docs: publish Ed25519 pubkey for apps signing
All checks were successful
Deploy content to live site / deploy (push) Successful in 2s
All checks were successful
Deploy content to live site / deploy (push) Successful in 2s
Canonical-channel public key. zddc.varasys.io/releases/<artifact>.sig files are signed with the matching private key (kept locally on the maintainer's machine, never in CI). Operators self-hosting zddc-server who use the canonical channels (`apps: archive: stable` etc.) download this file and pass the local path via ZDDC_APPS_PUBKEY. Operators with their own signing infrastructure publish their own pubkey and configure that path instead. The releases-page index includes a "Verify your downloads" section with the SHA-256 fingerprint and a curl + openssl pkeyutl -verify example for manual verification. zddc-server's apps fetcher does the same verification automatically when ZDDC_APPS_PUBKEY is configured. Fingerprint (SHA-256 of DER-encoded SubjectPublicKeyInfo): 7766dc8cf963f32156ddcc96825c52ba0333ffe4c243ad54f9eaf26195b065ab Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
90aca07539
commit
e4149bf8cd
1 changed files with 3 additions and 0 deletions
3
pubkey.pem
Normal file
3
pubkey.pem
Normal file
|
|
@ -0,0 +1,3 @@
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MCowBQYDK2VwAyEAXXaxIUIyOFnhD1eZs02nEt3xZ8izOi7bURFcpJ9iWZY=
|
||||||
|
-----END PUBLIC KEY-----
|
||||||
Loading…
Reference in a new issue