docs(website): show inline apps_pubkey: example on releases page

The "Verify your downloads" section now ends with two side-by-side
"Configure your server" cards demonstrating both ways to set the
trusted public key:

  - Env-var path: curl pubkey.pem to disk, point ZDDC_APPS_PUBKEY at it
  - Inline PEM: paste under apps_pubkey: in root .zddc

The cards include the actual PEM bytes of the canonical-channel key
(matching the file at /pubkey.pem) so an operator who picks the
inline form can copy-paste directly. Each card explains when it fits:
env-var for k8s/systemd/Docker plumbing, inline for the
"all-config-in-one-file" mental model.

Replaces the previous trailing prose paragraph, which mentioned both
options but didn't show either concretely. Real example beats prose
explanation when the goal is "get the operator to a working
configuration on first read."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
ZDDC 2026-05-05 06:58:49 -05:00
parent 52dde0b014
commit c6eaa77c6e


@ -717,7 +717,34 @@ openssl pkeyutl -verify -pubin -inkey pubkey.pem \
<p style="font-size: 0.85rem;">Output is <code class="inline">Signature Verified Successfully</code> on a clean download. Any other output (or no output and a non-zero exit) means the bytes do not match the published signature — do not trust them.</p>
</div>
</div>
<p style="margin-top: var(--spacing-md); font-size: 0.9rem; color: var(--color-text-muted);">For server deployments, configure the public key once and forget it. Two equivalent ways: pass <code class="inline">ZDDC_APPS_PUBKEY=/path/to/pubkey.pem</code> when starting <code class="inline">zddc-server</code>, or paste the PEM contents inline as <code class="inline">apps_pubkey:</code> in the root <code class="inline">.zddc</code> file (root-only, like <code class="inline">admins:</code>). The resolver fetches the <code class="inline">.sig</code> automatically and rejects any unsigned or invalid-signature artifact, falling back to the embedded copy. Operators wanting to enforce signature verification on locally-saved artifacts (Path A, "drop a copy into your archive") run the <code class="inline">openssl</code> verify command above as part of their save workflow.</p>
<h3 style="margin-top: var(--spacing-lg);">Configure <code class="inline">zddc-server</code> to auto-verify</h3>
<p>For server deployments, configure the public key once and the apps fetcher verifies every <code class="inline">apps:</code>-pinned URL automatically. Two equivalent ways — pick whichever matches how you already manage config:</p>
<div class="grid-2" style="margin-top: var(--spacing-md);">
<div class="pin-card">
<h3>Env var (k8s, systemd, Docker)</h3>
<p>Save <code class="inline">pubkey.pem</code> on your server, then point <code class="inline">zddc-server</code> at it:</p>
<pre>curl -o /etc/zddc/pubkey.pem \
https://zddc.varasys.io/pubkey.pem
ZDDC_APPS_PUBKEY=/etc/zddc/pubkey.pem \
ZDDC_ROOT=/srv/zddc ./zddc-server</pre>
<p style="font-size: 0.85rem;">Fits the deployment shape where env vars are already the config plumbing — Helm chart values, systemd unit-file <code class="inline">Environment=</code>, Docker <code class="inline">-e</code>.</p>
</div>
<div class="pin-card">
<h3>Inline in root <code class="inline">.zddc</code></h3>
<p>Paste the PEM contents under <code class="inline">apps_pubkey:</code> in the root <code class="inline">.zddc</code>:</p>
<pre># &lt;ZDDC_ROOT&gt;/.zddc
admins: [you@yourcompany.com]
acl:
allow: ["*@yourcompany.com"]
apps_pubkey: |
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAXXaxIUIyOFnhD1eZs02nEt3xZ8izOi7bURFcpJ9iWZY=
-----END PUBLIC KEY-----</pre>
<p style="font-size: 0.85rem;">Honored only at the root <code class="inline">.zddc</code> (root-only, like <code class="inline">admins:</code>). When both forms are set, the env var wins. Subtree <code class="inline">.zddc</code> files with <code class="inline">apps_pubkey:</code> are silently ignored — the trust anchor doesn't cascade.</p>
</div>
</div>
<p style="margin-top: var(--spacing-md); font-size: 0.9rem; color: var(--color-text-muted);">When configured, the resolver fetches the <code class="inline">.sig</code> automatically on every URL-pinned <code class="inline">apps:</code> entry and rejects any unsigned or invalid-signature artifact, falling back to the embedded copy. Operators enforcing signature verification on locally-saved artifacts (Path A, "drop a copy into your archive") run the <code class="inline">openssl</code> verify command above as part of their save workflow.</p>
</section>
<!-- ───────────── Channels explainer ───────────── -->
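Review bot: the env-var card's `curl -o /etc/zddc/pubkey.pem https://zddc.varasys.io/pubkey.pem` writes whatever the server returns into the key file, including an HTML error body on a 404, and without `--fail` curl still exits 0, so the operator only learns of it when zddc-server later refuses to parse the key; suggest `curl -fsSL -o /etc/zddc/pubkey.pem https://zddc.varasys.io/pubkey.pem`, and since the inline card already shows the canonical PEM, a one-line hint to compare the downloaded file against it gives operators a cheap cross-check. Related: the PEM is now hard-coded in the page and must be kept in sync with /pubkey.pem by hand, so if the key ever rotates consider generating the card from that file at build time. The "env var wins" precedence and the "silently ignored" subtree `apps_pubkey:` behaviour in the inline card are documented claims not mentioned in the commit message; please confirm both against the server, and if a subtree `apps_pubkey:` really is dropped without a log line, a warning would help operators who paste it in the wrong place. Minor: the card headings are `<h3>` nested under the section `<h3>` "Configure zddc-server to auto-verify"; `<h4>` would keep the heading hierarchy consistent.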