fix(security): UPnP opt-in, bounded SSE reader, signed self-update

Phase 2 security audit follow-up. Three independent hardenings against the unauthenticated daemon surface, the long-lived agent SSE stream and the self-update channel. UPnP is now opt-in. The stream port + /hls endpoints have no auth, so publishing them on the WAN via the gateway was a default that exposed active downloads to anyone scanning the operator's external IP. New config downloads.enable_upnp (default false) gates the mapping; LAN and Tailscale clients continue to work unchanged. A startup log makes the new default visible. The agent SSE reader now uses a bounded bufio.Scanner instead of an unbounded ReadString. A hostile or buggy server can no longer grow daemon memory by streaming a single line forever or by emitting unbounded data: continuation lines — both are capped at 256 KiB and 1 MiB respectively, and an error is surfaced so SignalLoop reconnects. Self-update now verifies an ed25519 signature over checksums.txt when the binary was built with a release public key embedded (injected via goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion scripts/sign-checksums runs in the release workflow when both the public-key variable and the private-key secret are present, uploading checksums.txt.sig next to the existing checksums file. Builds without the embedded key continue to update with SHA256-only verification; a --allow-unsigned flag is provided so users on a signed build can still install pre-signing releases or recover from an accidental unsigned release. A new scripts/gen-release-key helper documents the one-time keypair generation procedure required before flipping signing on.
2026-05-15 17:29:22 +02:00 · 2026-05-15 17:29:22 +02:00 · 433e375def
commit 433e375def
parent c148cb8ce7
17 changed files with 551 additions and 32 deletions
--- a/scripts/gen-release-key/main.go
+++ b/scripts/gen-release-key/main.go
@ -0,0 +1,37 @@
+// gen-release-key generates an ed25519 keypair for signing release artifacts.
+// Run once per repository, then store the printed values:
+//
+//	RELEASE_SIGNING_KEY     → GitHub Actions secret (private key, base64)
+//	RELEASE_SIGNING_PUBKEY  → GitHub Actions variable (public key, base64)
+//
+// The public key is injected into the binary at build time via the
+// goreleaser ldflags entry that resolves
+// `github.com/torrentclaw/unarr/internal/upgrade.releasePubKeyBase64`.
+// The private key is used by the workflow's "Sign checksums.txt" step.
+//
+// Build and run:
+//
+//	go run ./scripts/gen-release-key
+package main
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+)
+
+func main() {
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println("# Add the following to your GitHub repository:")
+	fmt.Println("#   - Settings → Secrets and variables → Actions → New repository secret")
+	fmt.Println("#       RELEASE_SIGNING_KEY  =  <PRIVATE_KEY_BASE64 below>")
+	fmt.Println("#   - Settings → Secrets and variables → Actions → New repository variable")
+	fmt.Println("#       RELEASE_SIGNING_PUBKEY  =  <PUBLIC_KEY_BASE64 below>")
+	fmt.Println()
+	fmt.Printf("PUBLIC_KEY_BASE64=%s\n", base64.StdEncoding.EncodeToString(pub))
+	fmt.Printf("PRIVATE_KEY_BASE64=%s\n", base64.StdEncoding.EncodeToString(priv))
+}