blocked 4

scripts/mirror/check_signing_prereqs.sh

@@ -2,6 +2,10 @@
 # Verifies signing prerequisites without requiring the actual key contents.
 set -euo pipefail
 if [[ -z "${MIRROR_SIGN_KEY_B64:-}" ]]; then
+  if [[ "${REQUIRE_PROD_SIGNING:-0}" == "1" ]]; then
+    echo "[error] MIRROR_SIGN_KEY_B64 is required for production signing; set the secret before running." >&2
+    exit 2
+  fi
   echo "[warn] MIRROR_SIGN_KEY_B64 is not set; ci-sign.sh will fall back to embedded test key (non-production)." >&2
 fi
 # basic base64 sanity check

scripts/mirror/ci-sign.sh

@@ -1,8 +1,13 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# Allow CI to fall back to a deterministic test key when MIRROR_SIGN_KEY_B64 is unset.
+# Allow CI to fall back to a deterministic test key when MIRROR_SIGN_KEY_B64 is unset,
+# but forbid this on release/tag builds when REQUIRE_PROD_SIGNING=1.
 DEFAULT_TEST_KEY_B64="LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUhLbjhWMjJ5ZEpwbkZTY3k5VlNsdTczNXZBQ1NFdFFIWlBRR3pSNzcyUGcKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo="
 if [[ -z "${MIRROR_SIGN_KEY_B64:-}" ]]; then
+  if [[ "${REQUIRE_PROD_SIGNING:-0}" == "1" ]]; then
+    echo "[error] MIRROR_SIGN_KEY_B64 is required for production signing; refusing to use test key." >&2
+    exit 1
+  fi
   echo "[warn] MIRROR_SIGN_KEY_B64 not set; using embedded test key (non-production) for CI signing" >&2
   MIRROR_SIGN_KEY_B64="$DEFAULT_TEST_KEY_B64"
 fi