
[bug] Make remote RPC server identity verification fail closed #347

@sizumita

Description


Affected component

imagod

Summary

Remote RPC currently performs silent TOFU for remote server keys. If a remote authority is not already pinned in , the first presented key is accepted and persisted automatically.

Steps to reproduce

  1. Configure a remote RPC authority that is not yet present in .
  2. Connect to it through the remote RPC path.
  3. Observe that an unknown presented key is accepted and written into .

Expected behavior

Unknown remote server identities should fail closed, or at minimum require an explicit confirmation/update path that is separate from the connection attempt.

Actual behavior

reports , and persists the presented key into before returning success.

Version

3f1c39e

Environment

other

Resource impact (optional)

unknown

Additional context

Evidence:

Security impact:

  • A MITM or malicious endpoint on first contact can permanently poison the trust store.

Suggested direction:

  • Require pre-pinned keys for first contact, or split "connect" from "trust this key" so persistence only happens via an explicit operator action.
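To make the two behaviours in this report concrete, the following is an added example (not imagod's code, and not the reporter's): a minimal pin store with the reported silent-TOFU verifier beside a fail-closed verifier that never writes to the store, plus a separate explicit "trust this key" operation. All names (`PinStore`, `verify_tofu`, `verify_pinned`, `trust_key`) and the in-memory store are hypothetical stand-ins for the real on-disk pin file.

```python
"""Added example: silent TOFU vs. fail-closed pinning with a separate trust step.

Not imagod's code. PinStore, verify_tofu, verify_pinned and trust_key are
hypothetical names chosen for this illustration.
"""
from dataclasses import dataclass, field
import hashlib
import hmac


class UnknownServerKey(Exception):
    """Authority has no pinned key; the fail-closed verifier refuses to connect."""


class KeyMismatch(Exception):
    """Presented key differs from the pinned one (possible MITM or key rotation)."""


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 hex fingerprint of a raw public key (constructed byte strings below)."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass
class PinStore:
    """In-memory stand-in for the persisted authority -> fingerprint pin file."""
    pins: dict = field(default_factory=dict)

    def get(self, authority: str):
        return self.pins.get(authority)

    def put(self, authority: str, fp: str) -> None:
        self.pins[authority] = fp


def verify_tofu(store: PinStore, authority: str, presented_key: bytes) -> bool:
    """The reported behaviour: an unknown key is accepted AND persisted on connect."""
    fp = fingerprint(presented_key)
    pinned = store.get(authority)
    if pinned is None:
        store.put(authority, fp)  # whoever answers first poisons the trust store
        return True
    return hmac.compare_digest(pinned, fp)


def verify_pinned(store: PinStore, authority: str, presented_key: bytes) -> bool:
    """Fail closed: the connection path only reads the store, never writes it."""
    pinned = store.get(authority)
    if pinned is None:
        raise UnknownServerKey(authority)
    if not hmac.compare_digest(pinned, fingerprint(presented_key)):
        raise KeyMismatch(authority)
    return True


def trust_key(store: PinStore, authority: str, presented_key: bytes,
              operator_confirmed: bool) -> str:
    """Explicit operator action, separate from any connection attempt.

    Returns the fingerprint that was pinned so the operator can compare it
    against an out-of-band value before or after confirming.
    """
    if not operator_confirmed:
        raise PermissionError("refusing to pin a key without explicit confirmation")
    fp = fingerprint(presented_key)
    store.put(authority, fp)
    return fp


def raises(exc_type, fn, *args, **kwargs) -> bool:
    """Small helper so callers can check failure modes without try/except noise."""
    try:
        fn(*args, **kwargs)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    # Constructed keys: "attacker" answers the first connection, "legit" is the real server.
    tofu_store = PinStore()
    print("TOFU accepts first key:", verify_tofu(tofu_store, "rpc-a", b"attacker"))
    print("TOFU now rejects real server:", verify_tofu(tofu_store, "rpc-a", b"legit"))

    pinned_store = PinStore()
    print("fail-closed refuses unknown:", raises(UnknownServerKey, verify_pinned,
                                                 pinned_store, "rpc-a", b"attacker"))
    print("store untouched:", pinned_store.get("rpc-a") is None)
    trust_key(pinned_store, "rpc-a", b"legit", operator_confirmed=True)
    print("fail-closed accepts pinned:", verify_pinned(pinned_store, "rpc-a", b"legit"))
```

The point of the split is visible in the last block of `__main__`: with TOFU, the first responder decides what gets persisted and the genuine server is rejected afterwards, whereas with the fail-closed path a failed connection leaves the store exactly as it was and only `trust_key` with `operator_confirmed=True` can add a pin.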

Metadata

Labels

bug (Something isn't working)