Add key id based m2p rotation support

src/PackLib/M2Pack.cpp

@@ -40,12 +40,6 @@ bool ReadPod(const uint8_t* bytes, std::size_t size, std::size_t& offset, T& out
 
 bool CM2Pack::Load(const std::string& path)
 {
-	if (!HasM2PackRuntimeKeysForArchiveLoad())
-	{
-		TraceError("CM2Pack::Load: runtime master key required for '%s'", path.c_str());
-		return false;
-	}
-
 	std::error_code ec;
 	m_file.map(path, ec);
 
@@ -75,6 +69,15 @@ bool CM2Pack::Load(const std::string& path)
 		return false;
 	}
 
+	if (!HasM2PackRuntimeKeysForArchiveLoad(m_header.key_id))
+	{
+		TraceError("CM2Pack::Load: runtime master key with key_id=%u required for '%s' (active key_id=%u)",
+			m_header.key_id,
+			path.c_str(),
+			GetM2PackActiveMasterKeyId());
+		return false;
+	}
+
 	if (m_header.manifest_offset + m_header.manifest_size > m_file.size())
 	{
 		TraceError("CM2Pack::Load: manifest out of bounds in '%s'", path.c_str());
@@ -111,11 +114,18 @@ bool CM2Pack::ValidateManifest()
 		return false;
 	}
 
-		if (crypto_sign_verify_detached(
+	const auto* publicKey = GetM2PackPublicKeyForKeyId(m_header.key_id);
+	if (!publicKey)
+	{
+		TraceError("CM2Pack::ValidateManifest: no public key configured for key_id=%u", m_header.key_id);
+		return false;
+	}
+
+	if (crypto_sign_verify_detached(
 		m_header.manifest_signature,
 		m_manifest_bytes.data(),
 		m_manifest_bytes.size(),
-		GetM2PackActivePublicKey().data()) != 0)
+		publicKey->data()) != 0)
 	{
 		TraceError("CM2Pack::ValidateManifest: manifest signature mismatch");
 		return false;