From 0c0fb4fed632bc5548f3c50e9019f8eac9e4d48a Mon Sep 17 00:00:00 2001 From: Robin Krahl Date: Fri, 20 Mar 2026 16:12:25 +0100 Subject: [PATCH 1/2] Add trusted publishing --- .github/workflows/cd-test.yml | 29 ++++++++++++ .github/workflows/cd.yml | 88 +++++++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+) create mode 100644 .github/workflows/cd-test.yml create mode 100644 .github/workflows/cd.yml diff --git a/.github/workflows/cd-test.yml b/.github/workflows/cd-test.yml new file mode 100644 index 0000000..3580992 --- /dev/null +++ b/.github/workflows/cd-test.yml 
@@ -0,0 +1,29 @@
+# Copyright (C) Nitrokey GmbH
+# SPDX-License-Identifier: CC0-1.0
+
+name: Continuous delivery - test
+
+on:
+ pull_request:
+ # opened, reopenened, synchronize are the default types for pull_request
+ # labeled, unlabeled ensure this check is also run if a label is added or removed
+ types: [opened, reopened, synchronize, labeled, unlabeled]
+
+jobs:
+ test-publish:
+ runs-on: ubuntu-latest
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check') }}
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - run: cargo publish --dry-run --package trussed-chunked
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check-trussed-chunked') }}
+ - run: cargo publish --dry-run --package trussed-fs-info
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check-trussed-fs-info') }}
+ - run: cargo publish --dry-run --package trussed-hkdf
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check-trussed-hkdf') }}
+ - run: cargo publish --dry-run --package trussed-hpke
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check-trussed-hpke') }}
+ - run: cargo publish --dry-run --package trussed-manage
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check-trussed-manage') }}
+ - run: cargo publish --dry-run --package trussed-wrap-key-to-file
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check-trussed-wrap-key-to-file') }}
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
new file mode 100644
index 0000000..83855fb
--- /dev/null
+++ b/.github/workflows/cd.yml
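Review bot: The `test-publish` job declares no `permissions:` block, so its GITHUB_TOKEN receives the repository's default token scopes although `cargo publish --dry-run` only needs to read the checkout; add `permissions:` / `contents: read` at the job or workflow level so the PR-triggered job runs with least privilege, the way the cd.yml jobs in this same patch already restrict theirs. The `skip-publish-check*` labels let anyone who can label the pull request bypass the check, which is presumably intended, but a one-line comment saying who is expected to apply them would make that explicit. The comment `# opened, reopenened, synchronize ...` also has a typo and should read `reopened`.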
@@ -0,0 +1,88 @@
+# Copyright (C) Nitrokey GmbH
+# SPDX-License-Identifier: CC0-1.0
+
+name: Continuous delivery - crates.io
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ publish-trussed-chunked:
+ runs-on: ubuntu-latest
+ if: ${{ startsWith(github.event.release.tag_name, 'chunked-') }}
+ environment: crates.io
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
+ id: auth
+ - run: cargo publish --package trussed-chunked
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+ publish-trussed-fs-info:
+ runs-on: ubuntu-latest
+ if: ${{ startsWith(github.event.release.tag_name, 'fs-info-') }}
+ environment: crates.io
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
+ id: auth
+ - run: cargo publish --package trussed-fs-info
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+ publish-trussed-hkdf:
+ runs-on: ubuntu-latest
+ if: ${{ startsWith(github.event.release.tag_name, 'hkdf-') }}
+ environment: crates.io
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
+ id: auth
+ - run: cargo publish --package trussed-hkdf
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+ publish-trussed-hpke:
+ runs-on: ubuntu-latest
+ if: ${{ startsWith(github.event.release.tag_name, 'hpke-') }}
+ environment: crates.io
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
+ id: auth
+ - run: cargo publish --package 
trussed-hpke + env: + CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} + publish-trussed-manage: + runs-on: ubuntu-latest + if: ${{ startsWith(github.event.release.tag_name, 'manage-') }} + environment: crates.io + permissions: + id-token: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3 + id: auth + - run: cargo publish --package trussed-manage + env: + CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} + publish-trussed-wrap-key-to-file: + runs-on: ubuntu-latest + if: ${{ startsWith(github.event.release.tag_name, 'wrap-key-to-file-') }} + environment: crates.io + permissions: + id-token: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3 + id: auth + - run: cargo publish --package trussed-wrap-key-to-file + env: + CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} From 7e82a4fb11d4ea595b680a9d25b1a807a479d7ae Mon Sep 17 00:00:00 2001 From: Robin Krahl Date: Mon, 23 Mar 2026 13:41:45 +0100 Subject: [PATCH 2/2] Remove unused associated constant Aead::AEAD_ID in normal builds This fixes a new compiler warning. --- src/hpke.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/hpke.rs b/src/hpke.rs index 7d61ad5..d1bca6d 100644 --- a/src/hpke.rs +++ b/src/hpke.rs @@ -122,11 +122,13 @@ trait Aead: TagSize = ::TagSize, > { + #[cfg(test)] const AEAD_ID: u16; const X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID: &'static [u8]; } impl Aead for ChaCha20Poly1305 { + #[cfg(test)] const AEAD_ID: u16 = 0x0003; const X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID: &'static [u8] = X25519_HKDF_SHA256_CHACHA20_POLY1305_HPKE_SUITE_ID; 
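Review bot: Each publish job picks the crate purely from the tag prefix (`startsWith(github.event.release.tag_name, 'chunked-')` and its siblings), but nothing checks that the version in the tag equals the version in that package's Cargo.toml, so a release tagged `chunked-1.2.0` on a commit whose manifest still says 1.1.0 would publish whatever the manifest contains; a guard step before `cargo publish` closes that gap (assuming tags are `<prefix><semver>`, which the prefixes suggest but the patch does not state). The `permissions:` block grants only `id-token: write`, which sets every other scope to none; checkout still works for a public repository, but `contents: read` should be declared explicitly so the intent is documented and the job does not break if visibility changes. Because the workflow accepts any published release, the deployment-protection rules on the `crates.io` environment (required reviewers and/or a tag pattern) are what actually gate publishing — that configuration is not visible here and should be confirmed. The sketch below shows the guard for one crate, with the tag passed through an environment variable rather than interpolated into the script body; `jq` is preinstalled on the GitHub-hosted Ubuntu runners.
```yaml
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check that the release tag matches the manifest version
        env:
          TAG: ${{ github.event.release.tag_name }}
        run: |
          version="$(cargo metadata --no-deps --format-version 1 \
            | jq -r '.packages[] | select(.name == "trussed-chunked") | .version')"
          test "${TAG#chunked-}" = "$version" \
            || { echo "tag $TAG does not match manifest version $version" >&2; exit 1; }
      # … unchanged: crates-io-auth-action step and cargo publish step …
```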
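Review bot: Gating `AEAD_ID` behind `#[cfg(test)]` means the numeric AEAD identifier and the hard-coded suite-ID byte string (`X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID`) are no longer both present in non-test builds, so whatever cross-check the tests perform is now the only thing keeping the tail of the suite ID in sync with the constant — the ChaCha8 suite ID in the next hunk visibly ends in `\xFF\xFE`, i.e. its `AEAD_ID`. If the tests do not assert that relationship, they should, and the trait should say so, e.g. `/// Only compiled for tests, which check that the suite ID ends in this value.` above `const AEAD_ID: u16;`. An alternative that keeps the invariant visible in every build is to leave the constant ungated with `#[allow(dead_code)]`, or to assemble the suite ID from the component IDs at compile time, though the latter is a larger change than this warning fix. The `trait Aead` header precedes this hunk and the `impl Aead for ChaCha20Poly1305` block closes after it.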
@@ -134,6 +136,7 @@ impl Aead for ChaCha20Poly1305 { impl Aead for ChaCha8Poly1305 { /// Custom non-standard Id + #[cfg(test)] const AEAD_ID: u16 = 0xFFFE; const X25519_HKDF_SHA256_SELF_HPKE_SUITE_ID: &'static [u8] = b"HPKE\x00\x20\x00\x01\xFF\xFE"; }
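Review bot: The doc comment `/// Custom non-standard Id` on `AEAD_ID` does not say what the value has to agree with, yet the suite-ID literal two lines below hard-codes the same value as its last two bytes (`b"HPKE\x00\x20\x00\x01\xFF\xFE"`); with the constant now compiled only under `#[cfg(test)]`, a maintainer editing the release-build literal has nothing nearby telling them to keep the two in sync. Suggest `/// Non-standard AEAD ID for ChaCha8-Poly1305 (no IANA HPKE registration); only compiled for tests, and the trailing two bytes of the suite ID below must match it.`, adjusting the last clause to whatever the test actually asserts, which is not visible here.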