From fe07afbe364aed044fae8df4c4e3126b7d27039b Mon Sep 17 00:00:00 2001
From: Gaspard Kirira <gaspardkirira9@gmail.com>
Date: Tue, 10 Feb 2026 11:05:17 +0300
Subject: [PATCH] v1.34.45: add sha256 + minisign signatures to release assets

---
 .github/workflows/release.yml | 41 +++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6eaabf3..b32b02b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -445,6 +445,47 @@ jobs:
 
           test "$(ls -A dist | wc -l)" -gt 0
 
+      - name: Generate sha256 files
+        shell: bash
+        run: |
+          set -euxo pipefail
+          cd dist
+          for f in vix-*; do
+            [ -f "$f" ] || continue
+            sha256sum "$f" > "$f.sha256"
+          done
+          ls -la
+
+      - name: Sign assets (minisign)
+        shell: bash
+        env:
+          MINISIGN_PRIVATE_KEY_B64: ${{ secrets.MINISIGN_PRIVATE_KEY_B64 }}
+          MINISIGN_PASSWORD: ${{ secrets.MINISIGN_PASSWORD }}
+        run: |
+          set -euxo pipefail
+
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends minisign
+
+          cd dist
+
+          keyfile="$(mktemp)"
+          chmod 600 "$keyfile"
+          printf "%s" "$MINISIGN_PRIVATE_KEY_B64" | base64 -d > "$keyfile"
+          test -s "$keyfile"
+
+          for f in vix-*.tar.gz vix-*.zip; do
+            [ -f "$f" ] || continue
+            if [ -n "${MINISIGN_PASSWORD:-}" ]; then
+              printf "%s" "$MINISIGN_PASSWORD" | minisign -S -s "$keyfile" -m "$f"
+            else
+              minisign -S -s "$keyfile" -m "$f"
+            fi
+          done
+
+          rm -f "$keyfile"
+          ls -la
+
       - name: Determine tag
         id: tag
         shell: bash