init: keys repo with keygen, sign, verify scripts and mchusavitin public key

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 10:23:47 +03:00
commit 9ffc57ec1a
7 changed files with 235 additions and 0 deletions
--- a/scripts/verify-signature.sh
+++ b/scripts/verify-signature.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+# verify-signature.sh — verify a release binary signature against any trusted public key
+#
+# Usage:
+#   sh scripts/verify-signature.sh <binary-path>
+#
+# Verifies <binary-path>.sig against all keys in developers/*.pub
+# Exits 0 if any key matches, 1 if none match.
+#
+# Requirements: openssl 3.x, python3 (for base64 decode)
+
+set -e
+
+BINARY="$1"
+SIG_PATH="${BINARY}.sig"
+KEYS_DIR="$(dirname "$0")/../developers"
+
+if [ -z "$BINARY" ]; then
+    echo "Usage: sh scripts/verify-signature.sh <binary-path>" >&2
+    exit 1
+fi
+
+if [ ! -f "$BINARY" ]; then
+    echo "Binary not found: $BINARY" >&2
+    exit 1
+fi
+
+if [ ! -f "$SIG_PATH" ]; then
+    echo "Signature not found: $SIG_PATH" >&2
+    exit 1
+fi
+
+MATCHED=""
+
+for PUBFILE in "$KEYS_DIR"/*.pub; do
+    [ -f "$PUBFILE" ] || continue
+    NAME=$(basename "$PUBFILE" .pub)
+
+    # Decode base64 raw public key → DER SubjectPublicKeyInfo wrapper
+    # Ed25519 DER prefix: 302a300506032b6570032100
+    RAW_B64=$(cat "$PUBFILE")
+    PEM_PATH="/tmp/verify-${NAME}.pem"
+
+    python3 - "$RAW_B64" "$PEM_PATH" <<'PYEOF'
+import sys, base64, binascii
+raw = base64.b64decode(sys.argv[1])
+prefix = bytes.fromhex("302a300506032b6570032100")
+der = prefix + raw
+b64 = base64.b64encode(der).decode()
+with open(sys.argv[2], "w") as f:
+    f.write("-----BEGIN PUBLIC KEY-----\n")
+    for i in range(0, len(b64), 64):
+        f.write(b64[i:i+64] + "\n")
+    f.write("-----END PUBLIC KEY-----\n")
+PYEOF
+
+    if openssl pkeyutl -verify \
+        -pubin -inkey "$PEM_PATH" \
+        -rawin \
+        -in "$BINARY" \
+        -sigfile "$SIG_PATH" \
+        2>/dev/null; then
+        echo "OK: signature verified by key '$NAME'"
+        MATCHED="$NAME"
+        rm -f "$PEM_PATH"
+        break
+    fi
+
+    rm -f "$PEM_PATH"
+done
+
+if [ -z "$MATCHED" ]; then
+    echo "FAIL: signature does not match any trusted key in developers/" >&2
+    exit 1
+fi