From 91084b83b4964dfe1b4ce8830aabeb49ec9254f4 Mon Sep 17 00:00:00 2001
From: gudvinr
Date: Mon, 18 Dec 2023 22:47:57 +0300
Subject: [PATCH] lib/upgrade: Extract signing key to embedded file (fixes #9247) (#9296)
### Purpose
Instead of hardcoding `SigningKey` as text use `go:embed`. Fixes #9247.
### Testing
* Building syncthing
* Trying to upgrade (signature verification)
---
 lib/upgrade/signingkey.go | 11 +++++------
 lib/upgrade/signingkey.pem | 6 ++++++
 2 files changed, 11 insertions(+), 6 deletions(-)
 create mode 100644 lib/upgrade/signingkey.pem
diff --git a/lib/upgrade/signingkey.go b/lib/upgrade/signingkey.go
index 57daa3227..df59c3946 100644
--- a/lib/upgrade/signingkey.go
+++ b/lib/upgrade/signingkey.go
@@ -6,14 +6,13 @@
 
 package upgrade
 
+import _ "embed"
+
 // SigningKey is the public key used to verify signed upgrades. It must match
 // the private key used to sign binaries for the built in upgrade mechanism to
 // accept an upgrade. Keys and signatures can be created and verified with the
 // stsigtool utility. The build script creates signed binaries when given the
 // -sign option.
-var SigningKey = []byte(`-----BEGIN EC PUBLIC KEY-----
-MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA1iRk+p+DsmolixxVKcpEVlMDPOeQ
-1dWthURMqsjxoJuDAe5I98P/A0kXSdBI7avm5hXhX2opJ5TAyBZLHPpDTRoBg4WN
-7jUpeAjtPoVVxvOh37qDeDVcjCgJbbDTPKbjxq/Ae3SHlQMRcoes7lVY1+YJ8dPk
-2oPfjA6jtmo9aVbf/uo=
------END EC PUBLIC KEY-----`)
+//
+//go:embed signingkey.pem
+var SigningKey []byte
diff --git a/lib/upgrade/signingkey.pem b/lib/upgrade/signingkey.pem
new file mode 100644
index 000000000..5f9f30649
--- /dev/null
+++ b/lib/upgrade/signingkey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA1iRk+p+DsmolixxVKcpEVlMDPOeQ
+1dWthURMqsjxoJuDAe5I98P/A0kXSdBI7avm5hXhX2opJ5TAyBZLHPpDTRoBg4WN
+7jUpeAjtPoVVxvOh37qDeDVcjCgJbbDTPKbjxq/Ae3SHlQMRcoes7lVY1+YJ8dPk
+2oPfjA6jtmo9aVbf/uo=
+-----END EC PUBLIC KEY-----
\ No newline at end of file
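Review bot: No test in this change checks that the embedded `SigningKey` is still a usable public key. The declaration `var SigningKey []byte` in signingkey.go now takes its bytes from `signingkey.pem`, so an edit to that file changes the upgrade trust anchor without touching any Go source. The build fails if the file is missing, but an empty or truncated file still compiles and would presumably only surface as rejected upgrades at run time. A small test in this package, for example `if b, _ := pem.Decode(SigningKey); b == nil { t.Fatal("no PEM block in signingkey.pem") }`, would catch that in CI. The doc comment could also say where the key lives, e.g. `// The key is embedded from signingkey.pem; changing that file changes which upgrades are accepted.`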