Description
Hydraulic Conveyor offers a very convenient feature: you provide a single root key, typically as a passphrase, and it deterministically derives platform-specific self-signing keys from it. This saves a significant amount of setup and key management effort.
On macOS in particular, this is important because enrolling in the paid Apple Developer Program is not strictly required just to sign your own apps. You can sign macOS applications with your own certificate. The crucial part is that the app is properly signed, not that the certificate was issued by Apple. That often comes as a surprise.
More details about this approach are available here:
https://conveyor.hydraulic.dev/21.1/configs/keys-and-certificates/#root-key
It would be highly beneficial if Nucleus could support a similar model: accept a single root key via environment variables, for example through GitHub Secrets, and automatically derive self-signed binaries for Windows, macOS, and Linux from it.
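An added example, not part of the original issue and not Conveyor's or Nucleus's code: a sketch of how one root passphrase can deterministically yield independent per-platform signing-key seeds, using PBKDF2 for stretching and HKDF-Expand (RFC 5869) for separation. The platform labels, salt prefix, iteration count and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Hypothetical labels and parameters; none of these come from Conveyor or Nucleus.
PLATFORMS = ("windows", "macos", "linux")
PBKDF2_ITERATIONS = 600_000


def stretch_root_key(passphrase: str, app_id: str) -> bytes:
    """Stretch the passphrase into a 32-byte master secret.

    The salt must be fixed for the derivation to be repeatable, so the
    passphrase's own entropy is what protects every derived key.
    """
    salt = b"root-key-demo/" + app_id.encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_platform_seeds(passphrase: str, app_id: str) -> dict:
    """Return one independent 32-byte seed per platform.

    Each seed would be fed to that platform's key generator; a distinct
    `info` label keeps the seeds unrelated, so leaking one does not reveal
    the others or the master secret.
    """
    master = stretch_root_key(passphrase, app_id)
    return {p: hkdf_expand(master, b"signing-key/" + p.encode("ascii")) for p in PLATFORMS}


if __name__ == "__main__":
    # Constructed sample input; in CI the passphrase would come from a secret.
    seeds = derive_platform_seeds("correct horse battery staple demo", "com.example.app")
    for platform, seed in seeds.items():
        # Print a fingerprint only, never the seed itself.
        print(platform, hashlib.sha256(seed).hexdigest()[:16])
```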