58 lines
1.5 KiB
Markdown
58 lines
1.5 KiB
Markdown
# Release Signing Keys
|
|
|
|
Centralized public key registry for all mchus.pro projects.
|
|
|
|
Ed25519 asymmetric signatures. Public keys are safe to commit here.
|
|
Private keys stay on each developer's machine — never committed, never shared.
|
|
|
|
## How verification works
|
|
|
|
Release binaries are signed by one developer's private key.
|
|
The binary trusts **any** key in `developers/`.
|
|
Signature valid if at least one trusted key matches.
|
|
|
|
## Setup (new developer, one-time)
|
|
|
|
```sh
|
|
sh scripts/keygen.sh <your-name>
|
|
```
|
|
|
|
This creates:
|
|
- `~/.keys/<your-name>.key` — private key, keep secret
|
|
- `developers/<your-name>.pub` — public key, commit to this repo
|
|
|
|
Then commit and push the `.pub` file. Next project release will include your key.
|
|
|
|
## Signing a release binary
|
|
|
|
```sh
|
|
sh scripts/sign-release.sh <your-name> path/to/binary
|
|
```
|
|
|
|
Produces `path/to/binary.sig` — upload both to the Gitea release as assets.
|
|
|
|
## Verifying a signature locally
|
|
|
|
```sh
|
|
sh scripts/verify-signature.sh path/to/binary
|
|
```
|
|
|
|
Checks `path/to/binary.sig` against all keys in `developers/`.
|
|
|
|
## Adding / removing a developer
|
|
|
|
**Add:** run keygen, commit the `.pub` file, rebuild affected project releases.
|
|
|
|
**Remove:** delete their `.pub` file, commit, rebuild releases.
|
|
Previously signed binaries with their key remain valid (already distributed),
|
|
but they cannot sign new releases.
|
|
|
|
## Requirements
|
|
|
|
- openssl 3.x
|
|
- python3 (for verify-signature.sh only)
|
|
|
|
## Projects using this repo
|
|
|
|
- `git.mchus.pro/mchus/bee` — hardware audit LiveCD
|