From c6eaa77c6e8a2b67e26e3a670c941089a97883ce Mon Sep 17 00:00:00 2001
From: ZDDC
Date: Tue, 5 May 2026 06:58:49 -0500
Subject: [PATCH] docs(website): show inline apps_pubkey: example on releases page

The "Verify your downloads" section now ends with two side-by-side "Configure your server" cards demonstrating both ways to set the trusted public key:

- Env-var path: curl pubkey.pem to disk, point ZDDC_APPS_PUBKEY at it
- Inline PEM: paste under apps_pubkey: in root .zddc

The cards include the actual PEM bytes of the canonical-channel key (matching the file at /pubkey.pem) so an operator who picks the inline form can copy-paste directly. Each card explains when it fits: env-var for k8s/systemd/Docker plumbing, inline for the "all-config-in-one-file" mental model.

Replaces the previous trailing prose paragraph, which mentioned both options but didn't show either concretely. Real example beats prose explanation when the goal is "get the operator to a working configuration on first read."

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 build | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/build b/build
index e6b62f1..071a51c 100755
--- a/build
+++ b/build
@@ -717,7 +717,34 @@ openssl pkeyutl -verify -pubin -inkey pubkey.pem \

Output is Signature Verified Successfully on a clean download. Any other output (or no output and a non-zero exit) means the bytes do not match the published signature — do not trust them.

-

For server deployments, configure the public key once and forget it. Two equivalent ways: pass ZDDC_APPS_PUBKEY=/path/to/pubkey.pem when starting zddc-server, or paste the PEM contents inline as apps_pubkey: in the root .zddc file (root-only, like admins:). The resolver fetches the .sig automatically and rejects any unsigned or invalid-signature artifact, falling back to the embedded copy. Operators wanting to enforce signature verification on locally-saved artifacts (Path A, "drop a copy into your archive") run the openssl verify command above as part of their save workflow.

+

Configure zddc-server to auto-verify

+

For server deployments, configure the public key once and the apps fetcher verifies every apps:-pinned URL automatically. Two equivalent ways — pick whichever matches how you already manage config:

+
+
+

Env var (k8s, systemd, Docker)

+

Save pubkey.pem on your server, then point zddc-server at it:

+
curl -o /etc/zddc/pubkey.pem \
+  https://zddc.varasys.io/pubkey.pem
+
+ZDDC_APPS_PUBKEY=/etc/zddc/pubkey.pem \
+ZDDC_ROOT=/srv/zddc ./zddc-server
+

Fits the deployment shape where env vars are already the config plumbing — Helm chart values, systemd unit-file Environment=, Docker -e.

+
+
+

Inline in root .zddc

+

Paste the PEM contents under apps_pubkey: in the root .zddc:

+
# <ZDDC_ROOT>/.zddc
+admins: [you@yourcompany.com]
+acl:
+  allow: ["*@yourcompany.com"]
+apps_pubkey: |
+  -----BEGIN PUBLIC KEY-----
+  MCowBQYDK2VwAyEAXXaxIUIyOFnhD1eZs02nEt3xZ8izOi7bURFcpJ9iWZY=
+  -----END PUBLIC KEY-----
+

Honored only at the root .zddc (root-only, like admins:). When both forms are set, the env var wins. Subtree .zddc files with apps_pubkey: are silently ignored — the trust anchor doesn't cascade.

+
+
+

When configured, the resolver fetches the .sig automatically on every URL-pinned apps: entry and rejects any unsigned or invalid-signature artifact, falling back to the embedded copy. Operators enforcing signature verification on locally-saved artifacts (Path A, "drop a copy into your archive") run the openssl verify command above as part of their save workflow.
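Review bot: the env-var card's `curl -o /etc/zddc/pubkey.pem https://zddc.varasys.io/pubkey.pem` has no `-f`, so an HTTP error body (a 404 or maintenance page) is written to /etc/zddc/pubkey.pem with exit status 0 and the next line points ZDDC_APPS_PUBKEY at a file that is not a PEM; suggest `curl -fsSL -o /etc/zddc/pubkey.pem https://zddc.varasys.io/pubkey.pem` followed by a sanity check such as `openssl pkey -pubin -in /etc/zddc/pubkey.pem -noout`, and tell the operator to compare the fetched file with the PEM printed in the inline card, since the page is now the reference copy of the trust anchor reached by two routes. Relatedly, the inline card carries the PEM bytes as a literal in `build` while the commit message says they must match /pubkey.pem; a key rotation that updates only the file leaves the releases page advertising the old key. Since `build` generates the page, have it read pubkey.pem at build time and splice the contents under `apps_pubkey: |` so the two copies cannot drift. Finally, "rejects any unsigned or invalid-signature artifact, falling back to the embedded copy" reads as if a rejected artifact is still served from an embedded copy; state explicitly whether the fallback is the signed embedded copy or the request fails closed.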