archy/scripts/sign-catalog.sh
archipelago 1977bdefb5 feat(trust): pin release-root anchor + ship signed app-catalog
Pin RELEASE_ROOT_PUBKEY_HEX from the 2026-07-02 release-root signing ceremony
(signer did🔑z6MkkidEnEpo6qHMCNSZoNKWtvQvxq3whnaME9wGgEFhq7ur) so nodes verify
the publisher identity of the app-catalog. Sign releases/app-catalog.json in place.

Fix two floats that made the catalog unsignable: archy-btcpay-db manifest version
-> string, fedimint-clientd cpu_limit 0.25 -> 1 (u32). Add scripts/sign-catalog.sh
helper, the 1.8.0 release-hardening plan/tracker, and the commit-and-push project
rule in CLAUDE.md.

Backward-compatible: old binaries still accept the signed catalog; the pinned-anchor
binary ships in the next build/OTA.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 09:15:43 -04:00

44 lines
2.0 KiB
Bash
Executable File

#!/usr/bin/env bash
# One-step release-catalog signer.
#
# Run: bash scripts/sign-catalog.sh
# Then: paste your 24-word release master mnemonic, press Enter, then Ctrl-D.
#
# It signs releases/app-catalog.json in place and checks the signature was made
# by the expected release-root key. Your mnemonic is read from the terminal only
# (never stored, never in shell history, never passed to Claude).
set -euo pipefail
REPO="/home/archipelago/Projects/archy"
CATALOG="$REPO/releases/app-catalog.json"
EXPECTED_DID="did:key:z6MkkidEnEpo6qHMCNSZoNKWtvQvxq3whnaME9wGgEFhq7ur"
# Use ONLY the prebuilt signer. If it isn't ready, stop cleanly — never compile
# here (compiling caused the earlier hangs). Claude builds it in the background.
BIN="/tmp/archy-sign-bin/release/archipelago"
if [[ ! -x "$BIN" ]]; then
echo "⏳ The signer isn't ready yet — Claude is still building it."
echo " Wait until Claude says 'READY', then run this again. Nothing was changed."
exit 0
fi
SIGN=("$BIN" ceremony sign "$CATALOG")
echo "════════════════════════════════════════════════════════════════"
echo " Paste your 24-word release master mnemonic below, press Enter,"
echo " then press Ctrl-D on a new line."
echo "════════════════════════════════════════════════════════════════"
"${SIGN[@]}"
# Verify the signature is present and made by the expected key.
echo
if grep -q "\"signed_by\": \"$EXPECTED_DID\"" "$CATALOG" \
&& grep -q '"signature":' "$CATALOG"; then
echo "✅ SUCCESS — catalog signed by the correct release-root key."
echo " Tell Claude \"signed\" and it will commit + push for you."
else
echo "❌ Something is off — the catalog is NOT signed by the expected key."
echo " Expected signer: $EXPECTED_DID"
echo " Do NOT commit. Check the mnemonic and re-run, or ask Claude."
exit 1
fi