Pin RELEASE_ROOT_PUBKEY_HEX from the 2026-07-02 release-root signing ceremony
(signer did🔑z6MkkidEnEpo6qHMCNSZoNKWtvQvxq3whnaME9wGgEFhq7ur) so nodes verify
the publisher identity of the app-catalog. Sign releases/app-catalog.json in place.
Fix two floats that made the catalog unsignable: archy-btcpay-db manifest version
-> string, fedimint-clientd cpu_limit 0.25 -> 1 (u32). Add scripts/sign-catalog.sh
helper, the 1.8.0 release-hardening plan/tracker, and the commit-and-push project
rule in CLAUDE.md.
Backward-compatible: old binaries still accept the signed catalog; the pinned-anchor
binary ships in the next build/OTA.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
44 lines
2.0 KiB
Bash
Executable File
44 lines
2.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# One-step release-catalog signer.
|
|
#
|
|
# Run: bash scripts/sign-catalog.sh
|
|
# Then: paste your 24-word release master mnemonic, press Enter, then Ctrl-D.
|
|
#
|
|
# It signs releases/app-catalog.json in place and checks the signature was made
|
|
# by the expected release-root key. Your mnemonic is read from the terminal only
|
|
# (never stored, never in shell history, never passed to Claude).
|
|
set -euo pipefail
|
|
|
|
REPO="/home/archipelago/Projects/archy"
|
|
CATALOG="$REPO/releases/app-catalog.json"
|
|
EXPECTED_DID="did:key:z6MkkidEnEpo6qHMCNSZoNKWtvQvxq3whnaME9wGgEFhq7ur"
|
|
|
|
# Use ONLY the prebuilt signer. If it isn't ready, stop cleanly — never compile
|
|
# here (compiling caused the earlier hangs). Claude builds it in the background.
|
|
BIN="/tmp/archy-sign-bin/release/archipelago"
|
|
if [[ ! -x "$BIN" ]]; then
|
|
echo "⏳ The signer isn't ready yet — Claude is still building it."
|
|
echo " Wait until Claude says 'READY', then run this again. Nothing was changed."
|
|
exit 0
|
|
fi
|
|
SIGN=("$BIN" ceremony sign "$CATALOG")
|
|
|
|
echo "════════════════════════════════════════════════════════════════"
|
|
echo " Paste your 24-word release master mnemonic below, press Enter,"
|
|
echo " then press Ctrl-D on a new line."
|
|
echo "════════════════════════════════════════════════════════════════"
|
|
"${SIGN[@]}"
|
|
|
|
# Verify the signature is present and made by the expected key.
|
|
echo
|
|
if grep -q "\"signed_by\": \"$EXPECTED_DID\"" "$CATALOG" \
|
|
&& grep -q '"signature":' "$CATALOG"; then
|
|
echo "✅ SUCCESS — catalog signed by the correct release-root key."
|
|
echo " Tell Claude \"signed\" and it will commit + push for you."
|
|
else
|
|
echo "❌ Something is off — the catalog is NOT signed by the expected key."
|
|
echo " Expected signer: $EXPECTED_DID"
|
|
echo " Do NOT commit. Check the mnemonic and re-run, or ask Claude."
|
|
exit 1
|
|
fi
|