Pear DocsSet up multisig
One-time setup for a multisig production drive: generate signing keys, write multisig.json, compute the multisig link, and point upgrade at it.
Production releases are gated by a multisig drive — a Hypercore whose write access is controlled by a quorum of signing keys instead of one machine's private key. This is what removes the single point of failure from a typical desktop release flow, and it is why a multisig drive is not machine-bound: a quorum of signers can keep producing releases even if every other key is lost.
This guide is the one-time setup. Once it is done, every release uses the repeatable signing flow in Sign with multisig.
This is the production gate of the desktop release flow. You need a working provision link before you set up multisig — the multisig config points at the provision drive as its source.
Create signing keys
Every signer runs:
npm i -g hypercore-sign
hypercore-sign-generate-keysThe public key lands at ~/.hypercore-sign/default.public. Each signer shares their public key with whoever is assembling the multisig config.
Create the multisig config
Write multisig.json with every signer's public key, a quorum count, an arbitrary namespace, and the provision link's key as srcKey:
{
"type": "drive",
"publicKeys": ["pubkey-signer-1", "pubkey-signer-2", "pubkey-signer-3"],
"namespace": "pear-chat",
"quorum": 2,
"srcKey": "q9sopzoqgas9usoiq7uzkkwngm5pzj4zo3n4esjwwbmw6offis8o"
}This example needs two of three signers to release. The quorum is the minimum number of signers whose responses must agree before a release can be committed.
Set upgrade to the multisig link
Install hyper-multisig-cli and compute the multisig link:
npm i -g hyper-multisig-cli
hyper-multisig link
# pear://69qwbihxj4c8te15wt3skj4j1g3ufmbo3mperedjqr1hb55mspooSet upgrade to that link (step 1), bump version (step 2), make, pear build, and pear stage. Then provision again with the multisig link as the third argument:
pear provision pear://0.1082.qxenz5wmspmryjc13m9yzsqj1conqotn8fb4ocbufwtz9mtbqq5o pear://q9sopzoqgas9usoiq7uzkkwngm5pzj4zo3n4esjwwbmw6offis8o pear://0.0.69qwbihxj4c8te15wt3skj4j1g3ufmbo3mperedjqr1hb55mspooThe provision drive's upgrade field now points at the multisig drive. Setup is complete — releases now go through the signing flow.
See also
- Sign with multisig — the repeatable prepare → sign → verify → commit flow for every release.
- Troubleshoot multisig — interrupted commits,
INCOMPATIBLE_SOURCE_AND_TARGET, and recovering lost write access. - Deploy your application — the full eight-step release flow this gates.
- Release pipeline — conceptual diagrams for stage, provision, and multisig.