From 618723c457c814b2a8c3b97bc4f38a79264d4fb6 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Tue, 12 Nov 2024 19:27:34 +0100
Subject: [PATCH] httpd: always use an opaque signing key

Signed-off-by: Nicola Murino
---
 internal/httpd/httpd.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/internal/httpd/httpd.go b/internal/httpd/httpd.go
index af841670..4cec3a43 100644
--- a/internal/httpd/httpd.go
+++ b/internal/httpd/httpd.go
@@ -1309,11 +1309,14 @@ func stopCleanupTicker() {
 }

 func getSigningKey(signingPassphrase string) []byte {
+ var key []byte
 if signingPassphrase != "" {
- sk := sha256.Sum256([]byte(signingPassphrase))
- return sk[:]
+ key = []byte(signingPassphrase)
+ } else {
+ key = util.GenerateRandomBytes(32)
 }
- return util.GenerateRandomBytes(32)
+ sk := sha256.Sum256(key)
+ return sk[:]
 }

 // SetInstallationCodeResolver sets a function to call to resolve the installation code
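Review bot: In `getSigningKey`, the passphrase branch still derives the key with a single unsalted `sha256.Sum256`, so the key is only as strong as the passphrase itself, and a short or guessable passphrase can be tested offline against anything signed with it. Hashing the random fallback as well adds no entropy, and it would turn a short or empty result from `util.GenerateRandomBytes` (its body is not in this hunk) into a normal-looking 32-byte key. I would document the requirement on the function, e.g. `// getSigningKey returns the SHA-256 digest of signingPassphrase, or of 32 random bytes when it is empty; the passphrase must be a long random secret because no salt or key stretching is applied.`, and consider rejecting very short passphrases where the configuration is loaded. Moving to a real KDF would change the key derived from existing passphrases, so that would need a migration note.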