Skip to content

Commit 56ee793

Browse files
committed
Add more docs about signing
1 parent e88f8ce commit 56ee793

1 file changed

Lines changed: 17 additions & 1 deletion

File tree

README.md

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -193,7 +193,23 @@ Time/thrust data points for each thrust curve.
193193

194194
## Signing
195195

196-
The GitHub workflow signs `motors.db.gz` after `metadata.json` is generated. Set the private key in:
196+
Signing is done in CI after the database build completes.
197+
198+
What is signed:
199+
- Canonical message: `openrocket-motordb-v1\n{database_version}\n{sha256_gz}\n`
200+
- `sha256_gz` is the SHA-256 of `motors.db.gz` (the compressed DB)
201+
202+
What gets added to `metadata.json` by the signing step:
203+
- `sha256_gz`: SHA-256 of `motors.db.gz` (currently matches `sha256`)
204+
- `sig`: base64-encoded Ed25519 signature of the canonical message
205+
- `key_id` (optional): identifier for key rotation
206+
207+
How CI handles it:
208+
- `.github/workflows/update-motors.yml` installs `cryptography`
209+
- It runs `python scripts/sign_database.py motors.db.gz metadata.json`
210+
- The private key is provided via secrets
211+
212+
Set the private key in:
197213

198214
- `MOTOR_DB_PRIVATE_KEY_BASE64` (Ed25519 private key, DER or PEM encoded, then base64)
199215
- `MOTOR_DB_KEY_ID` (optional, for key rotation)

0 commit comments

Comments
 (0)