**Optional Ed25519 release signing — supply-chain protection for updates.** Once enabled, every update zip is verified against a bundled public key before WordPress is allowed to install it. A tampered download (compromised mirror, MITM) is rejected with a clear error. \`\`\`sh php tools/generate-signing-key.php \`\`\` Then paste the public key into \`NCM_UPDATE_PUBLIC_KEY\`, upload the secret key to GitLab as the file-type CI variable \`RELEASE_SIGNING_KEY\`, and tag the next release. See README → "Update integrity" for full instructions. \`NCM_UPDATE_PUBLIC_KEY\` ships empty in 2.4.2 — updates install unverified, same as 2.4.1. The whole feature is opt-in. Existing installs upgrade to 2.4.2 cleanly without any operator action. Customer Map → Debug Log → Updates now shows signing status, public-key fingerprint, and whether the latest release has a \`.sig\` asset.