Goal
Walk through Keep's own threshold release-signing process once, end to end, to validate the docs and shake out friction. Not urgent; pick a meaningful tag (a minor/major release) rather than a patch.
Steps
- Generate the release-signing group: `keep frost generate --ed25519 --threshold <t> --shares <n> --name release-signing --pubkey-out release-signing.pub`
- Distribute shares to the maintainers (`keep frost export`, bech32/QR).
- Commit/publish `release-signing.pub`.
- On the chosen release: `gh release download <tag> --pattern SHA256SUMS`, then `keep sign SHA256SUMS --group <npub-or-hex> -t "release <tag>"`.
- Verify with stock minisign (`minisign -V -p release-signing.pub -m SHA256SUMS`) and with `keep verify`.
- `gh release upload <tag> SHA256SUMS.minisig`.
- Note any rough edges and fix the docs (`docs/RELEASE_SIGNING.md`) accordingly.
Context
Follow-up to #335. The capability and docs shipped there; this ticket is the one-time dogfood run to confirm the documented flow actually works. Decision so far: Keep does not sign every release; this is a proof-point / validation pass. Related: #500 (distributed signing).
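
A structural pre-flight for the files the steps above produce, as an added example that is not Keep's own code: it parses the stock minisign file layout and checks that the key ID in `SHA256SUMS.minisig` matches `release-signing.pub` and that the trusted comment reads `release <tag>`. It assumes `keep sign -t` writes the minisign trusted comment; the sample key, signature bytes and tag are constructed, and the check complements `minisign -V` rather than replacing it.

```python
import base64
from dataclasses import dataclass

TRUSTED = "trusted comment: "

@dataclass
class MinisigInfo:
    algorithm: str        # "Ed" = legacy, "ED" = BLAKE2b-prehashed
    key_id: bytes         # 8-byte key ID embedded in the signature
    trusted_comment: str  # only meaningful once minisign -V has passed

def pubkey_id(pub_text: str) -> bytes:
    """Key ID from a minisign public key file: base64('Ed' | id[8] | pk[32])."""
    body = [l for l in pub_text.strip().splitlines() if not l.startswith("untrusted comment:")]
    raw = base64.b64decode(body[0], validate=True) if len(body) == 1 else b""
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign Ed25519 public key")
    return raw[2:10]

def parse_minisig(sig_text: str) -> MinisigInfo:
    """Parse the 4-line .minisig layout without verifying the signature."""
    lines = sig_text.strip().splitlines()
    if (len(lines) != 4 or not lines[0].startswith("untrusted comment:")
            or not lines[2].startswith(TRUSTED)):
        raise ValueError("unexpected .minisig layout")
    sig = base64.b64decode(lines[1], validate=True)      # alg[2] | id[8] | sig[64]
    glob = base64.b64decode(lines[3], validate=True)     # global signature[64]
    if len(sig) != 74 or sig[:2] not in (b"Ed", b"ED") or len(glob) != 64:
        raise ValueError("malformed signature block")
    return MinisigInfo(sig[:2].decode(), sig[2:10], lines[2][len(TRUSTED):])

def preflight(pub_text: str, sig_text: str, tag: str) -> list[str]:
    """Return problems found; an empty list means the files are consistent."""
    info, problems = parse_minisig(sig_text), []
    if info.key_id != pubkey_id(pub_text):
        problems.append("signature key ID does not match release-signing.pub")
    if info.trusted_comment != f"release {tag}":
        problems.append(f"trusted comment is {info.trusted_comment!r}, expected 'release {tag}'")
    return problems

# Constructed sample files (dummy bytes, not a valid signature) and constructed tag.
_ID = bytes(range(8))
SAMPLE_PUB = "untrusted comment: constructed key\n" + base64.b64encode(b"Ed" + _ID + bytes(32)).decode()
SAMPLE_SIG = "\n".join(["untrusted comment: constructed signature",
                        base64.b64encode(b"ED" + _ID + bytes(64)).decode(),
                        TRUSTED + "release v1.2.0",
                        base64.b64encode(bytes(64)).decode()])

if __name__ == "__main__":
    print(preflight(SAMPLE_PUB, SAMPLE_SIG, "v1.2.0") or "consistent")
```

A key ID mismatch here usually means the signature was produced by a different group than the published `release-signing.pub`, which is worth recording as a rough edge for `docs/RELEASE_SIGNING.md`.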