Skip to content

security: harden signing-key lifecycle verification#2

Merged
Dynamicfeedai merged 4 commits into
mainfrom
codex/clean-signing-key-rotation
Jul 11, 2026
Merged

security: harden signing-key lifecycle verification#2
Dynamicfeedai merged 4 commits into
mainfrom
codex/clean-signing-key-rotation

Conversation

@Dynamicfeedai

@Dynamicfeedai Dynamicfeedai commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

  • replace flat trusted-key handling with a versioned signing-key lifecycle registry
  • enforce active-key, registry-revision, source-authentication, strict parsing, and no-redirect policy across Python, JavaScript, and Rust verifiers
  • reject noncanonical base64url signature and public-key spellings, including unused-bit aliases, with exact Ed25519 length checks
  • quarantine the C# client as transport-only until it has equivalent verification semantics
  • update examples, shared vectors, security guidance, and release guardrails

Security model

Live verification succeeds only for an active signer from an authenticated lifecycle-registry source at or above the retained revision floor. Compromised and retired keys remain available only for explicit, non-actionable historical inspection. Current-domain discovery is operational discovery, not an independent trust root.

Release targets

  • Python dynamicfeed-verify: 1.0.3
  • npm @dynamicfeed/verify: 1.0.2
  • Rust dynamicfeed-verify: 1.0.2

These are source targets. No package is published by this PR.

Validation

  • Python 3.8 and 3.12 lifecycle, anchor, malformed-encoding, unused-bit, exact-length, shared-vector, and clean-wheel tests
  • JavaScript lifecycle, shared-vector, unused-bit, exact-length, and clean-tarball tests
  • Rust fmt, Clippy with warnings denied, unit/conformance/doc tests, cargo package, and extracted-crate tests
  • verified-agent and reliability self-tests
  • signing-rotation policy guardrail
  • frozen receipt byte/hash verification and git diff --check
  • independent release audit: source merge GO

Production state

The server-first cutover is live on Dynamic-Feed main. Active-only discovery serves df-ed25519-6ca0de29113b; the former key remains public as compromised in lifecycle registry revision 1.

Remaining package-release gates

  • merge this source change
  • reconcile the production advisory for the fixed Rust 1.0.2 line
  • publish through authenticated registry processes and record exact artifact hashes/provenance
  • clean-install each public registry artifact and rerun active/compromised policy checks
  • npm and PyPI credentials are not currently available in this environment

Rollback

Revert the squash merge. This PR performs no database migration, package publication, signing-key mutation, or production service deployment.

@Dynamicfeedai Dynamicfeedai marked this pull request as ready for review July 11, 2026 16:03
@Dynamicfeedai Dynamicfeedai merged commit 90a42e1 into main Jul 11, 2026
5 checks passed
@Dynamicfeedai Dynamicfeedai deleted the codex/clean-signing-key-rotation branch July 11, 2026 16:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant