5b805978ff
The audit's signing recommendation, scoped to RPM (apt's signed Release metadata already covers .debs; bootc cosign deferred). packaging/rpm/sign-rpms.sh GPG-signs dist/*.rpm and self-verifies (rpmkeys --checksig), run from rpm.yml between build + publish. Safe to ship: the step is a NO-OP (exit 0, unsigned as today) until RPM_GPG_PRIVATE_KEY is set as a CI secret — so it can't break current CI, and when enabled a bad macro fails loudly via the in-step checksig rather than shipping bad signatures. rpm/README gains the one-time enablement runbook (generate a dedicated passphrase-less key, add the secret, publish the public key, flip gpgcheck=1 only after a signed build lands) and notes step-ca is for TLS, not OpenPGP (it can't sign RPMs). Also fixes the rpm/README version staleness the doc review caught: rolling is 0.2.0-0.ciN (outranks the stray 0.1.1, no pin needed), host releases use host-v* not the client's v*. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>