feat(updater): in-app dragonxd updater + browse-all-releases

Add a full-node daemon updater (util/DaemonUpdater + daemon_download_dialog)
reachable from Settings -> NODE & SECURITY: downloads/verifies (SHA-256 +
enforced ed25519 signature) and atomically installs the latest dragonxd from
the project Gitea, with a "Restart daemon now" step. Add a shared "Browse all
releases..." picker (release_list_view) to both the miner and daemon updaters
so users can pin older/pre-release builds. Pure no-I/O cores
(daemon_updater_core / xmrig_updater_core) are unit-tested; sign-daemon-release.sh
signs release archives offline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

scripts/sign-daemon-release.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# Sign dragonx full-node release archives for the wallet's in-app daemon updater (ed25519).
+#
+# The wallet verifies a detached ed25519 signature over the EXACT archive bytes against a public
+# key pinned in src/util/daemon_updater.h (kDaemonSignaturePublicKeyBase64). Verification is
+# MANDATORY (kDaemonRequireSignature = true): an in-app update is refused unless a valid signature
+# is published. For each archive <name>.zip this produces <name>.zip.sig holding the base64 of the
+# raw 64-byte ed25519 signature — upload that .sig next to the .zip as a release asset.
+#
+# Uses OpenSSL (>= 1.1.1) only — no Python/PyNaCl needed. OpenSSL's ed25519 is PureEdDSA (RFC 8032),
+# the same primitive libsodium's crypto_sign_verify_detached checks, so signatures are compatible
+# (the same flow the wallet's unit tests verify for the miner updater).
+#
+# Usage:
+#   scripts/sign-daemon-release.sh keygen [out-prefix]        # -> <prefix>.ed25519.{key,pub.b64}
+#   scripts/sign-daemon-release.sh pubkey <secret.key>        # print the base64 public key to pin
+#   scripts/sign-daemon-release.sh sign <secret.key> <file>...# -> <file>.sig per file
+#
+# Keep the secret key (.ed25519.key) OFFLINE. Paste the base64 public key into
+# kDaemonSignaturePublicKeyBase64 in src/util/daemon_updater.h.
+
+set -euo pipefail
+die() { echo "error: $*" >&2; exit 1; }
+command -v openssl >/dev/null || die "openssl not found (need >= 1.1.1 with ed25519)"
+
+# Raw 32-byte ed25519 public key (base64) from a private key file. The DER SubjectPublicKeyInfo for
+# ed25519 is a fixed 12-byte prefix + the 32-byte key, so the trailing 32 bytes are the raw key.
+pubkey_b64() { openssl pkey -in "$1" -pubout -outform DER | tail -c 32 | openssl base64 -A; }
+
+cmd="${1:-}"; shift || true
+case "$cmd" in
+  keygen)
+    prefix="${1:-dragonx-daemon}"
+    [ -e "$prefix.ed25519.key" ] && die "$prefix.ed25519.key already exists — refusing to overwrite"
+    openssl genpkey -algorithm ed25519 -out "$prefix.ed25519.key"
+    chmod 600 "$prefix.ed25519.key"
+    pub="$(pubkey_b64 "$prefix.ed25519.key")"
+    printf '%s\n' "$pub" > "$prefix.ed25519.pub.b64"
+    echo "secret key : $prefix.ed25519.key   (KEEP OFFLINE, mode 600)"
+    echo "public key : $prefix.ed25519.pub.b64"
+    echo
+    echo "Pin this in src/util/daemon_updater.h (kDaemonSignaturePublicKeyBase64):"
+    echo "  $pub"
+    ;;
+  pubkey)
+    [ $# -ge 1 ] || die "usage: pubkey <secret.key>"
+    pubkey_b64 "$1"
+    ;;
+  sign)
+    [ $# -ge 2 ] || die "usage: sign <secret.key> <file>..."
+    key="$1"; shift
+    [ -f "$key" ] || die "no such key: $key"
+    for f in "$@"; do
+      [ -f "$f" ] || die "no such file: $f"
+      raw="$(mktemp)"
+      openssl pkeyutl -sign -inkey "$key" -rawin -in "$f" -out "$raw"
+      openssl base64 -A -in "$raw" > "$f.sig"
+      printf '\n' >> "$f.sig"
+      rm -f "$raw"
+      echo "signed: $f -> $f.sig"
+    done
+    echo "Upload each .sig as a release asset next to its archive."
+    ;;
+  *)
+    die "usage: $0 {keygen [prefix] | pubkey <secret.key> | sign <secret.key> <file>...}"
+    ;;
+esac