init: keys repo with keygen, sign, verify scripts and mchusavitin public key

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -0,0 +1,57 @@
+# Release Signing Keys
+
+Centralized public key registry for all mchus.pro projects.
+
+Ed25519 asymmetric signatures. Public keys are safe to commit here.
+Private keys stay on each developer's machine — never committed, never shared.
+
+## How verification works
+
+Release binaries are signed by one developer's private key.
+The binary trusts **any** key in `developers/`.
+Signature valid if at least one trusted key matches.
+
+## Setup (new developer, one-time)
+
+```sh
+sh scripts/keygen.sh <your-name>
+```
+
+This creates:
+- `~/.keys/<your-name>.key` — private key, keep secret
+- `developers/<your-name>.pub` — public key, commit to this repo
+
+Then commit and push the `.pub` file. Next project release will include your key.
+
+## Signing a release binary
+
+```sh
+sh scripts/sign-release.sh <your-name> path/to/binary
+```
+
+Produces `path/to/binary.sig` — upload both to the Gitea release as assets.
+
+## Verifying a signature locally
+
+```sh
+sh scripts/verify-signature.sh path/to/binary
+```
+
+Checks `path/to/binary.sig` against all keys in `developers/`.
+
+## Adding / removing a developer
+
+**Add:** run keygen, commit the `.pub` file, rebuild affected project releases.
+
+**Remove:** delete their `.pub` file, commit, rebuild releases.
+Previously signed binaries with their key remain valid (already distributed),
+but they cannot sign new releases.
+
+## Requirements
+
+- openssl 3.x
+- python3 (for verify-signature.sh only)
+
+## Projects using this repo
+
+- `git.mchus.pro/mchus/bee` — hardware audit LiveCD