From 3b0b3a0a1f902bfb1eca5040212e00c49027e7d1 Mon Sep 17 00:00:00 2001 From: librelad Date: Thu, 28 May 2026 20:20:38 +0100 Subject: [PATCH] feat(release): activate release signing with the production minisign key Replaces the REPLACE_ME placeholder public key in libreportal.pub and install.sh with the real LibrePortal release-signing public key (id BC92526B3ECA7F41). The secret half is held offline by the maintainer. This activates the signature-required path everywhere it was wired but inert: install.sh now REQUIRES a valid tarball signature on release installs, the updater (fetch.sh) requires it on update, and the integrity check (verify.sh) will report a real "Verified" state once a signed release is installed. Co-Authored-By: Claude Opus 4.7 Signed-off-by: librelad --- install.sh | 2 +- libreportal.pub | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/install.sh b/install.sh index 3314ec0..8913f5e 100644 --- a/install.sh +++ b/install.sh @@ -28,7 +28,7 @@ NO_VERIFY_SIG=0 # paste the public key here AND into libreportal.pub. While it contains REPLACE_ME, # signature verification is skipped (the sha256 still runs); once replaced, a valid # signature becomes REQUIRED for release installs. -LP_MINISIGN_PUBKEY="RWREPLACE_ME_run_minisign_-G_then_paste_the_public_key_here_and_in_install.sh" +LP_MINISIGN_PUBKEY="RWRBf8o+a1KSvF08fA3oKrVz/71D60YeF4GO66ntVeJvzAkI57sjgM1S" usage() { sed -n '3,12p' "$0" | sed 's/^# \{0,1\}//' diff --git a/libreportal.pub b/libreportal.pub index 896cf4c..4c1b36c 100644 --- a/libreportal.pub +++ b/libreportal.pub @@ -1,2 +1,2 @@ -untrusted comment: LibrePortal release signing key — REPLACE_ME (run `minisign -G`) -RWREPLACE_ME_run_minisign_-G_then_paste_the_public_key_here_and_in_install.sh +untrusted comment: LibrePortal release signing key (id BC92526B3ECA7F41) +RWRBf8o+a1KSvF08fA3oKrVz/71D60YeF4GO66ntVeJvzAkI57sjgM1S