Prove NLBoot release-candidate workflow #8

Merged: mdheller merged 7 commits into main from chatgpt/release-candidate-proof, Apr 30, 2026

@mdheller
Member

This PR exists to trigger and prove .github/workflows/release-candidate.yml through the normal pull-request path.

Scope:

  • add docs/RELEASE_CANDIDATE_PROOF.md only;
  • no runtime behavior changes;
  • no host-changing behavior;
  • no release publication.

Acceptance:

  • release-candidate workflow runs;
  • workflow either succeeds and uploads the RC artifact, or fails with actionable logs for the next hardening PR.

Member Author

@copilot Please fix the remaining RC failure on this PR branch. Root cause: Rust canonical_manifest_payload does not match Python reference canonicalization. Python signs compact JSON with sorted keys: json.dumps(unsigned, sort_keys=True, separators=(",", ":")). Update Rust to recursively sort JSON object keys before serde_json::to_vec, preserve array order, then rerun make rust-test and the fixture targets. Keep scope limited to this verifier fix and any necessary workflow cache setting.

Comment thread rust/nlboot-client/src/main.rs Fixed
Comment thread rust/nlboot-client/src/main.rs Fixed
…cit key sorting

- Replace `ring` dependency with `rsa = { version = "0.9", features = ["sha2"] }`
  Root cause: ring's parse_public_key expects PKCS#1 RSAPublicKey DER but trusted
  key PEM is SubjectPublicKeyInfo format. rsa crate's from_public_key_pem() handles
  SubjectPublicKeyInfo correctly.

- Add sort_value_keys() helper that recursively sorts JSON object keys (matching
  Python's json.dumps(sort_keys=True)) by explicitly sorting entries before collecting,
  preserving array order. Used in canonical_manifest_payload().

- Remove pem = \"3\" dependency (no longer needed directly).

- Add rust/nlboot-client/.gitignore to exclude target/ directory.

- Update Cargo.lock to reflect new dependencies.

All 13 Rust tests pass. make validate, rust-check, rust-test and all fixture
targets pass.

Agent-Logs-Url: https://github.com/SociOS-Linux/nlboot/sessions/81ccb471-24d4-4d98-99a9-dfe20c34d90c

Co-authored-by: mdheller <21163552+mdheller@users.noreply.github.com>

Copilot AI commented Apr 30, 2026

@copilot Please fix the remaining RC failure on this PR branch. Root cause: Rust canonical_manifest_payload does not match Python reference canonicalization. Python signs compact JSON with sorted ke...

Fixed in fdd8c6d.

Root cause was actually two issues:

  1. Verifier incompatibility: ring's parse_public_key expects PKCS#1 RSAPublicKey DER (just SEQUENCE { INTEGER n, INTEGER e }), but the trusted key PEM is SubjectPublicKeyInfo format. Replaced ring with rsa = { version = "0.9", features = ["sha2"] } which correctly handles SubjectPublicKeyInfo via RsaPublicKey::from_public_key_pem().

  2. Explicit key sorting: Added sort_value_keys() helper that recursively sorts JSON object keys by explicitly sorting entries before collecting (matching Python's json.dumps(sort_keys=True, separators=(",",":"))) and preserving array order. Used in canonical_manifest_payload().

All 13 Rust tests pass. make validate, make rust-check, make rust-test, and all fixture targets pass.
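
Added example, not code from this PR or the NLBoot repository: the Python reference canonicalization quoted in the thread, run on a constructed manifest to show why a serializer that keeps insertion order produces different signed bytes. The manifest fields, the `signature` field name and every function name here are assumptions.

```python
import hashlib
import json

# Constructed sample manifest; field names are assumptions, not NLBoot's schema.
SAMPLE = {
    "version": 1,
    "artifacts": [
        {"sha256": "ab" * 32, "name": "kernel"},
        {"name": "initrd", "sha256": "cd" * 32},
    ],
    "channel": "rc",
    "signature": "PLACEHOLDER",
}

def unsigned_view(manifest, signature_field="signature"):
    """Drop the signature field (name assumed) so only signed content remains."""
    return {k: v for k, v in manifest.items() if k != signature_field}

def canonical_payload(manifest):
    """Signed bytes: keys sorted at every depth, compact separators, array order kept."""
    return json.dumps(unsigned_view(manifest), sort_keys=True, separators=(",", ":")).encode()

def insertion_order_payload(manifest):
    """Same data without sorting, as an order-preserving encoder would emit it."""
    return json.dumps(unsigned_view(manifest), separators=(",", ":")).encode()

def reverse_keys(value):
    """Copy with every object's keys reversed; arrays keep their order."""
    if isinstance(value, dict):
        return {k: reverse_keys(value[k]) for k in reversed(list(value))}
    if isinstance(value, list):
        return [reverse_keys(v) for v in value]
    return value

def non_ascii_strings(value, path="$"):
    """Paths of string values json.dumps escapes as \\uXXXX (ensure_ascii defaults to True).
    A verifier that re-serializes them as raw UTF-8 gets different bytes even with sorted keys."""
    if isinstance(value, str):
        return [] if value.isascii() else [path]
    if isinstance(value, dict):
        return [p for k, v in value.items() for p in non_ascii_strings(v, f"{path}.{k}")]
    if isinstance(value, list):
        return [p for i, v in enumerate(value) for p in non_ascii_strings(v, f"{path}[{i}]")]
    return []

if __name__ == "__main__":
    shuffled = reverse_keys(SAMPLE)
    for name, fn in (("sorted", canonical_payload), ("insertion-order", insertion_order_payload)):
        same = hashlib.sha256(fn(SAMPLE)).digest() == hashlib.sha256(fn(shuffled)).digest()
        print(f"{name:16} digest stable across key order: {same}")
```
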

@mdheller mdheller merged commit 2b4dd59 into main Apr 30, 2026
8 checks passed