add SchemaPin signature files and fix verification key lookup

Sign all 7 signature JSON files with ECDSA-P256-SHA256. Fix
_verify_signature to accept both public_key and public_key_pem
fields in .sig files.

Author: symbibot

agentsniff/signatures/__init__.py

@@ -52,7 +52,7 @@ def _verify_signature(data: Any, sig_filename: str) -> str:
             sig_data = json.load(f)
 
         signature_b64 = sig_data.get("signature", "")
-        public_key_pem = sig_data.get("public_key_pem", "")
+        public_key_pem = sig_data.get("public_key_pem", "") or sig_data.get("public_key", "")
 
         if not signature_b64 or not public_key_pem:
             return UNVERIFIED

agentsniff/signatures/agent_infra_domains.sig

@@ -0,0 +1,5 @@
+{
+  "signature": "MEQCIHjmHYSqhYGGuJYId/u7NXZiy0m0bdbROGEuC/xsvV7ZAiA1vcDnhOjRli6mH5RxuXsbT8gMb1FoG9zedSJ1B661VA==",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtWBDdK89Cr/0slpX6WuNDCj9nHJ/\nnGaueO0f7RhDViZLQIZ5GN8NakL85/doQIa1ct53WHhrvx5sihXFyrumhA==\n-----END PUBLIC KEY-----\n",
+  "algorithm": "ECDSA-P256-SHA256"
+}

agentsniff/signatures/domain_suffixes.sig

@@ -0,0 +1,5 @@
+{
+  "signature": "MEYCIQDDJ+j4c7AzbxFHKhZ2zklUes6XiH+amQZ6fXdHiO3/HAIhAOBlUMqBtZiYL31u4dVtFMcsxcaeufiC3cFeqArcAQx0",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtWBDdK89Cr/0slpX6WuNDCj9nHJ/\nnGaueO0f7RhDViZLQIZ5GN8NakL85/doQIa1ct53WHhrvx5sihXFyrumhA==\n-----END PUBLIC KEY-----\n",
+  "algorithm": "ECDSA-P256-SHA256"
+}

agentsniff/signatures/frameworks.sig

@@ -0,0 +1,5 @@
+{
+  "signature": "MEQCIBRiBqB73OTA/fkzgETYqh/gN5czrgCHW0Ypo8FuTY8KAiBE4wJQMOurx4FGcAbRpo2UR+6v9FKbBHp3j/JF6xGm0A==",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtWBDdK89Cr/0slpX6WuNDCj9nHJ/\nnGaueO0f7RhDViZLQIZ5GN8NakL85/doQIa1ct53WHhrvx5sihXFyrumhA==\n-----END PUBLIC KEY-----\n",
+  "algorithm": "ECDSA-P256-SHA256"
+}

agentsniff/signatures/llm_domains.sig

@@ -0,0 +1,5 @@
+{
+  "signature": "MEUCIESJmDHcRRKK71ho79n/z/T9QOVcbeqmh2WDW+52NjQZAiEA38cAfO7HXObFHZkqr1ij0IFeTwu1I+nXz26vx/5tuuo=",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtWBDdK89Cr/0slpX6WuNDCj9nHJ/\nnGaueO0f7RhDViZLQIZ5GN8NakL85/doQIa1ct53WHhrvx5sihXFyrumhA==\n-----END PUBLIC KEY-----\n",
+  "algorithm": "ECDSA-P256-SHA256"
+}

agentsniff/signatures/mcp_methods.sig

@@ -0,0 +1,5 @@
+{
+  "signature": "MEUCIQDpBijmsIhG0ho3PPcwOQgX1/D84JaBwIwtI8Awaw2SfAIgLgve835keNGo9cPlKZuiKi+vHItqYBJCOlCYg5gcFDA=",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtWBDdK89Cr/0slpX6WuNDCj9nHJ/\nnGaueO0f7RhDViZLQIZ5GN8NakL85/doQIa1ct53WHhrvx5sihXFyrumhA==\n-----END PUBLIC KEY-----\n",
+  "algorithm": "ECDSA-P256-SHA256"
+}

agentsniff/signatures/ports.sig

@@ -0,0 +1,5 @@
+{
+  "signature": "MEUCIQDpCoHXGDMBqTWQ5mCeRMSfy2u+03fW80ir7+iXlAyoPQIgdOfJBpVEav81pZ90pJAghSpWhwu/8dq2gkIAhD3q5+U=",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtWBDdK89Cr/0slpX6WuNDCj9nHJ/\nnGaueO0f7RhDViZLQIZ5GN8NakL85/doQIa1ct53WHhrvx5sihXFyrumhA==\n-----END PUBLIC KEY-----\n",
+  "algorithm": "ECDSA-P256-SHA256"
+}

agentsniff/signatures/signing_key.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtWBDdK89Cr/0slpX6WuNDCj9nHJ/
+nGaueO0f7RhDViZLQIZ5GN8NakL85/doQIa1ct53WHhrvx5sihXFyrumhA==
+-----END PUBLIC KEY-----

agentsniff/signatures/tls_fingerprints.sig

@@ -0,0 +1,5 @@
+{
+  "signature": "MEUCIGFiEp09R1lEi1aZzEIwODNhSGbux9H/vbaRfpoFfWn1AiEAilYk1+8Dg+oEd6J0iU2m3f9iNWalFjZEB4IKR3rlPKA=",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtWBDdK89Cr/0slpX6WuNDCj9nHJ/\nnGaueO0f7RhDViZLQIZ5GN8NakL85/doQIa1ct53WHhrvx5sihXFyrumhA==\n-----END PUBLIC KEY-----\n",
+  "algorithm": "ECDSA-P256-SHA256"
+}