File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -193,7 +193,23 @@ Time/thrust data points for each thrust curve.
193193
194194## Signing
195195
196- The GitHub workflow signs ` motors.db.gz ` after ` metadata.json ` is generated. Set the private key in:
196+ Signing is done in CI after the database build completes.
197+
198+ What is signed:
199+ - Canonical message: ` openrocket-motordb-v1\n{database_version}\n{sha256_gz}\n `
200+ - ` sha256_gz ` is the SHA-256 of ` motors.db.gz ` (the compressed DB)
201+
202+ What gets added to ` metadata.json ` by the signing step:
203+ - ` sha256_gz ` : SHA-256 of ` motors.db.gz ` (currently matches ` sha256 ` )
204+ - ` sig ` : base64-encoded Ed25519 signature of the canonical message
205+ - ` key_id ` (optional): identifier for key rotation
206+
207+ How CI handles it:
208+ - ` .github/workflows/update-motors.yml ` installs ` cryptography `
209+ - It runs ` python scripts/sign_database.py motors.db.gz metadata.json `
210+ - The private key is provided via secrets
211+
212+ Set the private key in:
197213
198214- ` MOTOR_DB_PRIVATE_KEY_BASE64 ` (Ed25519 private key, DER or PEM encoded, then base64)
199215- ` MOTOR_DB_KEY_ID ` (optional, for key rotation)
You can’t perform that action at this time.
0 commit comments