
Unified Diff: server/auth/delegation/checker_test.go

Issue 2386643003: auth: Make luci-go services trust signatures produced by the token server. (Closed)
Patch Set: add tests Created 4 years, 2 months ago
Index: server/auth/delegation/checker_test.go
diff --git a/server/auth/delegation/checker_test.go b/server/auth/delegation/checker_test.go
index 2756690a279f59bf891035de992af326adf53630..474f1ff748c4f30fdb43d81566c7502f337e4f49 100644
--- a/server/auth/delegation/checker_test.go
+++ b/server/auth/delegation/checker_test.go
@@ -104,6 +104,19 @@ func TestCheckToken(t *testing.T) {
So(err, ShouldEqual, ErrMalformedDelegationToken)
})
+ Convey("Untrusted signer", t, func() {
+ tok := minter.mintToken(c, subtoken(c, "user:from@example.com", "user:to@example.com"))
+ minter.signerID = "service:nah-i-renamed-myself"
+ _, err := CheckToken(c, CheckTokenParams{
+ Token: tok,
+ PeerID: "user:to@example.com",
+ CertificatesProvider: minter,
+ GroupsChecker: &fakeGroups{},
+ OwnServiceIdentity: "service:service-id",
+ })
+ So(err, ShouldEqual, ErrUnsignedDelegationToken)
+ })
+
Convey("Bad signature", t, func() {
tok := minter.mintToken(c, subtoken(c, "user:from@example.com", "user:to@example.com"))
// An offset in serialized token that points to Subtoken field. Replace one
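Review bot: The `minter.signerID = "service:nah-i-renamed-myself"` assignment in the new "Untrusted signer" block is never undone, so if `minter` is the fixture shared across TestCheckToken (its declaration is outside this hunk), every later block, starting with "Bad signature", runs against the renamed signer. That makes the later negative cases order-dependent: they can fail, or pass for a reason other than the one they name. Either build a local fixture with `minter := newFakeTokenMinter()` at the top of the block, or restore the field with `defer func(old string) { minter.signerID = old }(minter.signerID)`. A one-line comment that the token is minted under the original ID, and that the rename is what makes the provider stop vouching for it, would also help, because that ordering is the whole test.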
@@ -188,7 +201,10 @@ func newFakeTokenMinter() *fakeTokenMinter {
}
}
-func (f *fakeTokenMinter) GetAuthServiceCertificates(c context.Context) (*signing.PublicCertificates, error) {
+func (f *fakeTokenMinter) GetCertificates(c context.Context, id identity.Identity) (*signing.PublicCertificates, error) {
+ if string(id) != f.signerID {
+ return nil, nil
+ }
return f.signer.Certificates(c)
}
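Review bot: `GetCertificates` signals an unknown signer with `return nil, nil`, which is easy to misread as a forgotten error and leaves the whole trust decision to the caller's nil check. If this mirrors the contract CheckToken expects from its CertificatesProvider (checker.go is not visible here), state it in a doc comment, e.g. `// GetCertificates returns the signer's certificates only when id matches f.signerID; (nil, nil) means the signer is not trusted.` The fake also cannot return a non-nil error, so the path where certificate lookup itself fails appears to stay untested; an optional error field on fakeTokenMinter would cover it.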