init: keys repo with keygen, sign, verify scripts and mchusavitin public key

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 10:23:47 +03:00
commit 9ffc57ec1a
7 changed files with 235 additions and 0 deletions
--- a/scripts/keygen.sh
+++ b/scripts/keygen.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+# keygen.sh — generate an Ed25519 keypair for signing release binaries
+#
+# Usage:
+#   sh scripts/keygen.sh <developer-name>
+#
+# Output:
+#   ~/.keys/<developer-name>.key   — private key (KEEP SECRET, never commit)
+#   developers/<developer-name>.pub — public key (safe to commit here)
+#
+# Requirements: openssl 3.x
+
+set -e
+
+NAME="$1"
+if [ -z "$NAME" ]; then
+    echo "Usage: sh scripts/keygen.sh <developer-name>" >&2
+    echo "Example: sh scripts/keygen.sh mchusavitin" >&2
+    exit 1
+fi
+
+PRIVATE_KEY_PATH="$HOME/.keys/${NAME}.key"
+PUBLIC_KEY_PATH="$(dirname "$0")/../developers/${NAME}.pub"
+
+if [ -f "$PRIVATE_KEY_PATH" ]; then
+    echo "Private key already exists at $PRIVATE_KEY_PATH" >&2
+    echo "Delete it manually if you want to regenerate." >&2
+    exit 1
+fi
+
+mkdir -p "$HOME/.keys"
+chmod 700 "$HOME/.keys"
+
+# Generate Ed25519 private key (PEM format)
+openssl genpkey -algorithm ed25519 -out "$PRIVATE_KEY_PATH"
+chmod 600 "$PRIVATE_KEY_PATH"
+
+# Extract raw 32-byte public key and base64-encode it
+openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform DER \
+    | tail -c 32 \
+    | base64 > "$PUBLIC_KEY_PATH"
+
+echo "Private key: $PRIVATE_KEY_PATH  (DO NOT share or commit)"
+echo "Public key:  $PUBLIC_KEY_PATH   (commit this to the keys repo)"
+echo ""
+echo "Next steps:"
+echo "  1. git add developers/${NAME}.pub && git commit -m 'add ${NAME} public key'"
+echo "  2. git push"
+echo "  3. Rebuild any release binaries to include the new key"