From 0fd4386e207c9e3957b628eaf94273955a4b9e30 Mon Sep 17 00:00:00 2001
From: Virgil <virgil@lethean.io>
Date: Thu, 2 Apr 2026 14:36:38 +0000
Subject: [PATCH] fix(manifest): reject invalid public keys in verify

Co-Authored-By: Virgil <virgil@lethean.io>
---
 manifest/loader_test.go | 14 ++++++++++++++
 manifest/sign.go        |  3 +++
 manifest/sign_test.go   |  9 +++++++++
 3 files changed, 26 insertions(+)

diff --git a/manifest/loader_test.go b/manifest/loader_test.go
index 6b49579..2948485 100644
--- a/manifest/loader_test.go
+++ b/manifest/loader_test.go
@@ -63,3 +63,17 @@ func TestLoadVerified_Bad_Tampered_Good(t *testing.T) {
 	_, err := LoadVerified(fs, ".", pub)
 	assert.Error(t, err)
 }
+
+func TestLoadVerified_Bad_InvalidPublicKey_Good(t *testing.T) {
+	fs := io.NewMockMedium()
+	fs.Files[".core/manifest.yaml"] = `
+code: signed-app
+name: Signed
+version: 1.0.0
+sign: c2ln
+`
+
+	_, err := LoadVerified(fs, ".", ed25519.PublicKey([]byte("short")))
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid public key length")
+}
diff --git a/manifest/sign.go b/manifest/sign.go
index 2cbf657..359c671 100644
--- a/manifest/sign.go
+++ b/manifest/sign.go
@@ -45,6 +45,9 @@ func Verify(m *Manifest, pub ed25519.PublicKey) (bool, error) {
 	if m.Sign == "" {
 		return false, coreerr.E("manifest.Verify", "no signature present", nil)
 	}
+	if len(pub) != ed25519.PublicKeySize {
+		return false, coreerr.E("manifest.Verify", "invalid public key length", nil)
+	}
 	sig, err := base64.StdEncoding.DecodeString(m.Sign)
 	if err != nil {
 		return false, coreerr.E("manifest.Verify", "decode failed", err)
diff --git a/manifest/sign_test.go b/manifest/sign_test.go
index 27ed86a..3543810 100644
--- a/manifest/sign_test.go
+++ b/manifest/sign_test.go
@@ -73,3 +73,12 @@ func TestVerify_Bad_NilManifest_Good(t *testing.T) {
 	assert.False(t, ok)
 	assert.Contains(t, err.Error(), "nil manifest")
 }
+
+func TestVerify_Bad_InvalidPublicKey_Good(t *testing.T) {
+	m := &Manifest{Code: "test-app", Sign: "c2ln"}
+
+	ok, err := Verify(m, ed25519.PublicKey([]byte("short")))
+	assert.Error(t, err)
+	assert.False(t, ok)
+	assert.Contains(t, err.Error(), "invalid public key length")
+}