keys/README.md

# Release Signing Keys

Centralized public key registry for all mchus.pro projects.

Ed25519 asymmetric signatures. Public keys are safe to commit here.
Private keys stay on each developer's machine — never committed, never shared.

## How verification works

Release binaries are signed by one developer's private key.
The binary trusts **any** key in `developers/`.
Signature valid if at least one trusted key matches.

## Setup (new developer, one-time)

```sh
sh scripts/keygen.sh <your-name>
```

This creates:
- `~/.keys/<your-name>.key` — private key PEM, keep secret
- `~/.keys/<your-name>.key.pub` — SSH public key (OpenSSH format)
- `developers/<your-name>.pub` — raw base64 public key, commit to this repo

**One key, two uses:**
- Release signing: `developers/<your-name>.pub` embedded in binaries via ldflags
- SSH access to debug LiveCD: `~/.keys/<your-name>.key.pub` auto-loaded by `build-debug.sh`

Then commit and push the `.pub` file. Next project release will include your key.

## Signing a release binary

```sh
sh scripts/sign-release.sh <your-name> path/to/binary
```

Produces `path/to/binary.sig` — upload both to the Gitea release as assets.

## Verifying a signature locally

```sh
sh scripts/verify-signature.sh path/to/binary
```

Checks `path/to/binary.sig` against all keys in `developers/`.

## Adding / removing a developer

**Add:** run keygen, commit the `.pub` file, rebuild affected project releases.

**Remove:** delete their `.pub` file, commit, rebuild releases.
Previously signed binaries with their key remain valid (already distributed),
but they cannot sign new releases.

## Requirements

- openssl 3.x
- python3 (for verify-signature.sh only)

## Projects using this repo

- `git.mchus.pro/mchus/bee` — hardware audit LiveCD