update: docs + publish script for the self-update feature
README gets a top-level Updating section; docs/privileges.md gains a step-by-step trust-model writeup of `banger update`. The new scripts/publish-banger-release.sh drives the manual release cut: build, tar, sha256sum, cosign sign-blob, verify against the embedded public key, jq-merge into manifest.json, rclone upload to the R2 bucket. Refuses outright if the embedded key is still the placeholder so we can't accidentally publish an unverifiable release. Also folds in gofmt drift accumulated across the updater package and a few sibling files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
8ed351ea47
commit
fae28e3d8b
10 changed files with 310 additions and 33 deletions
|
|
@ -25,25 +25,26 @@ const MaxSignatureBytes int64 = 1024
|
|||
//
|
||||
// Production-cut workflow (for the maintainer cutting v0.1.0):
|
||||
//
|
||||
// 1. Generate the keypair (one-time, store the private key offline):
|
||||
// cosign generate-key-pair
|
||||
// Produces cosign.key (private) and cosign.pub (public). The
|
||||
// private key is password-protected; remember the password.
|
||||
// 1. Generate the keypair (one-time, store the private key offline):
|
||||
// cosign generate-key-pair
|
||||
// Produces cosign.key (private) and cosign.pub (public). The
|
||||
// private key is password-protected; remember the password.
|
||||
//
|
||||
// 2. Replace the PEM block below with the contents of cosign.pub.
|
||||
// Commit. From this point on, every banger CLI baked from this
|
||||
// repo will only trust signatures made with cosign.key.
|
||||
// 2. Replace the PEM block below with the contents of cosign.pub.
|
||||
// Commit. From this point on, every banger CLI baked from this
|
||||
// repo will only trust signatures made with cosign.key.
|
||||
//
|
||||
// 3. At release time, sign SHA256SUMS:
|
||||
// cosign sign-blob --key cosign.key --output-signature \
|
||||
// SHA256SUMS.sig SHA256SUMS
|
||||
// Publish SHA256SUMS.sig alongside SHA256SUMS in the bucket;
|
||||
// the manifest's `sha256sums_sig_url` field references it.
|
||||
// 3. At release time, sign SHA256SUMS:
|
||||
// cosign sign-blob --key cosign.key --output-signature \
|
||||
// SHA256SUMS.sig SHA256SUMS
|
||||
// Publish SHA256SUMS.sig alongside SHA256SUMS in the bucket;
|
||||
// the manifest's `sha256sums_sig_url` field references it.
|
||||
//
|
||||
// 4. Rotating the key after publication means publishing a new
|
||||
// banger release that embeds the new key, then re-signing
|
||||
// every release artifact with the new key. v0.1.x is too
|
||||
// early to design a clean rotation story; defer.
|
||||
//
|
||||
// 4. Rotating the key after publication means publishing a new
|
||||
// banger release that embeds the new key, then re-signing
|
||||
// every release artifact with the new key. v0.1.x is too
|
||||
// early to design a clean rotation story; defer.
|
||||
// var (rather than const) only because tests need to swap it for an
|
||||
// in-test-generated key; production sets it at compile time and
|
||||
// never mutates it.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue