
Add cryptographic signature verification to install script

Status: Open. Opened by Muktarsadiq (0 comments).

Problem

The install script does not verify release integrity (#2075), leaving users vulnerable to:

  • Compromised or corrupted downloads
  • Man-in-the-middle attacks
  • Tampered release files

Solution

Implemented cryptographic signature verification using Minisign.

Why Minisign?

While the issue mentioned GPG, I chose Minisign because it:

  • Provides the same cryptographic security guarantees as GPG
  • Is specifically designed for signing software releases
  • Is simpler and less error-prone than GPG
  • Is recommended by security experts (used by WireGuard, Tarsnap, etc.)
  • Has a smaller attack surface due to its focused design
  • Is easier for maintainers to integrate into release workflows

Both GPG and Minisign solve the core security problem: verifying that releases come from legitimate maintainers and haven't been tampered with. Minisign achieves this with a more streamlined, modern approach.

Changes

Modified Files

  • dev/unix/volta-install.sh
    • Added Volta_PUBLIC_KEY constant for signature verification
    • Added check_minisign() function for automatic minisign installation
    • Added verify_release_signature() function to verify tarball signatures
    • Modified download_release_from_repo() to download .minisig signature files
    • Modified install_release() to verify signatures before installation
    • Added version check for backward compatibility (skips verification for versions < v2.0.3)

New Files

  • RELEASING.md
    • Complete guide for maintainers on signing releases
    • Key generation instructions
    • Signing workflow
    • Key management best practices

Testing

Since existing releases don't have signatures, I tested locally by:

  1. Setup: Downloaded actual Volta v2.0.1 release tarball and signed with test minisign keys
  2. Modified script temporarily to use local files for testing

Test Results

✅ Test 1: Valid Signature

  • Downloaded release with valid signature
  • Verification succeeded
  • Installation completed successfully (screenshot: 2025-10-24 16:01:15)

✅ Test 2: Tampered File

  • Modified tarball after signing
  • Verification correctly failed with clear error message
  • Installation was aborted
  • Files were cleaned up (screenshot: 2025-10-24 16:07:19)

✅ Test 3: Missing Signature

  • Removed signature file
  • Script detected missing signature
  • Installation was aborted with helpful error message (screenshot: 2025-10-24 16:58:19)

✅ Test 4: Minisign Auto-Installation

  • Script correctly detects missing minisign
  • Attempts automatic installation via package manager
  • Falls back to manual instructions if needed

All tests passed ✅

Backward Compatibility

The implementation includes version detection:

  • Releases >= v2.0.3: Signature verification required
  • Releases < v2.0.3: Verification skipped with warning message
  • Old releases can still be installed

Documentation

For Maintainers

Created comprehensive RELEASING.md with:

  • Prerequisites and setup
  • Key generation (one-time)
  • Step-by-step signing process
  • Upload and verification steps
  • Key management and rotation
  • Troubleshooting guide

Questions for Maintainers

  1. Version cutoff: I set v2.0.3 as the first signed version. Should this be adjusted?
  2. Key generation: Would you like assistance generating official signing keys?
  3. Public key: The current Volta_PUBLIC_KEY is from my test key - this needs to be replaced with the official public key once generated
  4. CI/CD: Should signature generation be added to the release automation workflow?

Next Steps (for maintainers)

To enable signature verification:

  1. Generate official signing keys (see RELEASING.md)
  2. Update Volta_PUBLIC_KEY in dev/unix/volta-install.sh with official public key
  3. Sign future releases (v2.0.3+) following RELEASING.md guide

Resolves #2075

Muktarsadiq, Oct 25 '25 17:10
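The verification flow this PR describes (a pinned Volta_PUBLIC_KEY constant, a version cutoff below which verification is skipped with a warning, detached .minisig files checked with minisign, and cleanup of the download when verification fails), written out as an added shell example. This is not Volta's dev/unix/volta-install.sh and not the PR's code: the function names mirror the PR's description, but their bodies and exit codes are my own assumptions, the public key is an obvious placeholder, and the minisign invocation uses minisign's documented -V, -m, -x and -P flags.

```shell
#!/bin/sh
# Added example, not Volta's install script. Shows the shape of the
# verification flow the PR describes: a pinned public key, a cutoff version,
# detached .minisig verification, and cleanup when verification fails.
set -u

# Placeholder only: must be replaced with the project's official minisign public key.
VOLTA_PUBLIC_KEY="RWQPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER"
# First release expected to ship a signature (the PR proposes v2.0.3).
FIRST_SIGNED_VERSION="v2.0.3"

# version_ge A B: returns 0 when version A >= version B.
# Accepts "v2.0.3" or "2.0.3"; components are assumed numeric, missing ones count as 0.
version_ge() {
  a=${1#v} b=${2#v}
  old_ifs=$IFS
  IFS=.
  set -- $a
  a1=${1:-0} a2=${2:-0} a3=${3:-0}
  set -- $b
  b1=${1:-0} b2=${2:-0} b3=${3:-0}
  IFS=$old_ifs
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# verify_release_signature TARBALL [SIGFILE]
# Exit codes (my convention): 0 verified, 1 bad signature,
# 2 release or signature file missing, 3 minisign not available.
verify_release_signature() {
  tarball=$1
  sigfile=${2:-$1.minisig}
  if [ ! -f "$tarball" ]; then
    echo "error: release file not found: $tarball" >&2
    return 2
  fi
  if [ ! -f "$sigfile" ]; then
    echo "error: signature file missing: $sigfile (refusing to install unverified release)" >&2
    return 2
  fi
  if ! command -v minisign >/dev/null 2>&1; then
    echo "error: minisign is not installed; install it with your package manager and retry" >&2
    return 3
  fi
  # -V verify, -q quiet on success, -m file, -x detached signature, -P public key string.
  if minisign -V -q -m "$tarball" -x "$sigfile" -P "$VOLTA_PUBLIC_KEY"; then
    echo "signature verified: $tarball"
    return 0
  fi
  echo "error: signature verification FAILED for $tarball" >&2
  return 1
}

# install_release VERSION TARBALL
# Verifies the tarball for versions at or above FIRST_SIGNED_VERSION; older
# releases install with a warning. On verification failure the downloaded
# files are removed and nothing is installed.
install_release() {
  version=$1
  tarball=$2
  if version_ge "$version" "$FIRST_SIGNED_VERSION"; then
    if ! verify_release_signature "$tarball"; then
      rm -f "$tarball" "$tarball.minisig"
      return 1
    fi
  else
    echo "warning: $version predates signed releases ($FIRST_SIGNED_VERSION); skipping signature verification" >&2
  fi
  # Unpacking and placing the binaries would go here (omitted in this example).
  return 0
}

# Usage when run directly:  sh verify-example.sh v2.0.3 ./volta.tar.gz
if [ "$#" -eq 2 ]; then
  install_release "$1" "$2"
fi
```

The ordering matters for the failure modes the PR tests: a missing .minisig is rejected before minisign is ever invoked, so an attacker who can strip the signature file cannot downgrade the check to "nothing to verify", and any failure on the signed path deletes both the tarball and the signature so a later run cannot pick up the unverified file.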