
chore: pin minisign release public key in installer#29

Merged: kenlacroix merged 2 commits into main from chore/installer-minisign-pubkey on Jun 23, 2026
@kenlacroix

Owner

Bakes the release signing public key into site/public/install (MINISIGN_PUBKEY default), completing the signed-release chain now that MINISIGN_SECRET_KEY is provisioned as a repo secret.

  • Installer verifies SHA256SUMS.minisig against the pinned key; PALISADE_REQUIRE_SIGNATURE=1 makes a missing signature fatal.
  • Validated key structure: 42 bytes, Ed prefix.
  • Updated the manual-verification example in docs/release-signing.md with the real key.

Note: the existing v0.1.2 release is unsigned (it was built before the secret existed). A follow-up v0.1.3 tag will produce the first signed release with SHA256SUMS.minisig.

🤖 Generated with Claude Code

Bake the release signing public key into site/public/install so `curl | sh`
verifies the SHA256SUMS signature against a pinned key (fails closed with
PALISADE_REQUIRE_SIGNATURE). Update the manual-verification example with the
real key.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
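
The key-structure check and the fail-closed policy described in the PR description and commit message above, as an added shell sketch that is not the project's `site/public/install` script. Assumptions: `base64 -d` and `head -c` are available, `MINISIGN` is a hypothetical override for the verifier binary, the sample key is constructed filler, and the behaviour for an unflagged missing signature (warn) and for an invalid signature (abort) is assumed rather than taken from the page.

```shell
#!/bin/sh
# Added illustration, not the project's site/public/install script.
# Constructed sample key: "Ed" + 40 filler bytes (8-byte key id + 32-byte key).
SAMPLE_PUBKEY=$(printf 'Ed%040d' 0 | base64)

# A minisign public key is base64 of: 2-byte algorithm tag "Ed",
# 8-byte key id, 32-byte Ed25519 public key = 42 bytes.
pubkey_structure_ok() {
    raw_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    prefix=$(printf '%s' "$1" | base64 -d 2>/dev/null | head -c 2)
    [ "$raw_len" = "42" ] && [ "$prefix" = "Ed" ]
}

# verify_checksums SUMS_FILE PUBKEY -> 0 to continue the install, non-zero to abort.
# MINISIGN is a hypothetical override for the verifier binary (useful in tests).
verify_checksums() {
    sums=$1
    pubkey=$2
    sig="$sums.minisig"
    if ! pubkey_structure_ok "$pubkey"; then
        echo "error: pinned public key is malformed" >&2
        return 1
    fi
    if [ ! -f "$sig" ]; then
        if [ "${PALISADE_REQUIRE_SIGNATURE:-0}" = "1" ]; then
            echo "error: $sig missing and a signature is required" >&2
            return 1
        fi
        # Assumption: without the flag, a missing signature is only a warning.
        echo "warning: $sig missing; relying on checksums only" >&2
        return 0
    fi
    # Assumption: a signature that is present but does not verify is always fatal.
    "${MINISIGN:-minisign}" -Vm "$sums" -x "$sig" -P "$pubkey" >/dev/null 2>&1
}

if pubkey_structure_ok "$SAMPLE_PUBKEY"; then
    echo "sample key: 42 bytes, Ed prefix"
fi
```

The structure check only catches a truncated or mis-pasted key; it says nothing about whether the pinned key is the right one, which is why the value itself is reviewed in the PR.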
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 23, 2026


Deploying palisade-api with Cloudflare Pages

Latest commit: 8544a2b
Status: ✅  Deploy successful!
Preview URL: https://502f1014.palisade-api.pages.dev
Branch Preview URL: https://chore-installer-minisign-pub.palisade-api.pages.dev


@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 23, 2026


Deploying palisade-marketing with Cloudflare Pages

Latest commit: 8544a2b
Status: ✅  Deploy successful!
Preview URL: https://7bbbb9ca.palisade-cg7.pages.dev
Branch Preview URL: https://chore-installer-minisign-pub.palisade-cg7.pages.dev


Guard against committing the release secret/public key files; the secret key
belongs in GitHub Actions secrets only.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@kenlacroix kenlacroix merged commit c05c33d into main Jun 23, 2026
17 checks passed
@kenlacroix kenlacroix deleted the chore/installer-minisign-pubkey branch June 23, 2026 00:10