Sign Windows releases with MrTrust certificate
This commit is contained in:
@@ -8,6 +8,7 @@ Release artifacts are not published yet.
|
||||
|
||||
- Connected Library can track public Git-hosted modpack manifests.
|
||||
- Per-pack auto-update can be enabled after a pack is connected.
|
||||
- Windows release artifacts are signed with the MrTrust code-signing certificate.
|
||||
- Gitea Actions are used as the verification runner.
|
||||
|
||||
## Security
|
||||
@@ -15,6 +16,7 @@ Release artifacts are not published yet.
|
||||
- Dependency audit: pending runner/toolchain confirmation.
|
||||
- Secret handling: no tokens are stored by Connected Library v1.
|
||||
- External network calls: public HTTPS manifest and `.mrpack` downloads.
|
||||
- Windows trust: MrTrust-installed users can trust Modrinth Plus only when artifacts are signed with the matching MrSphay certificate chain.
|
||||
|
||||
## Verification
|
||||
|
||||
@@ -23,6 +25,7 @@ Release artifacts are not published yet.
|
||||
| Gitea Actions build | Must pass before release |
|
||||
| Frontend lint | Covered by Gitea build workflow |
|
||||
| Rust clippy | Covered by Gitea build workflow |
|
||||
| MrTrust signing | Required by Gitea build workflow |
|
||||
| Artifact download | Pending release packaging |
|
||||
|
||||
## Notes
|
||||
|
||||
Reference in New Issue
Block a user