feat(keygen): export SSH public key alongside signing key

Same Ed25519 key now serves dual purpose:
- Release binary signing (developers/<name>.pub raw base64)
- SSH access to debug LiveCD (~/.keys/<name>.key.pub OpenSSH format)

build-debug.sh auto-collects ~/.keys/*.key.pub into authorized_keys.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -18,8 +18,13 @@ sh scripts/keygen.sh <your-name>
 ```
 
 This creates:
-- `~/.keys/<your-name>.key` — private key, keep secret
+- `~/.keys/<your-name>.key` — private key PEM, keep secret
-- `developers/<your-name>.pub` — public key, commit to this repo
+- `~/.keys/<your-name>.key.pub` — SSH public key (OpenSSH format)
+- `developers/<your-name>.pub` — raw base64 public key, commit to this repo
+
+**One key, two uses:**
+- Release signing: `developers/<your-name>.pub` embedded in binaries via ldflags
+- SSH access to debug LiveCD: `~/.keys/<your-name>.key.pub` auto-loaded by `build-debug.sh`
 
 Then commit and push the `.pub` file. Next project release will include your key.
 

scripts/keygen.sh

@@ -1,14 +1,16 @@
 #!/bin/sh
-# keygen.sh — generate an Ed25519 keypair for signing release binaries
+# keygen.sh — generate an Ed25519 keypair for signing release binaries and SSH access
 #
 # Usage:
 #   sh scripts/keygen.sh <developer-name>
 #
 # Output:
-#   ~/.keys/<developer-name>.key   — private key (KEEP SECRET, never commit)
+#   ~/.keys/<developer-name>.key      — private key PEM (KEEP SECRET, never commit)
-#   developers/<developer-name>.pub — public key (safe to commit here)
+#   ~/.keys/<developer-name>.key.pub  — SSH public key (OpenSSH format, for authorized_keys)
+#   developers/<developer-name>.pub   — raw base64 public key (for binary signing, commit this)
 #
-# Requirements: openssl 3.x
+# The same key is used for both release signing and SSH access to debug LiveCD.
+# Requirements: openssl 3.x, python3
 
 set -e
 
@@ -35,15 +37,49 @@ chmod 700 "$HOME/.keys"
 openssl genpkey -algorithm ed25519 -out "$PRIVATE_KEY_PATH"
 chmod 600 "$PRIVATE_KEY_PATH"
 
-# Extract raw 32-byte public key and base64-encode it
+SSH_PUB_PATH="${HOME}/.keys/${NAME}.key.pub"
+
+# Extract raw 32-byte public key and base64-encode it (for release signing)
 openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform DER \
     | tail -c 32 \
     | base64 > "$PUBLIC_KEY_PATH"
 
-echo "Private key: $PRIVATE_KEY_PATH  (DO NOT share or commit)"
+# Export OpenSSH public key (for authorized_keys / SSH access to debug LiveCD)
-echo "Public key:  $PUBLIC_KEY_PATH   (commit this to the keys repo)"
+# openssl can write SSH format directly in 3.x
+openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform PEM \
+    | python3 - "$NAME" "$SSH_PUB_PATH" <<'PYEOF'
+# Convert OpenSSH-compatible PEM public key to authorized_keys line format
+import sys, base64, struct, hashlib
+
+name = sys.argv[1]
+out_path = sys.argv[2]
+pem_lines = sys.stdin.read().strip().splitlines()
+der = base64.b64decode("".join(pem_lines[1:-1]))
+
+# Ed25519 DER SubjectPublicKeyInfo: last 32 bytes are the raw key
+raw = der[-32:]
+
+# Build OpenSSH wire format: length-prefixed "ssh-ed25519" + length-prefixed key
+def pack(b):
+    return struct.pack(">I", len(b)) + b
+
+wire = pack(b"ssh-ed25519") + pack(raw)
+b64 = base64.b64encode(wire).decode()
+line = f"ssh-ed25519 {b64} {name}\n"
+
+with open(out_path, "w") as f:
+    f.write(line)
+print(f"SSH public key: {out_path}")
+PYEOF
+
+chmod 600 "$SSH_PUB_PATH"
+
+echo "Private key:     $PRIVATE_KEY_PATH   (DO NOT share or commit)"
+echo "Signing pub key: $PUBLIC_KEY_PATH    (commit this to the keys repo)"
+echo "SSH pub key:     $SSH_PUB_PATH       (add to LiveCD authorized_keys)"
 echo ""
 echo "Next steps:"
 echo "  1. git add developers/${NAME}.pub && git commit -m 'add ${NAME} public key'"
 echo "  2. git push"
 echo "  3. Rebuild any release binaries to include the new key"
+echo "  4. To SSH into debug LiveCD: sh iso/builder/build-debug.sh --authorized-keys ${SSH_PUB_PATH}"