From 4f9a9abe17526fcce0385c885a8a0e8d7efe0010 Mon Sep 17 00:00:00 2001 From: David Abutbul Date: Mon, 16 Feb 2026 14:44:23 +0200 Subject: [PATCH] chore(changelog): update to version 0.1.1 and enhance signing key drift control documentation --- skills/clawsec-suite/CHANGELOG.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/skills/clawsec-suite/CHANGELOG.md b/skills/clawsec-suite/CHANGELOG.md index 596a467..143c9c9 100644 --- a/skills/clawsec-suite/CHANGELOG.md +++ b/skills/clawsec-suite/CHANGELOG.md @@ -7,7 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -## [0.1.0] - 2026-02-16 +## [0.1.1] - 2026-02-16 ### Added - Added `scripts/discover_skill_catalog.mjs` to dynamically discover installable skills from `https://clawsec.prompt.security/skills/index.json`. 
@@ -21,13 +21,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Kept `openclaw-audit-watchdog` as a standalone skill (not embedded in `clawsec-suite`). ### Security -- Enforced signing key consistency checks in CI workflows: - - `.github/workflows/skill-release.yml` - - `.github/workflows/deploy-pages.yml` -- Added workflow checks that fail when generated public key fingerprints diverge from canonical repo signing key material. +- **Signing key drift control**: CI now enforces that all public key references (inline SKILL.md PEM, canonical `.pem` files, workflow-generated keys) resolve to the same fingerprint. Prevents stale, fabricated, or rotated-but-not-propagated key material from reaching releases. + - Enforced in: `.github/workflows/skill-release.yml`, `.github/workflows/deploy-pages.yml` + - Guard script: `scripts/ci/verify_signing_key_consistency.sh` ### Fixed -- Corrected release verification documentation mismatches (`checksums.sig` naming and pinned release key fingerprint). +- **Fixed fabricated signing key in SKILL.md**: The manual installation script contained a hallucinated Ed25519 public key and fingerprint (`35866e1b...`) that never corresponded to the actual release signing key. Replaced with the real public key derived from the GitHub-secret-held private key. The bogus key was introduced in v0.0.10 (`Integration/signing work #20`) and went undetected because no consistency check existed at the time. +- Corrected `checksums.sig` naming in release verification documentation. ## [0.0.10] - 2026-02-11
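Review bot: In the first hunk (`@@ -7,7 +7,7 @@`), the existing `## [0.1.0] - 2026-02-16` heading is renamed in place to `## [0.1.1] - 2026-02-16` rather than a new section being added, so the `0.1.0` entry disappears from the changelog and its "Added" and "Security" items are silently reattributed to `0.1.1`. If `0.1.0` was already tagged or published, keep its section and add a separate `## [0.1.1] - 2026-02-16` section listing only what changed between the two; if `0.1.0` was never released, say so in the commit message so the rename is understood as a correction rather than a history rewrite.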
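Review bot: In the second hunk (`@@ -21,13 +21,13 @@`), the new "Fixed" entry describes replacing a fabricated Ed25519 public key and fingerprint (`35866e1b...`) in SKILL.md, but this patch touches only `skills/clawsec-suite/CHANGELOG.md` (`1 file changed`), so the changelog asserts a fix that is not in this commit and gives a reader no way to locate it. Reference the commit or PR that actually replaced the key, and, since the entry tells users the old fingerprint was bogus, state the correct pinned fingerprint (or point at the canonical `.pem` path that `scripts/ci/verify_signing_key_consistency.sh` checks) so that anyone still holding `35866e1b...` can verify what they should trust instead. Minor: the "Security" entry says the guard "prevents stale, fabricated, or rotated-but-not-propagated key material from reaching releases", but a consistency check only detects divergence among the listed sources; it cannot tell that a set of mutually consistent keys is the genuine release key, so "detects" is the more accurate verb than "prevents".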