init: keys repo with keygen, sign, verify scripts and mchusavitin public key

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/sign-release.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+# sign-release.sh — sign a release binary with your Ed25519 private key
+#
+# Usage:
+#   sh scripts/sign-release.sh <developer-name> <binary-path>
+#
+# Output:
+#   <binary-path>.sig — raw 64-byte Ed25519 signature
+#
+# The .sig file must be uploaded alongside the binary to the Gitea release.
+#
+# Requirements: openssl 3.x
+
+set -e
+
+NAME="$1"
+BINARY="$2"
+
+if [ -z "$NAME" ] || [ -z "$BINARY" ]; then
+    echo "Usage: sh scripts/sign-release.sh <developer-name> <binary-path>" >&2
+    echo "Example: sh scripts/sign-release.sh mchusavitin dist/bee-audit-linux-amd64" >&2
+    exit 1
+fi
+
+PRIVATE_KEY_PATH="$HOME/.keys/${NAME}.key"
+SIG_PATH="${BINARY}.sig"
+
+if [ ! -f "$PRIVATE_KEY_PATH" ]; then
+    echo "Private key not found: $PRIVATE_KEY_PATH" >&2
+    echo "Run scripts/keygen.sh $NAME first." >&2
+    exit 1
+fi
+
+if [ ! -f "$BINARY" ]; then
+    echo "Binary not found: $BINARY" >&2
+    exit 1
+fi
+
+# Sign: produce raw 64-byte Ed25519 signature
+openssl pkeyutl -sign \
+    -inkey "$PRIVATE_KEY_PATH" \
+    -rawin \
+    -in "$BINARY" \
+    -out "$SIG_PATH"
+
+echo "Signed:    $BINARY"
+echo "Signature: $SIG_PATH"
+echo ""
+echo "Upload both files to the Gitea release as assets."