Same Ed25519 key now serves dual purpose:
- Release binary signing (developers/<name>.pub raw base64)
- SSH access to debug LiveCD (~/.keys/<name>.key.pub OpenSSH format)

build-debug.sh auto-collects ~/.keys/*.key.pub into authorized_keys.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Release Signing Keys
Centralized public key registry for all mchus.pro projects.
Ed25519 asymmetric signatures. Public keys are safe to commit here. Private keys stay on each developer's machine — never committed, never shared.
How verification works
Each release binary is signed by one developer's private key.
At build time the binary embeds every public key present in developers/ and trusts all of them equally.
A signature is valid if it verifies under at least one of those embedded keys; there is no threshold or quorum, one matching key is enough.
Setup (new developer, one-time)
sh scripts/keygen.sh <your-name>
This creates:
~/.keys/<your-name>.key — private key PEM, keep secret
~/.keys/<your-name>.key.pub — SSH public key (OpenSSH format)
developers/<your-name>.pub — raw base64 public key, commit to this repo
One key, two uses:
- Release signing: developers/<your-name>.pub embedded in binaries via ldflags
- SSH access to debug LiveCD: ~/.keys/<your-name>.key.pub auto-loaded by build-debug.sh
Then commit and push the .pub file. The next release of each project will include your key.
Signing a release binary
sh scripts/sign-release.sh <your-name> path/to/binary
Produces path/to/binary.sig — upload both to the Gitea release as assets.
Verifying a signature locally
sh scripts/verify-signature.sh path/to/binary
Checks path/to/binary.sig against every key in developers/ and reports which key, if any, produced the signature. Run it from a clean checkout of this repo so the key set you verify against is the committed one, not a locally edited copy.
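The trust model described under "How verification works" and the local check performed by verify-signature.sh, as an added Go example; this is not the project's own code. It assumes a hypothetical ldflags-injected variable main.trustedKeys carrying the developers/*.pub values comma-separated, raw 64-byte Ed25519 .sig files, and uses constructed keys and release data rather than the real registry:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// trustedKeys is an assumed ldflags-injected variable (the name is hypothetical):
// a comma-separated list of raw base64 Ed25519 public keys, i.e. the contents of
// developers/*.pub, e.g.
//   go build -ldflags "-X main.trustedKeys=$(cat developers/*.pub | paste -sd,)"
var trustedKeys string

// parseTrustedKeys decodes the embedded list. It fails closed: a malformed
// entry or an empty list is an error, never "no keys, so accept anything".
func parseTrustedKeys(list string) ([]ed25519.PublicKey, error) {
	var keys []ed25519.PublicKey
	for _, entry := range strings.Split(list, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(entry)
		if err != nil {
			return nil, fmt.Errorf("trusted key %q: bad base64: %w", entry, err)
		}
		if len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("trusted key %q: %d bytes, want %d", entry, len(raw), ed25519.PublicKeySize)
		}
		keys = append(keys, ed25519.PublicKey(raw))
	}
	if len(keys) == 0 {
		return nil, errors.New("no trusted release keys embedded in this binary")
	}
	return keys, nil
}

// verifyAgainstAny returns the index of the first trusted key under which sig
// is a valid Ed25519 signature over data, or -1 if no key matches.
func verifyAgainstAny(keys []ed25519.PublicKey, data, sig []byte) int {
	if len(sig) != ed25519.SignatureSize {
		return -1
	}
	for i, k := range keys {
		if ed25519.Verify(k, data, sig) {
			return i
		}
	}
	return -1
}

// rawPub renders a public key the way developers/<name>.pub stores it.
func rawPub(pub ed25519.PublicKey) string {
	return base64.StdEncoding.EncodeToString(pub)
}

// demo constructs two developer keys (constructed sample data, not real
// project keys), signs a fake release with the second one, and exercises the
// accept path, a tampered-binary rejection and an untrusted-signer rejection.
func demo() (signerIndex, tamperedIndex, outsiderIndex int, err error) {
	alicePub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, 0, err
	}
	bobPub, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, 0, err
	}
	_, outsiderPriv, err := ed25519.GenerateKey(rand.Reader) // never added to developers/
	if err != nil {
		return 0, 0, 0, err
	}

	keys, err := parseTrustedKeys(rawPub(alicePub) + "," + rawPub(bobPub))
	if err != nil {
		return 0, 0, 0, err
	}

	release := []byte("constructed release binary contents")
	sig := ed25519.Sign(bobPriv, release)

	signerIndex = verifyAgainstAny(keys, release, sig) // 1: bob's key
	tampered := append([]byte{}, release...)
	tampered[0] ^= 0x01 // one flipped bit invalidates the signature
	tamperedIndex = verifyAgainstAny(keys, tampered, sig)
	outsiderIndex = verifyAgainstAny(keys, release, ed25519.Sign(outsiderPriv, release))
	return signerIndex, tamperedIndex, outsiderIndex, nil
}

func main() {
	if trustedKeys != "" {
		keys, err := parseTrustedKeys(trustedKeys)
		fmt.Println("embedded keys:", len(keys), "err:", err)
	}
	s, t, o, err := demo()
	fmt.Printf("signer=%d tampered=%d outsider=%d err=%v\n", s, t, o, err)
}
```

The two checks worth carrying into any real verifier are the ones that make the loop safe: key length is validated before ed25519.Verify (which panics on a malformed public key), and an empty trust list is an error rather than a silent pass, so a binary accidentally built without the ldflags value cannot treat every signature as acceptable.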
Adding / removing a developer
Add: run keygen, commit the .pub file, rebuild affected project releases.
Remove: delete their .pub file, commit, rebuild releases.
Binaries already signed and distributed with the removed key stay valid for anyone who has them: the key is baked into those builds, and deleting the .pub file here does not reach them. Removal only stops that key from signing new releases and drops it from rebuilt ones; it is not a revocation.
If a private key is lost or compromised, treat it as an incident: remove the .pub file, rebuild and re-release every affected project promptly, and tell users to move to the new releases, since the old ones still trust the compromised key.
Requirements
- openssl 3.x
- python3 (for verify-signature.sh only)
Projects using this repo
git.mchus.pro/mchus/bee — hardware audit LiveCD