Releasing MDMesh

Cutting a release is one command — push a semver tag:

git tag v1.2.3 && git push --tags

.github/workflows/release.yml then:

  • runs the agent unit tests and builds the signed release APK,
  • builds and pushes the server and web images to GHCR,
  • builds a minisign-signed manifest, and
  • publishes a GitHub Release with mdmesh-agent.apk, manifest.json, and manifest.json.minisig.

The fleet auto-updater (later phases) consumes that signed manifest.

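Tags must be strict vMAJOR.MINOR.PATCH; the workflow rejects anything else. versionCode is derived as major*10000 + minor*100 + patch (monotonic). The formula stays monotonic only while minor and patch are below 100: v1.100.0 and v2.0.0 would both map to 20000.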

One-time setup (you own the keys — do this offline)

These two key sets are custody-critical. Generate them on a secure machine, store backups in a password manager / HSM, and add them as repo secrets (Settings → Secrets and variables → Actions).

1. APK release keystore — NEVER ROTATE

Android ties the Device-Owner relationship to the APK's signing certificate. If the signing key changes, OTA updates are rejected and every enrolled device must be factory-reset. So this key is generated once and used forever.

keytool -genkeypair -v -keystore mdmesh-release.jks -alias mdmesh \
  -keyalg RSA -keysize 4096 -validity 10000
base64 -w0 mdmesh-release.jks   # value for the MDM_RELEASE_STORE_B64 secret

Secrets: MDM_RELEASE_STORE_B64 (the base64), MDM_RELEASE_STORE_PASSWORD, MDM_RELEASE_KEY_ALIAS (mdmesh), MDM_RELEASE_KEY_PASSWORD.

2. Manifest signing key (minisign)

Establishes release trust: deployments verify the manifest against the committed public key and reject anything unsigned/tampered.

minisign -G -p release/minisign.pub -s mdmesh-release.key   # set a password
  • Commit the generated release/minisign.pub (replace the placeholder in the repo).
  • Secrets: MINISIGN_SECRET_KEY = the full contents of mdmesh-release.key; MINISIGN_PASSWORD = its password.

How a deployment trusts a release

The updater fetches the GitHub Release, verifies manifest.json against the baked release/minisign.pub, then checks each artifact's SHA-256 against the manifest. A release published without the private minisign key fails verification and is refused — so a hijacked repo/account alone can't push code to the fleet.
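The verification order described above, as an added sketch that is not MDMesh's updater or its release/verify-manifest.sh: the signature is checked before the manifest is parsed, and any missing, out-of-directory or mismatching artifact aborts the whole release. The manifest schema (`artifacts` entries with `name` and `sha256`) and all function names are assumptions; the signature check shells out to the minisign CLI.

```python
import hashlib
import json
import subprocess
from pathlib import Path


def minisign_verify(manifest: Path, pubkey: Path) -> bool:
    """Check manifest.json against manifest.json.minisig using the minisign CLI."""
    try:
        proc = subprocess.run(
            ["minisign", "-V", "-p", str(pubkey), "-m", str(manifest)],
            capture_output=True,
        )
    except OSError:
        return False  # minisign missing or not executable: fail closed
    return proc.returncode == 0


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large APKs are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_release(release_dir, pubkey, check_sig=minisign_verify):
    """Return the verified artifact paths; raise if any check fails."""
    root = Path(release_dir).resolve()
    manifest = root / "manifest.json"
    # Signature first: an unauthenticated manifest is never parsed or trusted.
    if not check_sig(manifest, Path(pubkey)):
        raise ValueError("manifest signature did not verify")
    # Assumed schema: {"artifacts": [{"name": ..., "sha256": ...}]}
    entries = json.loads(manifest.read_bytes())["artifacts"]
    if not entries:
        raise ValueError("manifest lists no artifacts")
    verified = []
    for entry in entries:
        path = (root / entry["name"]).resolve()
        if path.parent != root:  # reject names such as "../x"
            raise ValueError(f"artifact outside release dir: {entry['name']!r}")
        if not path.is_file():
            raise ValueError(f"artifact missing: {entry['name']}")
        if sha256_file(path) != entry["sha256"].lower():
            raise ValueError(f"SHA-256 mismatch: {entry['name']}")
        verified.append(path)
    return verified
```

The `check_sig` parameter exists so the hash logic can be exercised without a real key; a deployment would leave it at the default and pass the baked-in release/minisign.pub.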

Verifying locally

release/version.sh 1.2.3            # → 10203
release/apk-checksum.sh some.apk    # → provisioning signature checksum
release/verify-manifest.sh manifest.json   # needs minisign + the real public key