Security

Threat model · v1.0 · 2026-05-09

This page is the short version. The exhaustive document lives in SECURITY.md in the repository, alongside the audit log of cryptographic decisions.

What zz-drop protects

What zz-drop does not protect — yet

Out of scope

Verifying release artifacts

Every release artifact on GitHub — per-platform tarballs and the zz-drop-installer.sh shell installer — is signed with minisign. Each artifact ships alongside a matching .minisig signature file. Verify before installing:

BASE=https://github.com/zz-drop/zz-drop/releases/latest/download
curl -fsSLO $BASE/zz-drop-installer.sh
curl -fsSLO $BASE/zz-drop-installer.sh.minisig
minisign -Vm zz-drop-installer.sh -P RWQIGvqA37VpcZcJanzhRYdOzbcQAl4jAVcBIBRQ5WmjEHcZBZbiRSyA
sh zz-drop-installer.sh

The same public key signs the per-platform tarballs (zz-drop-aarch64-apple-darwin.tar.xz, etc.). The canonical copy of the key lives in the repository as release-key.pub.

Public key

untrusted comment: minisign public key 7169B5DF80FA1A08 RWQIGvqA37VpcZcJanzhRYdOzbcQAl4jAVcBIBRQ5WmjEHcZBZbiRSyA

The same key signs every release tarball and the shell installer. Key rotation, if it ever happens, will be announced via a signed advisory in the repository and a new key published here with a 30-day overlap.

Reporting a vulnerability

Email security@zz-drop.net. PGP fingerprint and disclosure window are in SECURITY.md. We aim to acknowledge within 72 hours and ship a fix within 30 days for severity high or critical.