openfused 0.3.18 → 0.3.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +4 -7
- package/package.json +1 -1
package/dist/cli.js
CHANGED
|
@@ -635,12 +635,9 @@ program
|
|
|
635
635
|
const reg = registry.resolveRegistry(opts.registry);
|
|
636
636
|
try {
|
|
637
637
|
const manifest = await registry.discover(name, reg);
|
|
638
|
-
// Auto-import key
|
|
639
|
-
//
|
|
640
|
-
|
|
641
|
-
// NOTE: manifest data comes from the registry and is attacker-controlled.
|
|
642
|
-
// The endpoint URL is stored as-is; a malicious entry could point at an internal
|
|
643
|
-
// service. Sync will pull from it — consider validating URL scheme/host.
|
|
638
|
+
// Auto-import key + add as peer. Keys are untrusted by default.
|
|
639
|
+
// Trust is a local decision — use `openfuse key trust <name>` after verifying.
|
|
640
|
+
const dnsDiscovered = false; // never auto-trust — user must explicitly trust
|
|
644
641
|
let config = await store.readConfig();
|
|
645
642
|
if (!config.keyring.some((e) => e.signingKey === manifest.publicKey)) {
|
|
646
643
|
config.keyring.push({
|
|
@@ -649,7 +646,7 @@ program
|
|
|
649
646
|
signingKey: manifest.publicKey,
|
|
650
647
|
encryptionKey: manifest.encryptionKey,
|
|
651
648
|
fingerprint: manifest.fingerprint,
|
|
652
|
-
trusted:
|
|
649
|
+
trusted: dnsDiscovered,
|
|
653
650
|
added: new Date().toISOString(),
|
|
654
651
|
});
|
|
655
652
|
}
|