httpd: always use an opaque signing key

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-06 22:30:56 +03:00 · 2024-11-12 19:27:34 +01:00
parent 4cb6acefb2
commit 618723c457
1 changed files with 6 additions and 3 deletions
--- a/internal/httpd/httpd.go
+++ b/internal/httpd/httpd.go
@@ -1309,11 +1309,14 @@ func stopCleanupTicker() {
 }

 func getSigningKey(signingPassphrase string) []byte {
+	var key []byte
 	if signingPassphrase != "" {
-		sk := sha256.Sum256([]byte(signingPassphrase))
-		return sk[:]
+		key = []byte(signingPassphrase)
+	} else {
+		key = util.GenerateRandomBytes(32)
 	}
-	return util.GenerateRandomBytes(32)
+	sk := sha256.Sum256(key)
+	return sk[:]
 }

 // SetInstallationCodeResolver sets a function to call to resolve the installation code