Skip to main content
This security guide covers update key management and security best practices for Ora Browser developers and contributors.

Update Key Management

Ora Browser uses Ed25519 cryptographic keys to sign and verify app updates for security.

Public Key (Committed to Git)

ora_public_key.pem

Purpose: Verifies update signatures in the appStatus: Committed to git repositorySafety: Public keys are safe to share

Private Key (Never Commit!)

.env

Contains: ORA_PRIVATE_KEYPurpose: Signs app updates during releaseStatus: Never committed to git (protected by .gitignore)Safety: Keep secure and private at all times

Setup Process

1

First Machine

Keys are automatically generated and saved appropriately when you run the setup script.
2

Additional Machines

Copy the .env file from your first machine securely (never commit it to version control).
3

Release Process

The ./scripts/create-release.sh script handles key management automatically.

Security Notes

Critical Security Requirements:
  • .env is in .gitignore - it will never be committed
  • Public key is committed - this is safe and required
  • Never share your private key with anyone
  • If private key is lost, you’ll need to regenerate keys (breaks update chain)

Security Checks

Run the security check script to verify your configuration: 
./scripts/check-security.sh
This script verifies:
  • Private key exists but is not tracked by git
  • Public key is available for app integration
  • .gitignore properly excludes sensitive files

Security Best Practices

NEVER commit private keys to version controlNEVER share private keys with anyoneNEVER delete private keys once you’ve published releases (breaks update chain)Use secure methods to transfer keys between machines (encrypted USB drives, secure password managers, etc.)
Regularly audit what’s in your git staging area before committing:
git status
git diff --staged
Ensure no sensitive files appear in git status before running git commit.
When contributing:
  • Be mindful of user privacy and data handling
  • Never log sensitive user data
  • Follow secure coding practices for web content handling
  • Assume all user data is sensitive
  • Keep dependencies up to date
  • Review security advisories for Swift packages
  • Use proper input validation
  • Sanitize data before display
  • Follow WebKit security best practices

Security Violations

Stop immediately if you see any of these:
  • Private key files appear in git status
  • Private keys are committed to repository
  • Private keys are shared or transmitted insecurely
  • .env file is tracked by git
If you accidentally commit sensitive data:
1

Stop

Do not push the commit if it hasn’t been pushed yet.
2

Remove

Use git reset or git rebase to remove the commit from history.
3

Rotate Keys

If the commit was pushed, you must rotate the compromised keys immediately.
4

Notify

Contact maintainers on Discord to report the security incident.

Reporting Security Vulnerabilities

If you discover a security vulnerability in Ora Browser:

Responsible Disclosure

  1. Do not open a public GitHub issue
  2. Contact maintainers privately on Discord
  3. Provide details about the vulnerability
  4. Allow time for the team to address the issue before public disclosure
We take security seriously and appreciate responsible disclosure of vulnerabilities.

Additional Resources

Contributing Guide

Development setup and contribution guidelines

GitHub Wiki

Comprehensive project documentation
For questions about security practices, join our Discord community or review the source code on GitHub.

Build docs developers (and LLMs) love

Get started for freeTalk to us