diff --git a/install.sh b/install.sh
index 8913f5e..a7f6abc 100644
--- a/install.sh
+++ b/install.sh
@@ -24,10 +24,11 @@ SYSTEM_DIR="" ; CONTAINERS_DIR="" ; BACKUPS_DIR="" ; MANAGER_USER="" ; ALLOW_HOM
 DRY_RUN=0
 NO_VERIFY_SIG=0
-# minisign public key. Keep the SECRET key offline. Once you run `minisign -G`,
-# paste the public key here AND into libreportal.pub. While it contains REPLACE_ME,
-# signature verification is skipped (the sha256 still runs); once replaced, a valid
-# signature becomes REQUIRED for release installs.
+# LibrePortal release-signing public key (minisign); the SECRET half is held
+# offline by the maintainer. A valid tarball signature is REQUIRED for release
+# installs (the sha256 is always checked too). To rotate: generate a new keypair
+# (`minisign -G`) and replace this constant AND libreportal.pub. A value
+# containing REPLACE_ME disables the signature check (placeholder / dev only).
 LP_MINISIGN_PUBKEY="RWRBf8o+a1KSvF08fA3oKrVz/71D60YeF4GO66ntVeJvzAkI57sjgM1S"
 usage() {
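Review bot: The last sentence of the new comment above `LP_MINISIGN_PUBKEY` documents a fail-open path, where a value containing `REPLACE_ME` turns the signature check off, right after stating that a signature is REQUIRED, and it does not say how that relates to the `NO_VERIFY_SIG` switch in the context lines above. The verification code is outside this hunk, so this is inferred from the comment only: if the placeholder branch still exists, it would be safer for it to abort unless the operator opted out explicitly, with the comment reading `# A value containing REPLACE_ME is a packaging error: the installer refuses to continue unless signature verification was explicitly disabled.` The rotation note would also benefit from one more line, such as `# Rotation means tarballs signed with the old key no longer verify; keep this constant identical to libreportal.pub.`, since two copies of a trust anchor can drift apart unnoticed. It is also worth a word that a key pinned inside install.sh authenticates the tarball only, not the script that carries the key.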