Release Signing Keys

Centralized public key registry for all mchus.pro projects.

Ed25519 asymmetric signatures. Public keys are safe to commit here. Private keys stay on each developer's machine — never committed, never shared.

How verification works

Release binaries are signed by one developer's private key. The binary trusts any key in developers/. Signature valid if at least one trusted key matches.

Setup (new developer, one-time)

sh scripts/keygen.sh <your-name>

This creates:

• ~/.keys/<your-name>.key — private key, keep secret
• developers/<your-name>.pub — public key, commit to this repo

Then commit and push the .pub file. Next project release will include your key.

Signing a release binary

sh scripts/sign-release.sh <your-name> path/to/binary

Produces path/to/binary.sig — upload both to the Gitea release as assets.

Verifying a signature locally

sh scripts/verify-signature.sh path/to/binary

Checks path/to/binary.sig against all keys in developers/.

Adding / removing a developer

Add: run keygen, commit the .pub file, rebuild affected project releases.

Remove: delete their .pub file, commit, rebuild releases. Previously signed binaries with their key remain valid (already distributed), but they cannot sign new releases.

Requirements

• openssl 3.x
• python3 (for verify-signature.sh only)

Projects using this repo

• git.mchus.pro/mchus/bee — hardware audit LiveCD