey),
+		})
+		log.Infof("signing manifest with GPG key: %s", signKey)
+	}
+
 	for _, e := range entries {
 		select {
 		case <-ctx.Done():
--- a/internal/cli/gen.go
+++ b/internal/cli/gen.go
@@ -25,6 +25,14 @@ func (mfa *CLIApp) generateManifestOperation(ctx *cli.Context) error {
 		Fs:              mfa.Fs,
 	}

+	// Set up signing options if sign-key is provided
+	if signKey := ctx.String("sign-key"); signKey != "" {
+		opts.SigningOptions = &mfer.SigningOptions{
+			KeyID: mfer.GPGKeyID(signKey),
+		}
+		log.Infof("signing manifest with GPG key: %s", signKey)
+	}
+
 	s := mfer.NewScannerWithOptions(opts)

 	// Phase 1: Enumeration - collect paths and stat files
--- a/internal/cli/mfer.go
+++ b/internal/cli/mfer.go
@@ -148,6 +148,12 @@ func (mfa *CLIApp) run(args []string) {
 						Aliases: []string{"P"},
 						Usage:   "Show progress during enumeration and scanning",
 					},
+					&cli.StringFlag{
+						Name:    "sign-key",
+						Aliases: []string{"s"},
+						Usage:   "GPG key ID to sign the manifest with",
+						EnvVars: []string{"MFER_SIGN_KEY"},
+					},
 				),
 			},
 			{
@@ -208,6 +214,12 @@ func (mfa *CLIApp) run(args []string) {
 						Aliases: []string{"P"},
 						Usage:   "Show progress during scanning and hashing",
 					},
+					&cli.StringFlag{
+						Name:    "sign-key",
+						Aliases: []string{"s"},
+						Usage:   "GPG key ID to sign the manifest with",
+						EnvVars: []string{"MFER_SIGN_KEY"},
+					},
 				),
 			},
 			{