Parent: #123
.deb packages and the APT repository metadata (L4) are signed with a Fallout project GPG key; the key is published with a documented fingerprint and rotation procedure.
Definition of done
- Project GPG key generated (4096-bit RSA or Ed25519 — decision recorded; Ed25519 preferred unless tooling constraint).
- Private key stored in GitHub Actions secret; never committed.
- Public key published at a stable URL on the docs site (and mirrored to a keyserver).
- Fingerprint listed in
README.md install instructions and in docs/.
Release.gpg + InRelease files for the APT repo (L4) signed with this key.- Rotation runbook in
docs/ covering: how to rotate, how to communicate the rotation, transition period (publish under both keys for N weeks).
- Key custody — who holds the private key, and the recovery story if the holder is unavailable — documented (link from umbrella issue).
Parent: #123
.debpackages and the APT repository metadata (L4) are signed with a Fallout project GPG key; the key is published with a documented fingerprint and rotation procedure.Definition of done
README.mdinstall instructions and indocs/.Release.gpg+InReleasefiles for the APT repo (L4) signed with this key.docs/covering: how to rotate, how to communicate the rotation, transition period (publish under both keys for N weeks).