aquaproj / aqua

Declarative CLI Version manager written in Go. Support Lazy Install, Registry, and continuous update with Renovate. CLI version is switched seamlessly
https://aquaproj.github.io

Specify public key for minisign by URL or asset file name in GitHub Releases #3073

Open sapphi-red opened 2 months ago

sapphi-red commented 2 months ago

Feature Overview

Support specifying a public key for minisign by URL or by asset file name in GitHub Releases, like the public_key_url written in #2978.

Why is the feature needed?

https://github.com/aquaproj/aqua/pull/2994 added support for verifying with minisign. cargo-bins/cargo-binstall signs the artifacts using minisign with an ephemeral key and uploads the generated public key for every release. This means it's not possible to use the public_key option, which is a static value.

https://github.com/cargo-bins/cargo-binstall/releases/tag/v1.4.1#:~:text=We%20use%20a%20just%2Din%2Dtime%20ephemeral%20key%20or%20%22keyless%22%20setup%20which%20generates%20a%20brand%20new%20signing%20key%20for%20every%20release.

The v2.31.0 release post's example code includes the public_key_url option, but it seems it doesn't work and wasn't implemented by #2994, if I'm not missing anything. At least, the JSON schema in the PR doesn't include that option.

Workaround

No response

Example Code

An example of how to use this feature in the registry config:

```yaml
minisign:
  type: github_release
  asset: cargo-binstall-{{.Arch}}-{{.OS}}.{{.Format}}.sig
  public_key:
    type: github_release
    asset: minisign.pub
```

```yaml
minisign:
  type: github_release
  asset: cargo-binstall-{{.Arch}}-{{.OS}}.{{.Format}}.sig
  public_key:
    type: http
    url: https://github.com/cargo-bins/cargo-binstall/releases/download/v{{.Version}}/minisign.pub
```

Note

No response

suzuki-shunsuke commented 2 months ago

Thank you for your proposal. Hmm. If we support this feature, I think we need to store public keys somewhere like aqua-checksums.json to prevent them from being tampered with.
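An added example, not aqua's or cargo-binstall's code, showing what the two comments above amount to in Go's standard library: parsing a minisign .pub file fetched from a release, verifying the .sig file against it, and pinning the fetched key per version so a later swap of key plus signature plus artifact is detected. It assumes minisign's legacy "Ed" mode (signature over the raw file); real minisign output is usually the prehashed "ED" mode, which additionally needs Blake2b-512 and is rejected here rather than silently accepted.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strings"
)

// VerifyMinisign checks data against a minisign .pub file ("Ed"||8-byte key id||32-byte
// Ed25519 key on its last line) and a 4-line .sig file in legacy "Ed" mode (signature
// over the raw file). The prehashed "ED" mode also needs Blake2b-512, which is not in
// the Go stdlib, so it is rejected here. The global signature binds the trusted comment.
func VerifyMinisign(pubFile, sigFile string, data []byte) error {
	pl := strings.Split(strings.TrimSpace(pubFile), "\n")
	pub, err := base64.StdEncoding.DecodeString(strings.TrimSpace(pl[len(pl)-1]))
	if err != nil || len(pub) != 42 || string(pub[:2]) != "Ed" {
		return errors.New("malformed minisign public key")
	}
	pk := ed25519.PublicKey(pub[10:])
	l := strings.Split(strings.TrimSpace(sigFile), "\n")
	if len(l) != 4 {
		return errors.New("signature file must have 4 lines")
	}
	sig, err := base64.StdEncoding.DecodeString(l[1])
	if err != nil || len(sig) != 74 || string(sig[:10]) != "Ed"+string(pub[2:10]) {
		return errors.New("malformed, prehashed, or wrong-key signature")
	}
	trusted := strings.TrimPrefix(l[2], "trusted comment: ")
	global, err := base64.StdEncoding.DecodeString(l[3])
	if err != nil || !ed25519.Verify(pk, data, sig[10:]) ||
		!ed25519.Verify(pk, append(append([]byte{}, sig[10:]...), trusted...), global) {
		return errors.New("bad file or global signature")
	}
	return nil
}

// PinKey stores the .pub content fetched for a release on first use and rejects a later
// change, the aqua-checksums.json idea from the maintainer's comment. Because the key is
// ephemeral per release, the pin is keyed by version rather than by tool.
func PinKey(store map[string]string, version, pubFile string) error {
	key := strings.TrimSpace(pubFile)
	if prev, ok := store[version]; ok && prev != key {
		return errors.New("public key for " + version + " changed since it was pinned")
	}
	store[version] = key
	return nil
}
```

Without PinKey, a public key fetched from the same release as the artifact only proves the asset, signature and key were uploaded together; the pin is what turns that into something an attacker who later gains release-asset access cannot silently replace.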