- create-release.sh: assert the freshly built frontend dist actually embeds
the bumped version before packaging — the ui-dist-version guard in
tests/release/run.sh is behind --with-build, which the release path never
passes, so a silently no-opped npm build could ship a stale dist with a
valid sha256. Verified against the real dist (passes on current version,
trips on a missing one).
- publish-release-assets.sh: verify published assets by downloading and
comparing sha256 against the manifest, not just Content-Length — a
size-correct/content-wrong mirror asset now fails the publish gate.
Verified live against the v1.7.99-alpha assets on the vps2 mirror.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
check_for_updates now fetches the manifest as raw JSON and runs
trust::verify_detached before parsing: a tampered or wrong-signer
signature rejects the mirror outright, and unsigned manifests are
offered for MANUAL apply only — the 3 AM auto-apply scheduler refuses
them, closing the unattended remote-root hole (§A of the 1.8.0
hardening plan). UpdateState gains manifest_signed so the UI can
surface authenticity.
Publisher side: create-release.sh signs the manifest during the
release (ceremony, mnemonic via TTY/env only), publish-release-assets
hard-refuses to ship an unsigned manifest (grep + new 'ceremony
verify' cryptographic gate), and scripts/sign-manifest.sh covers
re-signing outside a release run.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>