v1.34.49: passwordless minisign CI key + secure gitignore (#308)

GaspardKirira · web-flow · commit 6d01417366fe · 2026-02-10T13:32:09.000+03:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -460,7 +460,6 @@ jobs:
         shell: bash
         env:
           MINISIGN_PRIVATE_KEY_B64: ${{ secrets.MINISIGN_PRIVATE_KEY_B64 }}
-          MINISIGN_PASSWORD: ${{ secrets.MINISIGN_PASSWORD }}
         run: |
           set -euxo pipefail
           cd dist
@@ -479,13 +478,9 @@ jobs:
           printf "%s" "$MINISIGN_PRIVATE_KEY_B64" | base64 -d > "$keyfile"
           test -s "$keyfile"
 
-          # clé minisign chiffrée -> password obligatoire
-          test -n "${MINISIGN_PASSWORD:-}" || { echo "MINISIGN_PASSWORD missing" >&2; exit 1; }
-
           for f in vix-*.tar.gz vix-*.zip; do
             [ -f "$f" ] || continue
-            # IMPORTANT: pas de -x (c'est le chemin du .minisig), et on envoie un vrai newline
-            printf '%s\n' "$MINISIGN_PASSWORD" | "$MS" -S -s "$keyfile" -m "$f"
+            "$MS" -S -s "$keyfile" -m "$f"
           done
 
           rm -f "$keyfile"
diff --git a/.gitignore b/.gitignore
@@ -77,3 +77,8 @@ create-labels.sh
 *.key
 *.minisig
 *.sha256
+# minisign private keys (CI)
+*.key
+*.key.b64
+minisign_ci.key
+minisign_ci.key.b64
diff --git a/minisign_ci.pub b/minisign_ci.pub
@@ -0,0 +1,2 @@
+untrusted comment: minisign public key 3BD72CED2937E88
+RWSIfpPSznK9A1gWUc8Eg2iXXQwU5d9BYuQNKGOcoujAF2stPu5rKFjQ

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+untrusted comment: minisign public key 3BD72CED2937E88`
	`2`	`+RWSIfpPSznK9A1gWUc8Eg2iXXQwU5d9BYuQNKGOcoujAF2stPu5rKFjQ`