blockers 2

scripts/mirror/check_signing_prereqs.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Verifies signing prerequisites without requiring the actual key contents.
+set -euo pipefail
+if [[ -z "${MIRROR_SIGN_KEY_B64:-}" ]]; then
+  echo "MIRROR_SIGN_KEY_B64 is not set" >&2
+  exit 2
+fi
+# basic base64 sanity check
+if ! printf "%s" "$MIRROR_SIGN_KEY_B64" | base64 -d >/dev/null 2>&1; then
+  echo "MIRROR_SIGN_KEY_B64 is not valid base64" >&2
+  exit 3
+fi
+# ensure scripts exist
+for f in scripts/mirror/ci-sign.sh scripts/mirror/sign_thin_bundle.py scripts/mirror/verify_thin_bundle.py; do
+  [[ -x "$f" || -f "$f" ]] || { echo "$f missing" >&2; exit 4; }
+done
+echo "Signing prerequisites present (key env set, scripts available)."