fix(i18n): correct German site terminology

Updates the German translation to use "Standort" (site) instead of "Seite" (page) for consistency with the site context.
fix(i18n): correct German translation strings
2026-01-30 06:40:46 +00:00 · 2026-01-29 10:01:30 -08:00 · 2026-01-29 10:01:30 -08:00 · 2026-01-28 15:03:31 -08:00
3 changed files with 62 additions and 13 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -504,10 +504,55 @@ jobs:
                      }

                      echo "==> cosign verify (public key) ${REF}"
-                      retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"
+                      if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then
+                        VERIFIED_INDEX=true
+                      else
+                        VERIFIED_INDEX=false
+                      fi

                      echo "==> cosign verify (keyless policy) ${REF}"
-                      retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"
+                      if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then
+                        VERIFIED_INDEX_KEYLESS=true
+                      else
+                        VERIFIED_INDEX_KEYLESS=false
+                      fi
+
+                      # If index verification fails, attempt to verify child platform manifests
+                      if [ "${VERIFIED_INDEX}" != "true" ] || [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
+                        echo "Index verification not available; attempting child manifest verification for ${BASE_IMAGE}:${IMAGE_TAG}"
+                        CHILD_VERIFIED=false
+
+                        for ARCH in arm64 amd64; do
+                          CHILD_TAG="${IMAGE_TAG}-${ARCH}"
+                          echo "Resolving child digest for ${BASE_IMAGE}:${CHILD_TAG}"
+                          CHILD_DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${CHILD_TAG} | jq -r '.Digest' || true)"
+                          if [ -n "${CHILD_DIGEST}" ] && [ "${CHILD_DIGEST}" != "null" ]; then
+                            CHILD_REF="${BASE_IMAGE}@${CHILD_DIGEST}"
+                            echo "==> cosign verify (public key) child ${CHILD_REF}"
+                            if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${CHILD_REF}' -o text"; then
+                              CHILD_VERIFIED=true
+                              echo "Public key verification succeeded for child ${CHILD_REF}"
+                            else
+                              echo "Public key verification failed for child ${CHILD_REF}"
+                            fi
+
+                            echo "==> cosign verify (keyless policy) child ${CHILD_REF}"
+                            if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${CHILD_REF}' -o text"; then
+                              CHILD_VERIFIED=true
+                              echo "Keyless verification succeeded for child ${CHILD_REF}"
+                            else
+                              echo "Keyless verification failed for child ${CHILD_REF}"
+                            fi
+                          else
+                            echo "No child digest found for ${BASE_IMAGE}:${CHILD_TAG}; skipping"
+                          fi
+                        done
+
+                        if [ "${CHILD_VERIFIED}" != "true" ]; then
+                          echo "Failed to verify index and no child manifests verified for ${BASE_IMAGE}:${IMAGE_TAG}"
+                          exit 10
+                        fi
+                      fi

                      echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
                    done
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -97,7 +97,7 @@
    "siteGeneralDescription": "Allgemeine Einstellungen für diesen Standort konfigurieren",
    "siteSettingDescription": "Standorteinstellungen konfigurieren",
    "siteSetting": "{siteName} Einstellungen",
-    "siteNewtTunnel": "Neuer Standort (empfohlen)",
+    "siteNewtTunnel": "Newt Standort (empfohlen)",
    "siteNewtTunnelDescription": "Einfachster Weg, einen Einstiegspunkt in jedes Netzwerk zu erstellen. Keine zusätzliche Einrichtung.",
    "siteWg": "Einfacher WireGuard Tunnel",
    "siteWgDescription": "Verwende jeden WireGuard-Client, um einen Tunnel einzurichten. Manuelles NAT-Setup erforderlich.",
@@ -107,7 +107,7 @@
    "siteSeeAll": "Alle Standorte anzeigen",
    "siteTunnelDescription": "Legen Sie fest, wie Sie sich mit dem Standort verbinden möchten",
    "siteNewtCredentials": "Zugangsdaten",
-    "siteNewtCredentialsDescription": "So wird sich die Seite mit dem Server authentifizieren",
+    "siteNewtCredentialsDescription": "So wird sich der Standort mit dem Server authentifizieren",
    "remoteNodeCredentialsDescription": "So wird sich der entfernte Node mit dem Server authentifizieren",
    "siteCredentialsSave": "Anmeldedaten speichern",
    "siteCredentialsSaveDescription": "Du kannst das nur einmal sehen. Stelle sicher, dass du es an einen sicheren Ort kopierst.",
@@ -2503,7 +2503,7 @@
    "deviceModel": "Gerätemodell",
    "serialNumber": "Seriennummer",
    "hostname": "Hostname",
-    "firstSeen": "Erster Blick",
+    "firstSeen": "Zuerst gesehen",
    "lastSeen": "Zuletzt gesehen",
    "biometricsEnabled": "Biometrie aktiviert",
    "diskEncrypted": "Festplatte verschlüsselt",
--- a/server/setup/ensureSetupToken.ts
+++ b/server/setup/ensureSetupToken.ts
@@ -64,16 +64,20 @@ export async function ensureSetupToken() {
                );
            }

-            if (existingToken?.token !== envSetupToken) {
-                console.warn(
-                    "Overwriting existing token in DB since PANGOLIN_SETUP_TOKEN is set"
-                );
+            if (existingToken) {
+                // Token exists in DB - update it if different
+                if (existingToken.token !== envSetupToken) {
+                    console.warn(
+                        "Overwriting existing token in DB since PANGOLIN_SETUP_TOKEN is set"
+                    );

-                await db
-                    .update(setupTokens)
-                    .set({ token: envSetupToken })
-                    .where(eq(setupTokens.tokenId, existingToken.tokenId));
+                    await db
+                        .update(setupTokens)
+                        .set({ token: envSetupToken })
+                        .where(eq(setupTokens.tokenId, existingToken.tokenId));
+                }
            } else {
+                // No existing token - insert new one
                const tokenId = generateId(15);

                await db.insert(setupTokens).values({
Author	SHA1	Message	Date
MoweME	b0566d3c6f	fix(i18n): correct German site terminology Updates the German translation to use "Standort" (site) instead of "Seite" (page) for consistency with the site context.	2026-01-29 10:01:30 -08:00
MoweME	5dda8c384f	fix(i18n): correct German translation strings Corrects mistranslation of device timestamp labels and fixes product name reference in site tunnel settings.	2026-01-29 10:01:30 -08:00
Owen	cb569ff14d	Properly insert PANGOLIN_SETUP_TOKEN into db Fixes #2361	2026-01-28 15:03:31 -08:00