Commit graph

1 commit

Author SHA1 Message Date
e4149bf8cd docs: publish Ed25519 pubkey for apps signing
Canonical-channel public key. zddc.varasys.io/releases/<artifact>.sig
files are signed with the matching private key (kept locally on the
maintainer's machine, never in CI).

Operators self-hosting zddc-server who use the canonical channels
(`apps: archive: stable` etc.) download this file and pass the local
path via ZDDC_APPS_PUBKEY. Operators with their own signing
infrastructure publish their own pubkey and configure that path
instead.

The releases-page index includes a "Verify your downloads" section
with the SHA-256 fingerprint and a curl + openssl pkeyutl -verify
example for manual verification. zddc-server's apps fetcher does the
same verification automatically when ZDDC_APPS_PUBKEY is configured.

Fingerprint (SHA-256 of DER-encoded SubjectPublicKeyInfo):
  7766dc8cf963f32156ddcc96825c52ba0333ffe4c243ad54f9eaf26195b065ab

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 21:59:20 -05:00
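
Added example, not part of the commit or of zddc-server: one way to check a downloaded public key against the fingerprint above before pointing ZDDC_APPS_PUBKEY at it. It assumes the key file is a PEM `PUBLIC KEY` block; the function names are hypothetical and the sample key is constructed placeholder bytes, not the project's key.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint published in the commit message above.
PUBLISHED_FP = "7766dc8cf963f32156ddcc96825c52ba0333ffe4c243ad54f9eaf26195b065ab"

# Fixed DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 }, BIT STRING(33, 0 unused bits) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

PEM_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----\s*(.+?)\s*-----END PUBLIC KEY-----", re.S)

def spki_der_from_pem(pem: str) -> bytes:
    """Extract the DER SubjectPublicKeyInfo and require it to be Ed25519."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PUBLIC KEY PEM block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    return der

def spki_fingerprint(pem: str) -> str:
    """Lowercase hex SHA-256 over the DER bytes, not over the PEM text."""
    return hashlib.sha256(spki_der_from_pem(pem)).hexdigest()

def matches_pin(pem: str, pinned: str = PUBLISHED_FP) -> bool:
    """Compare against a pinned fingerprint, tolerating colons and case."""
    want = pinned.replace(":", "").strip().lower()
    return hmac.compare_digest(spki_fingerprint(pem), want)

def make_pem(der: bytes) -> str:
    """Helper for the constructed sample: wrap DER in a PUBLIC KEY PEM block."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

# Constructed sample, not the project's key: placeholder 32-byte key material.
SAMPLE_DER = ED25519_SPKI_PREFIX + bytes(range(32))
SAMPLE_PEM = make_pem(SAMPLE_DER)

if __name__ == "__main__":
    print("sample fingerprint:", spki_fingerprint(SAMPLE_PEM))
    print("matches published pin:", matches_pin(SAMPLE_PEM))
```

Hashing the DER bytes rather than the PEM text keeps the result independent of line wrapping and trailing newlines in the downloaded file.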