JSON Analyzer v0.1.8 - The Pinned Key Holds
The Quest
The release road found a quiet trap in its own warding. The installer carried the trusted APT signing key into the published asset, then mistook that same key for an unreplaced placeholder and erased it before verification could begin. This release reforges that check so the pinned key remains pinned.
What Awoke
- The APT repository installer template now keeps its placeholder sentinel separate from the release-injected signing fingerprint.
- The Linux release workflow now renders `install-apt-repo.sh` into a dedicated release asset directory instead of mutating the source template in place.
- Release validation now checks the generated installer asset directly, including shell syntax, absence of the raw placeholder, presence of the injected fingerprint, and protection against clearing that fingerprint.
- Linux release asset upload now publishes the generated installer from `release-assets/`, matching the file that validation inspected.
Runes of Assurance
- `sh -n scripts/install-apt-repo.sh` passed.
- A simulated release substitution with the live APT signing fingerprint kept the default fingerprint and did not create a self-clearing sentinel check.
- `.github/workflows/release.yml` parsed as YAML.
- `git diff --check` passed for the installer and release workflow changes.
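The self-clearing sentinel and the four checks on the generated asset can be reproduced with a small script. This is an added example, not the project's installer or workflow: the placeholder token, the fingerprint, the two toy templates and all function names are constructed for illustration, and splitting the sentinel string is one assumed way to keep it out of reach of the substitution.

```shell
# Added example; token, fingerprint and function names are constructed.
PLACEHOLDER='__APT_SIGNING_FPR__'                  # hypothetical placeholder token
FPR='0123456789ABCDEF0123456789ABCDEF01234567'     # constructed, not a real key

# Flawed: the sentinel literal equals the token, so substitution rewrites both.
write_flawed_template() {
cat > "$1" <<'EOF'
#!/bin/sh
EXPECTED_FPR="__APT_SIGNING_FPR__"
if [ "$EXPECTED_FPR" = "__APT_SIGNING_FPR__" ]; then EXPECTED_FPR=""; fi
printf '%s\n' "$EXPECTED_FPR"
EOF
}

# Corrected: the sentinel is built from two pieces the substitution never matches.
write_fixed_template() {
cat > "$1" <<'EOF'
#!/bin/sh
EXPECTED_FPR="__APT_SIGNING_FPR__"
SENTINEL="__APT_SIGNING""_FPR__"
if [ "$EXPECTED_FPR" = "$SENTINEL" ]; then EXPECTED_FPR=""; fi
printf '%s\n' "$EXPECTED_FPR"
EOF
}

# Render TEMPLATE into OUTDIR; the source template is left untouched.
render_installer() {
  mkdir -p "$2" && sed "s/$PLACEHOLDER/$FPR/g" "$1" > "$2/install-apt-repo.sh"
}

# Validate the generated ASSET; a non-zero status names the failed check.
validate_installer() {
  sh -n "$1" || return 1                               # 1: shell syntax error
  if grep -q "$PLACEHOLDER" "$1"; then return 2; fi    # 2: raw placeholder left
  grep -q "$FPR" "$1" || return 3                      # 3: fingerprint missing
  # 4: fingerprint used as a comparison operand, i.e. a self-clearing check
  if grep -Eq "=[[:space:]]*\"$FPR\"[[:space:]]*\]" "$1"; then return 4; fi
  return 0
}

# Demo: render both templates and report each validation status.
work=$(mktemp -d)
for v in flawed fixed; do
  "write_${v}_template" "$work/$v.in" && render_installer "$work/$v.in" "$work/$v"
  rc=0; validate_installer "$work/$v/install-apt-repo.sh" || rc=$?
  echo "$v: validate rc=$rc"
done
rm -rf "$work"
```

The flawed asset passes the first three checks, which is why the fourth check, aimed at the comparison itself, is the one that catches this class of regression.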
Known Boundaries
- The hosted release workflow remains the final proof that GitHub Pages, release assets, and package signing all converge.
- Existing broken installer assets from older releases still need to be replaced by publishing this release.
- The APT repository currently publishes Linux `amd64` packages only.
- PDF export UI, auto-update metadata, and Windows signing remain outside this release.