From 4f5d6e79fa1fdcf4e19d0f6733a6b363888fba2a Mon Sep 17 00:00:00 2001 From: Sami Mechkor Date: Sun, 12 Jul 2026 02:19:41 +1000 Subject: [PATCH] docs: record Rust verifier 1.0.2 release --- README.md | 30 ++++++++++++++++++++---------- SECURITY.md | 46 ++++++++++++++++++++++++++++++++++------------ 2 files changed, 54 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index cbc5cc6..f893ca8 100644 --- a/README.md +++ b/README.md @@ -16,19 +16,28 @@ policy. The former signing key `df-ed25519-4cb32e72f333` is now classified **com conservative boundary `2026-07-11T00:00:00Z`. Its public bytes are retained so historical signature mathematics remain inspectable, but that key must never produce a live policy-accepted result. -The hardened versions in this repository are release targets, not evidence that package registries -have already been updated: +The hardened Python and npm versions in this repository remain release targets. The Rust target +has been published and independently installed from crates.io; that Rust release does not complete +the multi-ecosystem package rotation: -| Ecosystem | Affected published version(s) | Hardened source target | Published by this PR? | +| Ecosystem | Affected version/source | Hardened version | Release status | |---|---:|---:|---| -| PyPI `dynamicfeed-verify` | `<= 1.0.2` | `1.0.3` | No | -| npm `@dynamicfeed/verify` | `<= 1.0.1` | `1.0.2` | No | -| crates.io `dynamicfeed-verify` | `1.0.0` (and affected prior source `1.0.1`) | `1.0.2` | No | +| PyPI `dynamicfeed-verify` | `<= 1.0.2` | `1.0.3` | Pending; publishing credentials unavailable | +| npm `@dynamicfeed/verify` | `<= 1.0.1` | `1.0.2` | Pending; publishing credentials unavailable | +| crates.io `dynamicfeed-verify` | `1.0.0` (and affected prior source `1.0.1`) | `1.0.2` | Published and registry-verified 2026-07-11 | | C# sample | all current source | quarantined, transport-only | Not a package | -Do not announce a clean package rotation until the target artifacts are built from the reviewed -commit, published through their normal release controls, installed from each registry into a clean -environment, and the advisory is updated with artifact digests and provenance. +Rust `dynamicfeed-verify` `1.0.2` was built from source/tag commit +`95e033efd252e9e97029c0ef97a3ccddad9b6351` and tagged `rust-v1.0.2`. crates.io records +`published_at` as `2026-07-11T16:14:45.939696Z` and a crate size of `29597` bytes. The crates.io +artifact and GitHub release asset have the same SHA-256 digest: +`798bc660b4e9abe25c7f62bcd8007cf1897ca0d8607d975d8b9ba0b8d841d019`. A clean install from +crates.io returned `POLICY_ACCEPTED` for the active signer and `CRYPTO_VALID` with +`LIFECYCLE_REJECTED` for the former compromised signer. + +Do not announce a clean multi-ecosystem package rotation until the pending Python and npm artifacts +are built from their reviewed commits, published through their normal release controls, installed +from each registry into a clean environment, and recorded with artifact digests and provenance. See [SECURITY.md](SECURITY.md) for the full advisory. @@ -42,7 +51,8 @@ See [SECURITY.md](SECURITY.md) for the full advisory. - The production service compatibility endpoint `/.well-known/keys` is active-key-only following the 2026-07-11 service cutover. The former key is absent from active discovery and is retained only in the lifecycle registry with `compromised` status. This repository records verifier - source; that completed service cutover does not mean the target package versions are published. + source; that completed service cutover does not mean the pending Python and npm target package + versions are published. The current-domain registry is an operational disclosure, not an independent trust root. A security-sensitive verifier should pin a reviewed registry out of band, authenticate updates, and diff --git a/SECURITY.md b/SECURITY.md index 6499e64..94ebcba 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,8 +2,9 @@ ## Advisory DFF-2026-07-11-01 — signer lifecycle bypass -Status: production service cutover completed 2026-07-11; hardened source merged; package -publication remains a separate, incomplete release gate. +Status: production service cutover completed 2026-07-11; hardened source merged; Rust +`dynamicfeed-verify` `1.0.2` published and registry-verified; Python and npm publications remain +incomplete. Earlier Python, JavaScript, and Rust verifiers could treat successful Ed25519 mathematics against a flat key map as an overall accepted result. Flat key bytes contain no lifecycle status. After a key @@ -17,15 +18,16 @@ artifact cannot rehabilitate it. ### Affected and target versions -| Package/source | Affected | Hardened target | -|---|---:|---:| -| PyPI `dynamicfeed-verify` | `<= 1.0.2` | `1.0.3` | -| npm `@dynamicfeed/verify` | `<= 1.0.1` | `1.0.2` | -| crates.io `dynamicfeed-verify` | published `1.0.0`; prior repository source `1.0.1` | `1.0.2` | -| C# sample | all current source | quarantined pending a conformant implementation | +| Package/source | Affected | Hardened version | Release status | +|---|---:|---:|---| +| PyPI `dynamicfeed-verify` | `<= 1.0.2` | `1.0.3` | Pending; publishing credentials unavailable | +| npm `@dynamicfeed/verify` | `<= 1.0.1` | `1.0.2` | Pending; publishing credentials unavailable | +| crates.io `dynamicfeed-verify` | published `1.0.0`; prior repository source `1.0.1` | `1.0.2` | Published and registry-verified 2026-07-11 | +| C# sample | all current source | quarantined pending a conformant implementation | Not a package | -These target numbers describe source in this repository. They are not release attestations. Check -the package registry and the final release advisory before depending on them. +The Rust row is a release attestation backed by the evidence recorded below. The Python and npm +version numbers describe source targets only; check their package registries and this advisory +before depending on them. ### Corrected behavior @@ -60,6 +62,24 @@ The C# sample is not a reference verifier. It lacks conformance-tested canonical and anti-rollback logic. Its network response is explicitly unverified; compatibility methods that could return an actionable verdict throw `NotSupportedException`. +### Rust `1.0.2` release evidence + +The crates.io package was built from source commit +`95e033efd252e9e97029c0ef97a3ccddad9b6351`, which is also the commit tagged `rust-v1.0.2`. +crates.io records `published_at` as `2026-07-11T16:14:45.939696Z` and the crate size as `29597` +bytes. The crates.io artifact and GitHub release asset have the identical SHA-256 digest +`798bc660b4e9abe25c7f62bcd8007cf1897ca0d8607d975d8b9ba0b8d841d019`. + +A clean environment installed `dynamicfeed-verify` `1.0.2` from the crates.io registry. Verification +returned `POLICY_ACCEPTED` for the active signer and `CRYPTO_VALID` with `LIFECYCLE_REJECTED` for +the former compromised signer. These checks attest to the Rust registry artifact only. PyPI +`dynamicfeed-verify` `1.0.3` and npm `@dynamicfeed/verify` `1.0.2` remain pending because publishing +credentials were unavailable, so the overall package rotation is not complete. + +This release evidence does not establish full RFC 3161 or OpenTimestamps proof verification. The +libraries continue to distinguish signed anchor attachment from independent timestamp-proof +validation. + ### Service cutover and package-release criteria The production service cutover is complete: `/.well-known/keys` exposes only the active key, while @@ -67,7 +87,8 @@ the lifecycle registry retains the former public key with `compromised` status. logs, and rollback were verified as part of that deployment. Those service facts do not publish or attest to any package-registry artifact. -Do not call the verifier **package** rotation complete until all of the following are recorded: +Do not call the multi-ecosystem verifier **package** rotation complete until all of the following +are recorded for every package: 1. the reviewed source commit and passing CI; 2. package builds from that exact commit; @@ -76,7 +97,8 @@ Do not call the verifier **package** rotation complete until all of the followin 5. artifact hashes and source provenance; 6. advisory update naming the released versions and completion time. -Merging source in this repository does not publish packages. The target versions above remain +Merging source in this repository does not publish packages. The Rust `1.0.2` publication and +clean-install checks are recorded above; the Python `1.0.3` and npm `1.0.2` targets remain unreleased until their registry publications and clean-install checks are recorded. ## Reporting a vulnerability