From e4149bf8cd397ef7b81819651f4078efe0f1c1fa Mon Sep 17 00:00:00 2001 From: ZDDC Date: Mon, 4 May 2026 21:59:20 -0500 Subject: [PATCH] docs: publish Ed25519 pubkey for apps signing Canonical-channel public key. zddc.varasys.io/releases/.sig files are signed with the matching private key (kept locally on the maintainer's machine, never in CI). Operators self-hosting zddc-server who use the canonical channels (`apps: archive: stable` etc.) download this file and pass the local path via ZDDC_APPS_PUBKEY. Operators with their own signing infrastructure publish their own pubkey and configure that path instead. The releases-page index includes a "Verify your downloads" section with the SHA-256 fingerprint and a curl + openssl pkeyutl -verify example for manual verification. zddc-server's apps fetcher does the same verification automatically when ZDDC_APPS_PUBKEY is configured. Fingerprint (SHA-256 of DER-encoded SubjectPublicKeyInfo): 7766dc8cf963f32156ddcc96825c52ba0333ffe4c243ad54f9eaf26195b065ab Co-Authored-By: Claude Opus 4.7 (1M context) --- pubkey.pem | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 pubkey.pem diff --git a/pubkey.pem b/pubkey.pem new file mode 100644 index 0000000..ef8dcec --- /dev/null +++ b/pubkey.pem @@ -0,0 +1,3 @@ +-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEAXXaxIUIyOFnhD1eZs02nEt3xZ8izOi7bURFcpJ9iWZY= +-----END PUBLIC KEY-----
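Review bot: the new pubkey.pem (the single `@@ -0,0 +1,3 @@` hunk) lands with nothing in the tree that records its fingerprint. The SHA-256 of the DER-encoded SubjectPublicKeyInfo appears only in the commit message and, per that message, on the releases page, so an operator who downloads this file and points ZDDC_APPS_PUBKEY at it has no documented step in the repository for confirming the key before trusting it. Suggest adding a short README or docs entry in the same change that states the fingerprint and tells operators to compare it with a value obtained through a separate channel before setting ZDDC_APPS_PUBKEY. It should also say how a rotation or revocation of this key would be announced, since the PEM carries only the raw key with no identifier or validity period.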