Verify config file signature

Read log key from config file in more places.
Check STH signature in storagegc.py

7 files changed, 26 insertions, 1 deletions

diff --git a/test/catlfish-test-local-1.cfg b/test/catlfish-test-local-1.cfg
index adc3e84..1795649 100644
--- a/test/catlfish-test-local-1.cfg
+++ b/test/catlfish-test-local-1.cfg
@@ -30,5 +30,9 @@ paths:
 ratelimits:
         add_chain: 10 per second
 
+logadminkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQ
+    Ah9sZ2CD+JeLbprS6AFcZbo0TGCH0rtEnr2Q3JW0ylhfA+
+    0/WLu755b3soVX/wI23vqCVGC7N9fOB2WUltveQ==
+
 #options:
 #        - sctcaching
diff --git a/test/catlfish-test-local-merge-2.cfg b/test/catlfish-test-local-merge-2.cfg
index 579e360..b871313 100644
--- a/test/catlfish-test-local-merge-2.cfg
+++ b/test/catlfish-test-local-merge-2.cfg
@@ -18,3 +18,7 @@ paths:
         publickeys: publickeys
         logpublickey: keys/logkey.pem
         privatekeys: privatekeys
+
+logadminkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQ
+    Ah9sZ2CD+JeLbprS6AFcZbo0TGCH0rtEnr2Q3JW0ylhfA+
+    0/WLu755b3soVX/wI23vqCVGC7N9fOB2WUltveQ==
diff --git a/test/catlfish-test-local-merge.cfg b/test/catlfish-test-local-merge.cfg
index 273b68e..3b4d45f 100644
--- a/test/catlfish-test-local-merge.cfg
+++ b/test/catlfish-test-local-merge.cfg
@@ -8,3 +8,7 @@ paths:
         privatekeys: privatekeys
         verifycert_bin: ../bin/verifycert.erl.escript
         known_roots: known_roots/
+
+logadminkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQ
+    Ah9sZ2CD+JeLbprS6AFcZbo0TGCH0rtEnr2Q3JW0ylhfA+
+    0/WLu755b3soVX/wI23vqCVGC7N9fOB2WUltveQ==
diff --git a/test/catlfish-test-local-signing.cfg b/test/catlfish-test-local-signing.cfg
index 386001e..df91bcd 100644
--- a/test/catlfish-test-local-signing.cfg
+++ b/test/catlfish-test-local-signing.cfg
@@ -19,3 +19,7 @@ paths:
 #        slot: 0
 #        label: mylabel
 #        pin: ffff
+
+logadminkey: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQ
+    Ah9sZ2CD+JeLbprS6AFcZbo0TGCH0rtEnr2Q3JW0ylhfA+
+    0/WLu755b3soVX/wI23vqCVGC7N9fOB2WUltveQ==
diff --git a/test/logadminkey-private.pem b/test/logadminkey-private.pem
new file mode 100644
index 0000000..4464169
--- /dev/null
+++ b/test/logadminkey-private.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKoa7p5gnAgd9L2t5N1L73MJ1OCj/zItvGoVMtsKPy4JoAoGCCqGSM49
+AwEHoUQDQgAEQAh9sZ2CD+JeLbprS6AFcZbo0TGCH0rtEnr2Q3JW0ylhfA+0/WLu
+755b3soVX/wI23vqCVGC7N9fOB2WUltveQ==
+-----END EC PRIVATE KEY-----
diff --git a/test/logadminkey.pem b/test/logadminkey.pem
new file mode 100644
index 0000000..43ff2c4
--- /dev/null
+++ b/test/logadminkey.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQAh9sZ2CD+JeLbprS6AFcZbo0TGC
+H0rtEnr2Q3JW0ylhfA+0/WLu755b3soVX/wI23vqCVGC7N9fOB2WUltveQ==
+-----END PUBLIC KEY-----
diff --git a/test/scripts/light-system-test-prepare.sh b/test/scripts/light-system-test-prepare.sh
index df45d25..84b06cd 100755
--- a/test/scripts/light-system-test-prepare.sh
+++ b/test/scripts/light-system-test-prepare.sh
@@ -50,7 +50,6 @@ printf 0 > mergedb-secondary/verifiedsize
 mkdir known_roots
 cp ${top_srcdir}/tools/testcerts/roots/* known_roots
 mkdir privatekeys
-mkdir publickeys
 echo "apikeys:" > api-keys.cfg
 for node in ${NODES}; do \
     (cd privatekeys ; ${top_srcdir}/tools/create-key.sh ${node})
@@ -66,6 +65,7 @@ echo "cafingerprint: ${cafingerprint}" >> api-keys.cfg
 
 
 cat ${top_srcdir}/test/catlfish-test.cfg.in api-keys.cfg > ${top_srcdir}/test/catlfish-test.cfg
+openssl dgst -sha256 -sign ${top_srcdir}/test/logadminkey-private.pem -out ${top_srcdir}/test/catlfish-test.cfg.sig ${top_srcdir}/test/catlfish-test.cfg
 for machine in ${MACHINES}; do \
     ${top_srcdir}/tools/compileconfig.py --config ${top_srcdir}/test/catlfish-test.cfg --localconfig ${top_srcdir}/test/catlfish-test-local-${machine}.cfg
     mkdir -p machine/machine-${machine}/db