feat(release): activate release signing with the production minisign key
Replaces the REPLACE_ME placeholder public key in libreportal.pub and install.sh with the real LibrePortal release-signing public key (id BC92526B3ECA7F41). The secret half is held offline by the maintainer. This activates the signature-required path everywhere it was wired but inert: install.sh now REQUIRES a valid tarball signature on release installs, the updater (fetch.sh) requires it on update, and the integrity check (verify.sh) will report a real "Verified" state once a signed release is installed. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
1c3531b932
commit
3b0b3a0a1f
@ -28,7 +28,7 @@ NO_VERIFY_SIG=0
|
|||||||
# paste the public key here AND into libreportal.pub. While it contains REPLACE_ME,
|
# paste the public key here AND into libreportal.pub. While it contains REPLACE_ME,
|
||||||
# signature verification is skipped (the sha256 still runs); once replaced, a valid
|
# signature verification is skipped (the sha256 still runs); once replaced, a valid
|
||||||
# signature becomes REQUIRED for release installs.
|
# signature becomes REQUIRED for release installs.
|
||||||
LP_MINISIGN_PUBKEY="RWREPLACE_ME_run_minisign_-G_then_paste_the_public_key_here_and_in_install.sh"
|
LP_MINISIGN_PUBKEY="RWRBf8o+a1KSvF08fA3oKrVz/71D60YeF4GO66ntVeJvzAkI57sjgM1S"
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
sed -n '3,12p' "$0" | sed 's/^# \{0,1\}//'
|
sed -n '3,12p' "$0" | sed 's/^# \{0,1\}//'
|
||||||
|
|||||||
@ -1,2 +1,2 @@
|
|||||||
untrusted comment: LibrePortal release signing key — REPLACE_ME (run `minisign -G`)
|
untrusted comment: LibrePortal release signing key (id BC92526B3ECA7F41)
|
||||||
RWREPLACE_ME_run_minisign_-G_then_paste_the_public_key_here_and_in_install.sh
|
RWRBf8o+a1KSvF08fA3oKrVz/71D60YeF4GO66ntVeJvzAkI57sjgM1S
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user