Security

yonaries edited this page Mar 7, 2026 · 1 revision

The full security guide lives in the repository:

Key Rules

  • Never commit private keys or secrets
  • ora_public_key.pem is public and safe to commit
  • Private signing material belongs in .env and must stay out of git
  • Treat release signing as part of the trusted build pipeline

Security Checks

Before releasing or committing sensitive changes:

  • inspect git status
  • verify .env is still ignored
  • confirm no private key material is staged

If private key material appears in git status, stop and fix that before doing anything else.
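
The three checks above as one shell function. This is an added example, not the project's own tooling; the names `check_release_tree` and `has_private_key` and the PEM-header pattern are choices made here, and it assumes it is run from the repository root.

```shell
#!/bin/sh
# Added example (not the project's script). Run from the repository root.
# Assumes file names contain no newlines or quote characters.

# PEM header of any private key type: PKCS#8, RSA, EC, OPENSSH, ENCRYPTED.
KEY_RE='-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'

# Reads stdin; succeeds if it contains a private key header.
has_private_key() {
    grep -Eq -e "$KEY_RE"
}

# Returns 0 when the tree is safe to commit or release, 1 otherwise.
check_release_tree() {
    rc=0

    # 1. Inspect git status.
    git status --short

    # 2. .env must be ignored. check-ignore also fails when .env is already
    #    tracked, because tracked files are not subject to ignore rules.
    if ! git check-ignore -q .env; then
        echo "FAIL: .env is not ignored, or is already tracked" >&2
        rc=1
    fi

    # 3. Scan the staged content (index blob, not the working copy) of
    #    every added, copied, modified or renamed path.
    staged=$(git -c core.quotePath=false diff --cached --name-only --diff-filter=ACMR)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if git show ":$path" | has_private_key; then
            echo "FAIL: private key material staged in $path" >&2
            rc=1
        fi
    done <<EOF
$staged
EOF
    return "$rc"
}
```

Calling `check_release_tree || exit 1` from `.git/hooks/pre-commit` blocks the commit whenever a check fails.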

Related
