The audit's signing recommendation, scoped to RPM (apt's signed Release metadata already
covers .debs; bootc cosign deferred). packaging/rpm/sign-rpms.sh GPG-signs dist/*.rpm and
self-verifies (rpmkeys --checksig), run from rpm.yml between build + publish.
Safe to ship: the step is a NO-OP (exit 0, unsigned as today) until RPM_GPG_PRIVATE_KEY is
set as a CI secret — so it can't break current CI, and when enabled a bad macro fails loudly
via the in-step checksig rather than shipping bad signatures. rpm/README gains the one-time
enablement runbook (generate a dedicated passphrase-less key, add the secret, publish the
public key, flip gpgcheck=1 only after a signed build lands) and notes step-ca is for TLS,
not OpenPGP (it can't sign RPMs).
Also fixes the rpm/README version staleness the doc review caught: rolling is 0.2.0-0.ciN
(outranks the stray 0.1.1, no pin needed), host releases use host-v* not the client's v*.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
