WithAutonomi · jacderida · Mar 31, 2026 · Mar 30, 2026
diff --git a/.github/workflows/ant-cli-release.yml b/.github/workflows/ant-cli-release.yml
@@ -41,21 +41,25 @@ jobs:
         with:
           targets: ${{ matrix.target }}
 
-      - name: install cross-compilation tools
+      - name: install cross
         if: matrix.target == 'aarch64-unknown-linux-musl'
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y musl-tools gcc-aarch64-linux-gnu
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=aarch64-linux-gnu-gcc" >> $GITHUB_ENV
+        run: cargo install cross --git https://github.com/cross-rs/cross
 
       - name: install musl tools
         if: matrix.target == 'x86_64-unknown-linux-musl'
         run: |
           sudo apt-get update
           sudo apt-get install -y musl-tools
+          echo "CC_x86_64_unknown_linux_musl=musl-gcc" >> $GITHUB_ENV
 
       - name: build
-        run: cargo build --release --target ${{ matrix.target }} --bin ant
+        shell: bash
+        run: |
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
+            cross build --release --target ${{ matrix.target }} --bin ant
+          else
+            cargo build --release --target ${{ matrix.target }} --bin ant
+          fi
 
       - name: determine version
         id: version
@@ -206,9 +210,79 @@ jobs:
           path: ${{ github.workspace }}\smctl-signing.log
           if-no-files-found: ignore
 
+  sign-releases:
+    name: sign release artifacts
+    runs-on: ubuntu-latest
+    needs: [build, sign-windows]
+    steps:
+      - name: download all build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+          merge-multiple: true
+
+      - name: download signed windows artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ant-x86_64-pc-windows-msvc-signed
+          path: artifacts-signed-win
+
+      - name: replace windows archive with signed version
+        run: |
+          rm -f artifacts/ant-*-x86_64-pc-windows-msvc.zip
+          cp artifacts-signed-win/*.zip artifacts/
+
+      - name: download ant-keygen
+        run: |
+          gh release download --repo WithAutonomi/ant-keygen --pattern 'ant-keygen-linux-x64.tar.gz' --dir /tmp
+          tar -xzf /tmp/ant-keygen-linux-x64.tar.gz -C /tmp
+          chmod +x /tmp/ant-keygen
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: decode signing key
+        run: |
+          echo "${{ secrets.ANT_SIGNING_KEY }}" | xxd -r -p > /tmp/signing-key.secret
+          chmod 600 /tmp/signing-key.secret
+
+      - name: sign all release files
+        run: |
+          for file in artifacts/ant-*.tar.gz artifacts/ant-*.zip; do
+            if [ -f "$file" ]; then
+              echo "Signing $file..."
+              /tmp/ant-keygen sign \
+                --key /tmp/signing-key.secret \
+                --input "$file" \
+                --output "${file}.sig" \
+                --context "ant-release-v1"
+            fi
+          done
+
+      - name: clean up signing key
+        if: always()
+        run: shred -u /tmp/signing-key.secret 2>/dev/null || rm -f /tmp/signing-key.secret
+
+      - name: generate checksums
+        run: |
+          cd artifacts
+          files=$(ls ant-*.tar.gz ant-*.zip ant-*.sig 2>/dev/null)
+          if [ -z "$files" ]; then
+            echo "ERROR: No release artifacts found to checksum"
+            exit 1
+          fi
+          sha256sum $files > SHA256SUMS.txt
+          cat SHA256SUMS.txt
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: signed-releases
+          path: artifacts/*
+          retention-days: 1
+
   publish-crate:
     name: publish ant-core to crates.io
     runs-on: ubuntu-latest
+    if: ${{ !contains(github.ref_name, '-rc.') }}
     steps:
       - uses: actions/checkout@v4
 
@@ -223,7 +297,8 @@ jobs:
   release:
     name: create github release
     runs-on: ubuntu-latest
-    needs: [build, sign-windows, publish-crate]
+    needs: [sign-releases, publish-crate]
+    if: ${{ !cancelled() && needs.sign-releases.result == 'success' }}
     steps:
       - uses: actions/checkout@v4
 
@@ -243,23 +318,7 @@ jobs:
 
       - uses: actions/download-artifact@v4
         with:
-          name: ant-x86_64-unknown-linux-musl
-          path: assets/
-      - uses: actions/download-artifact@v4
-        with:
-          name: ant-aarch64-unknown-linux-musl
-          path: assets/
-      - uses: actions/download-artifact@v4
-        with:
-          name: ant-x86_64-apple-darwin
-          path: assets/
-      - uses: actions/download-artifact@v4
-        with:
-          name: ant-aarch64-apple-darwin
-          path: assets/
-      - uses: actions/download-artifact@v4
-        with:
-          name: ant-x86_64-pc-windows-msvc-signed
+          name: signed-releases
           path: assets/
 
       - name: extract changelog entry
@@ -284,6 +343,12 @@ jobs:
           curl -fsSL https://raw.githubusercontent.com/WithAutonomi/ant-client/main/install.sh | bash
           ```
 
+          ### Windows (quick-start)
+
+          ```powershell
+          irm https://raw.githubusercontent.com/WithAutonomi/ant-client/main/install.ps1 | iex
+          ```
+
           ### Manual download
 
           Download the archive for your platform from the assets below, extract it, and place the `ant` binary on your `PATH`. Copy `bootstrap_peers.toml` to the appropriate config directory:
@@ -294,12 +359,18 @@ jobs:
           | macOS | `~/Library/Application Support/ant/bootstrap_peers.toml` |
           | Windows | `%APPDATA%\ant\bootstrap_peers.toml` |
 
-          ### Windows (winget)
+          ## Verification
 
-          ```powershell
-          winget install Autonomi.ant
+          All release archives are signed with ML-DSA-65 (FIPS 204) post-quantum signatures. Download `ant-keygen` from [WithAutonomi/ant-keygen](https://github.com/WithAutonomi/ant-keygen/releases) and the public key from [`resources/release-signing-key.pub`](https://raw.githubusercontent.com/WithAutonomi/ant-client/main/resources/release-signing-key.pub), then verify:
+
+          ```bash
+          ant-keygen verify --key release-signing-key.pub --input <file> --signature <file>.sig --context ant-release-v1
           ```
 
+          The Windows binary (`ant.exe`) is additionally signed with a DigiCert EV code-signing certificate. Windows will verify this signature automatically on download and execution.
+
+          SHA256 checksums provided in `SHA256SUMS.txt`.
+
           HEADER
 
           echo "## Detailed Changes" >> /tmp/release_body.md
@@ -320,4 +391,7 @@ jobs:
             --title "ant ${{ steps.meta.outputs.version }}" \
             --notes-file /tmp/release_body.md \
             $prerelease_flag \
-            assets/*
+            assets/*.tar.gz \
+            assets/*.zip \
+            assets/*.sig \
+            assets/SHA256SUMS.txt
diff --git a/.github/workflows/install-test.yml b/.github/workflows/install-test.yml
@@ -65,69 +65,33 @@ jobs:
           echo "Bootstrap config installed at $config_file"
           cat "$config_file"
 
-  test-winget-manifest:
-    name: validate winget manifest
+  test-install-script-windows:
+    name: test install.ps1 (Windows)
     runs-on: windows-latest
     steps:
       - uses: actions/checkout@v4
 
-      - name: install wingetcreate
+      - name: run install script
         shell: pwsh
-        run: |
-          winget install wingetcreate --accept-source-agreements --accept-package-agreements
-        continue-on-error: true
+        env:
+          ANT_VERSION: ${{ inputs.version }}
+          INSTALL_DIR: ${{ runner.temp }}\ant\bin
+        run: . .\install.ps1
 
-      - name: generate and validate manifest
+      - name: verify binary
         shell: pwsh
         run: |
-          $version = "${{ inputs.version }}"
-          $url = "https://github.com/WithAutonomi/ant-client/releases/download/ant-cli-v${version}/ant-${version}-x86_64-pc-windows-msvc.zip"
-
-          # Download and hash
-          $tempFile = [System.IO.Path]::GetTempFileName()
-          try {
-            Invoke-WebRequest -Uri $url -OutFile $tempFile
-            $hash = (Get-FileHash -Path $tempFile -Algorithm SHA256).Hash
-            Write-Host "SHA256: $hash"
-          } finally {
-            Remove-Item $tempFile -ErrorAction SilentlyContinue
-          }
-
-          # Substitute template
-          $template = Get-Content "resources\winget\Autonomi.ant.yaml" -Raw
-          $manifest = $template `
-            -replace '\$\{VERSION\}', $version `
-            -replace '\$\{SHA256\}', $hash
-          $manifest | Set-Content "winget\Autonomi.ant.installer.yaml" -Encoding UTF8
-
-          Write-Host "Generated manifest:"
-          Get-Content "winget\Autonomi.ant.installer.yaml"
+          $env:Path = "${{ runner.temp }}\ant\bin;$env:Path"
+          ant --help
+          Write-Host "Binary runs successfully"
 
-      - name: test download and extract
+      - name: verify bootstrap config
         shell: pwsh
         run: |
-          $version = "${{ inputs.version }}"
-          $url = "https://github.com/WithAutonomi/ant-client/releases/download/ant-cli-v${version}/ant-${version}-x86_64-pc-windows-msvc.zip"
-          $tempDir = Join-Path $env:RUNNER_TEMP "ant-test"
-          New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
-
-          Invoke-WebRequest -Uri $url -OutFile "$tempDir\ant.zip"
-          Expand-Archive "$tempDir\ant.zip" -DestinationPath $tempDir
-
-          $antExe = Get-ChildItem -Path $tempDir -Recurse -Filter "ant.exe" | Select-Object -First 1
-          if (-not $antExe) {
-            Write-Error "ant.exe not found in archive"
-            exit 1
-          }
-
-          & $antExe.FullName --help
-          Write-Host "Windows binary runs successfully"
-
-          # Check bootstrap config is in archive
-          $config = Get-ChildItem -Path $tempDir -Recurse -Filter "bootstrap_peers.toml" | Select-Object -First 1
-          if (-not $config) {
-            Write-Error "bootstrap_peers.toml not found in archive"
+          $configFile = Join-Path $env:APPDATA "ant\bootstrap_peers.toml"
+          if (-not (Test-Path $configFile)) {
+            Write-Error "bootstrap_peers.toml not found at $configFile"
             exit 1
           }
-          Write-Host "Bootstrap config found in archive"
-          Get-Content $config.FullName
+          Write-Host "Bootstrap config installed at $configFile"
+          Get-Content $configFile
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -13,8 +13,16 @@ Data on Autonomi is **content-addressed**. Files are split into encrypted chunks
 
 ## Installation
 
+### Linux / macOS
+
 ```bash
-cargo install --path ant-cli
+curl -fsSL https://raw.githubusercontent.com/WithAutonomi/ant-client/main/install.sh | bash
+```
+
+### Windows
+
+```powershell
+irm https://raw.githubusercontent.com/WithAutonomi/ant-client/main/install.ps1 | iex
 ```
 
 ## Quick Start

diff --git a/ant-core/Cargo.toml b/ant-core/Cargo.toml
@@ -44,6 +44,10 @@ tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 
 [target.'cfg(unix)'.dependencies]
 libc = "0.2"
+# Vendored OpenSSL ensures openssl-sys links statically for musl targets.
+# Without this, the musl CI builds fail because the runners lack musl-compatible
+# OpenSSL dev libraries. Not needed on Windows (uses schannel via native-tls).
+openssl = { version = "0.10", features = ["vendored"] }
 
 [target.'cfg(windows)'.dependencies]
 windows-sys = { version = "0.61", features = ["Win32_Foundation", "Win32_System_Console", "Win32_System_Threading"] }