I'm legit asking, how do you nostr sign release binaries? Is there a tool for that?
Discussion
https://github.com/mleku/signr
This might be worth looking into (have not tried)
Will check that one out.
Also NIP-46 (on a server, with nak, with Amber on phone, on nostr:npub1dqepr0g4t3ahvnjtnxazvws4rkqjpxl854n29wcew8wph0fmw90qlsmmgt upcoming device, etc)
NIP-94 (kind 1063) for binaries, NIP-51 (kind 30063) for binary sets and NIP-XX (kind 32267) for apps.
As for best UX, that's something I'm trying to figure out with zap.store.
Example of what those events look like: https://github.com/zapstore/zapstore/wiki/Sample-app-events
How are you signing your software? Gave GPG key to a github action?
I download the tarballs locally on my laptop, compute checksums into manifest file and gpg sign the manifest file. Then I upload the manifest and signature asc file to the release.
https://github.com/sommerfelddev/sentrum/blob/master/utils/create-signed-manifest.sh
No way I would give github my pgp key lol.
Good to know you do that, so many devs just stuff it in the GH secrets
As others have posted, there seem to be some NIPs for that, but you could “just” secp256k1 Schnorr sign the binary/hash-of-it with the same private key you use on Nostr, as it's already associated with your Nostr notes
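Added example, not part of the thread and not code from any project linked in it: a Python sketch of what a NIP-94 (kind 1063) release event commits to, and the check a downloader can run against it. The pubkey, URL and binary bytes are constructed placeholders, the function names are hypothetical, and the Schnorr signature over the event id is left to a separate signer (for example a NIP-46 one) and a BIP-340 library.

```python
import hashlib
import hmac
import json


def event_id(pubkey, created_at, kind, tags, content):
    """NIP-01 event id: sha256 of the compact JSON array, UTF-8 encoded."""
    payload = json.dumps([0, pubkey, created_at, kind, tags, content],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_release_event(pubkey, blob, url, mime, created_at, description=""):
    """Unsigned kind 1063 event; the 'x' tag carries the binary's sha256."""
    tags = [["url", url], ["m", mime],
            ["x", hashlib.sha256(blob).hexdigest()]]
    event = {"pubkey": pubkey, "created_at": created_at, "kind": 1063,
             "tags": tags, "content": description}
    # The id is the 32-byte message the author's key Schnorr-signs.
    event["id"] = event_id(pubkey, created_at, 1063, tags, description)
    return event


def check_download(event, blob):
    """Downloader side: the id must match the fields, and 'x' must match the file.

    This does not replace verifying the BIP-340 signature over event["id"]
    against event["pubkey"]; do that first with a vetted library.
    """
    recomputed = event_id(event["pubkey"], event["created_at"],
                          event["kind"], event["tags"], event["content"])
    if not hmac.compare_digest(recomputed, event["id"]):
        return False  # fields were altered after the id was computed
    x_values = [t[1] for t in event["tags"] if len(t) >= 2 and t[0] == "x"]
    if len(x_values) != 1:
        return False  # missing or ambiguous hash tag
    return hmac.compare_digest(x_values[0], hashlib.sha256(blob).hexdigest())


# Constructed sample values, for illustration only.
SAMPLE_PUBKEY = "ab" * 32
SAMPLE_BLOB = b"\x7fELF constructed release bytes"
SAMPLE_URL = "https://example.com/releases/tool-1.0.0.tar.gz"

if __name__ == "__main__":
    ev = build_release_event(SAMPLE_PUBKEY, SAMPLE_BLOB, SAMPLE_URL,
                             "application/gzip", 1700000000, "tool 1.0.0")
    print(json.dumps(ev, indent=2))
    print("download ok:", check_download(ev, SAMPLE_BLOB))
```

Because the id covers the tags, a signature over it also covers the file hash, so replacing the binary or editing the `x` tag makes the check fail.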