From 0c527a674dc9ec591f4216fbd858785a82f4866d Mon Sep 17 00:00:00 2001
From: Nico Burniske
Date: Tue, 2 Dec 2025 07:19:28 -0500
Subject: [PATCH 1/7] reproducible update construction
---
 scripts/make_release_input_dir.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/make_release_input_dir.sh b/scripts/make_release_input_dir.sh
index 716149f..fd72862 100755
--- a/scripts/make_release_input_dir.sh
+++ b/scripts/make_release_input_dir.sh
@@ -71,7 +71,7 @@ fi
 cd "$KEYOS_DIR"
 info "generating firmware components in 'keyos'"
-cargo xtask build-all --dont-sign
+cargo xtask build --dont-sign --reproducible
 cd "$START_DIR"
From 66d27aec225c49b89ed8e4624af65ceb73994a23 Mon Sep 17 00:00:00 2001
From: Nico Burniske
Date: Tue, 2 Dec 2025 07:20:07 -0500
Subject: [PATCH 2/7] ensure keyos repo clean and add commit file
---
 scripts/make_release_input_dir.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/scripts/make_release_input_dir.sh b/scripts/make_release_input_dir.sh
index fd72862..2e858e2 100755
--- a/scripts/make_release_input_dir.sh
+++ b/scripts/make_release_input_dir.sh
@@ -70,6 +70,20 @@ fi
 cd "$KEYOS_DIR"
+info "checking 'keyos' git status"
+
+if [ ! -d .git ]; then
+ error "keyos directory at '$(pwd)' is not a git repository"
+ exit 1
+fi
+
+if [ -n "$(git status --porcelain)" ]; then
+ error "keyos repository at '$(pwd)' has uncommitted changes. Please commit or stash them before running this script."
+ exit 1
+fi
+
+KEYOS_COMMIT=$(git rev-parse HEAD)
+
 info "generating firmware components in 'keyos'"
 cargo xtask build --dont-sign --reproducible
@@ -78,6 +92,8 @@ cd "$START_DIR"
 info "preparing release input directory"
 mkdir "$FIRMWARE_VERSION"
+echo "$KEYOS_COMMIT" > "$FIRMWARE_VERSION/keyos-commit.txt"
+
 cp "$KEYOS_DIR/target/armv7a-unknown-xous-elf/release/images/app.bin" "$FIRMWARE_VERSION"
 cp -r "$KEYOS_DIR/target/armv7a-unknown-xous-elf/release/apps/" "$FIRMWARE_VERSION"
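Review bot: In PATCH 2/7 the cleanliness gate `[ -n "$(git status --porcelain)" ]` fails open: if `git status` itself errors out, the substitution is empty, its exit status is discarded, and the tree is treated as clean. Capture the output first, `git_status=$(git status --porcelain) || { error "git status failed in '$(pwd)'"; exit 1; }`, then test `[ -n "$git_status" ]`. The `[ ! -d .git ]` test also rejects a linked worktree or submodule checkout, where `.git` is a file; `git rev-parse --is-inside-work-tree` handles those. Separately, `--porcelain` does not list ignored files, so leftovers under `target/` (presumably ignored) are not covered by this check even though `release/apps/` is later copied wholesale; the recorded commit then only describes the tracked sources.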
From b36fcc00ecb7316532503e38fb948f26e004f1d2 Mon Sep 17 00:00:00 2001 From: Nico Burniske Date: Tue, 2 Dec 2025 07:33:47 -0500 Subject: [PATCH 3/7] move output artifacts into "updates" dir --- scripts/make_release.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/scripts/make_release.sh b/scripts/make_release.sh index c76202f..fcfe6d1 100755 --- a/scripts/make_release.sh +++ b/scripts/make_release.sh @@ -108,6 +108,8 @@ elif [ "$#" -ge 4 ] && [ "$4" = "--reboot-required" ]; then fi START_DIR=$(pwd) +OUTPUT_DIR="updates" +mkdir -p "$OUTPUT_DIR" info "checking required directories and tools" @@ -178,7 +180,7 @@ RELEASE_DATE=$(date +%Y-%m-%d) UPDATE_FILENAME="release-${OLD_VERSION}-${NEW_VERSION}.tar" SIGNATURE_FILENAME="release-${OLD_VERSION}-${NEW_VERSION}.tar.sig" -cat > "manifest-${OLD_VERSION}-${NEW_VERSION}.json" < "$OUTPUT_DIR/manifest-${OLD_VERSION}-${NEW_VERSION}.json" < "boot-$OLD_VERSION-$NEW_VERSION.img.gz" +gzip -c "$OUTPUT_DIR/boot-$OLD_VERSION-$NEW_VERSION.img" > "$OUTPUT_DIR/boot-$OLD_VERSION-$NEW_VERSION.img.gz" -mv release.tar "release-$OLD_VERSION-$NEW_VERSION.tar" +mv release.tar "$OUTPUT_DIR/release-$OLD_VERSION-$NEW_VERSION.tar" info "done" From b0e644a6a11a5967b0f552fabfd8ef4cb1b49655 Mon Sep 17 00:00:00 2001 From: Nico Burniske Date: Tue, 2 Dec 2025 07:49:02 -0500 Subject: [PATCH 4/7] commit file in root --- scripts/make_release_input_dir.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/make_release_input_dir.sh b/scripts/make_release_input_dir.sh index 2e858e2..2d8a684 100755 --- a/scripts/make_release_input_dir.sh +++ b/scripts/make_release_input_dir.sh 
@@ -92,7 +92,13 @@ cd "$START_DIR"
 info "preparing release input directory"
 mkdir "$FIRMWARE_VERSION"
-echo "$KEYOS_COMMIT" > "$FIRMWARE_VERSION/keyos-commit.txt"
+COMMITS_FILE="$START_DIR/keyos-commits.txt"
+if [ -f "$COMMITS_FILE" ]; then
+ tmp_file="${COMMITS_FILE}.tmp"
+ grep -v -F "$FIRMWARE_VERSION " "$COMMITS_FILE" > "$tmp_file" || true
+ mv "$tmp_file" "$COMMITS_FILE"
+fi
+echo "$FIRMWARE_VERSION $KEYOS_COMMIT" >> "$COMMITS_FILE"
 cp "$KEYOS_DIR/target/armv7a-unknown-xous-elf/release/images/app.bin" "$FIRMWARE_VERSION"
 cp -r "$KEYOS_DIR/target/armv7a-unknown-xous-elf/release/apps/" "$FIRMWARE_VERSION"
From 45c7cec9ebc2fcb77afa6fa5ea7a695d9cac131c Mon Sep 17 00:00:00 2001
From: Nico Burniske
Date: Tue, 2 Dec 2025 08:46:56 -0500
Subject: [PATCH 5/7] group update files in subdir
---
 scripts/make_release.sh | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/scripts/make_release.sh b/scripts/make_release.sh
index fcfe6d1..1f81b21 100755
--- a/scripts/make_release.sh
+++ b/scripts/make_release.sh
@@ -108,8 +108,8 @@ elif [ "$#" -ge 4 ] && [ "$4" = "--reboot-required" ]; then
 fi
 START_DIR=$(pwd)
-OUTPUT_DIR="updates"
-mkdir -p "$OUTPUT_DIR"
+OUTPUT_ROOT_DIR="updates"
+mkdir -p "$OUTPUT_ROOT_DIR"
 info "checking required directories and tools"
@@ -147,6 +147,9 @@ fi
 OLD_VERSION=${OLD_VERSION_DIR##*/}
 NEW_VERSION=${NEW_VERSION_DIR##*/}
+UPDATE_DIR="$OUTPUT_ROOT_DIR/${OLD_VERSION}-${NEW_VERSION}"
+mkdir -p "$UPDATE_DIR"
+
 # Strip the 'v'.
 OLD_VERSION_NO_V=${OLD_VERSION#v}
 NEW_VERSION_NO_V=${NEW_VERSION#v}
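Review bot: In PATCH 4/7, `grep -v -F "$FIRMWARE_VERSION " "$COMMITS_FILE" > "$tmp_file" || true` hides every grep failure, not only the expected exit status 1 when no lines remain, and the following `mv` then replaces keyos-commits.txt with whatever partial output was written. Since this file is the record tying each firmware version to a KeyOS commit, a read error should stop the script rather than silently truncate it. The fixed-string match is also unanchored, so it drops any line that merely contains the version followed by a space. Comparing the first field exactly avoids both problems: `awk -v v="$FIRMWARE_VERSION" '$1 != v' "$COMMITS_FILE" > "$tmp_file"`, with the `|| true` removed.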
@@ -177,10 +180,10 @@ SIGNED_SHA256=$(sha256sum ./release.tar | awk '{print $1}') info "generating @manifest.json" RELEASE_DATE=$(date +%Y-%m-%d) -UPDATE_FILENAME="release-${OLD_VERSION}-${NEW_VERSION}.tar" -SIGNATURE_FILENAME="release-${OLD_VERSION}-${NEW_VERSION}.tar.sig" +UPDATE_FILENAME="release.tar" +SIGNATURE_FILENAME="release.tar.sig" -cat > "$OUTPUT_DIR/manifest-${OLD_VERSION}-${NEW_VERSION}.json" < "$UPDATE_DIR/manifest.json" < "$OUTPUT_DIR/boot-$OLD_VERSION-$NEW_VERSION.img.gz" +gzip -c "$UPDATE_DIR/boot.img" > "$UPDATE_DIR/boot.img.gz" -mv release.tar "$OUTPUT_DIR/release-$OLD_VERSION-$NEW_VERSION.tar" +if [ -f release.tar.sig ]; then + mv release.tar.sig "$UPDATE_DIR/release.tar.sig" +fi +mv release.tar "$UPDATE_DIR/release.tar" info "done" From 7a5dd371b35fa6a31f950f669198f1dcc5950764 Mon Sep 17 00:00:00 2001 From: Nico Burniske Date: Thu, 11 Dec 2025 11:20:28 -0500 Subject: [PATCH 6/7] update nix flake --- flake.lock | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index a09b72c..3f863b4 100644 --- a/flake.lock +++ b/flake.lock @@ -28,11 +28,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1760007940, - "narHash": "sha256-Y9DWYZCSFCdPmgK9W9SkYrUreAV7+5y8RIzAO7eRhvA=", - "ref": "refs/heads/dev-v0.10.0", - "rev": "522f9548c77de5691eca3bd69ee177209b927f01", - "revCount": 13727, + "lastModified": 1765468009, + "narHash": "sha256-P3TSUFom4WpHuTuNvPiIn2Dz6Pg95PKs7qIJhkVfg8Q=", + "ref": "refs/heads/dev-v0.11.0", + "rev": "0dcb8add1fcc4a7f1eb1b4b00859cb6ad0eaf0a8", + "revCount": 14883, "type": "git", "url": "ssh://git@github.com/Foundation-Devices/KeyOS" }, From 3fde66b40a34f116dc2655fed8cc11a9cc89ae8e Mon Sep 17 00:00:00 2001 From: Nico Burniske Date: Mon, 22 Dec 2025 14:01:28 -0500 Subject: [PATCH 7/7] release-gen: include patch action size --- tools/release-gen/src/main.rs | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) 
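Review bot: In PATCH 5/7 (scripts/make_release.sh) the signature is moved only `if [ -f release.tar.sig ]`, while `$UPDATE_DIR` is created with `mkdir -p` and is therefore reused across runs for the same version pair. A run that produces no signature leaves any `release.tar.sig` from an earlier run sitting next to the new `release.tar`, and `SIGNATURE_FILENAME="release.tar.sig"` is set regardless; a stale `release.tar.sig` left in the working directory would likewise be picked up. Clearing the destination before the conditional move, `rm -f "$UPDATE_DIR/release.tar.sig"`, or failing when a signature is expected but absent, keeps the tarball and its signature from drifting apart. The step that produces `release.tar.sig` is outside these hunks, so confirm whether an unsigned run is a supported case.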
diff --git a/tools/release-gen/src/main.rs b/tools/release-gen/src/main.rs
index 32f5585..982cc8f 100644
--- a/tools/release-gen/src/main.rs
+++ b/tools/release-gen/src/main.rs
@@ -169,6 +169,11 @@ Please make sure it's in your PATH or specify the path where it is installed. Se
 String::from_utf8_lossy(&output.stderr)
 );
+ let patch_metadata = fs::metadata(&patch_file).with_context(|| {
+ format!("Reading patch file metadata: {}", abs_path(&patch_file))
+ })?;
+ let patch_size = patch_metadata.len();
+
 let file = base_file.to_str().expect(PATH_TO_STR_ERROR).to_string();
 actions.push(Action::Patch {
@@ -177,7 +182,11 @@ Please make sure it's in your PATH or specify the path where it is installed. Se
 base_version: args.base_version.clone(),
 new_version: args.new_version.clone(),
 });
- println!("[INFO] action/patch: {}", base_file.display());
+ println!(
+ "[INFO] action/patch ({}): {}",
+ format_size(patch_size),
+ base_file.display(),
+ );
 }
 }
 }
@@ -343,3 +352,16 @@ fn abs_path>(path: P) -> impl Display {
 .to_string_lossy()
 .to_string()
 }
+
+fn format_size(bytes: u64) -> String {
+ const KB: u64 = 1024;
+ const MB: u64 = KB * 1024;
+
+ if bytes >= MB {
+ format!("{:.2} MB", bytes as f64 / MB as f64)
+ } else if bytes >= KB {
+ format!("{:.0} KB", bytes as f64 / KB as f64)
+ } else {
+ format!("{bytes} B")
+ }
+}
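Review bot: `format_size` can print `1024 KB`: for byte counts just below `MB` the KB branch is taken and `{:.0}` rounds 1023.99… up. Integer division avoids that, `format!("{} KB", bytes / KB)`, at the cost of truncating instead of rounding. The constants are 1024-based, so `KiB`/`MiB` would be the accurate labels, and a one-line doc comment such as `/// Formats a byte count for log output using 1024-based units.` would record that. In these hunks `patch_size` only reaches the `[INFO]` line and no field is added to `Action::Patch`; if the subject line meant recording the size in the action itself, that part is missing.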