Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 20 additions & 10 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,19 +16,28 @@ policy. The former signing key `df-ed25519-4cb32e72f333` is now classified **com
conservative boundary `2026-07-11T00:00:00Z`. Its public bytes are retained so historical signature
mathematics remain inspectable, but that key must never produce a live policy-accepted result.

The hardened versions in this repository are release targets, not evidence that package registries
have already been updated:
The hardened Python and npm versions in this repository remain release targets. The Rust target
has been published and independently installed from crates.io; that Rust release does not complete
the multi-ecosystem package rotation:

| Ecosystem | Affected published version(s) | Hardened source target | Published by this PR? |
| Ecosystem | Affected version/source | Hardened version | Release status |
|---|---:|---:|---|
| PyPI `dynamicfeed-verify` | `<= 1.0.2` | `1.0.3` | No |
| npm `@dynamicfeed/verify` | `<= 1.0.1` | `1.0.2` | No |
| crates.io `dynamicfeed-verify` | `1.0.0` (and affected prior source `1.0.1`) | `1.0.2` | No |
| PyPI `dynamicfeed-verify` | `<= 1.0.2` | `1.0.3` | Pending; publishing credentials unavailable |
| npm `@dynamicfeed/verify` | `<= 1.0.1` | `1.0.2` | Pending; publishing credentials unavailable |
| crates.io `dynamicfeed-verify` | `1.0.0` (and affected prior source `1.0.1`) | `1.0.2` | Published and registry-verified 2026-07-11 |
| C# sample | all current source | quarantined, transport-only | Not a package |

Do not announce a clean package rotation until the target artifacts are built from the reviewed
commit, published through their normal release controls, installed from each registry into a clean
environment, and the advisory is updated with artifact digests and provenance.
Rust `dynamicfeed-verify` `1.0.2` was built from source/tag commit
`95e033efd252e9e97029c0ef97a3ccddad9b6351` and tagged `rust-v1.0.2`. crates.io records
`published_at` as `2026-07-11T16:14:45.939696Z` and a crate size of `29597` bytes. The crates.io
artifact and GitHub release asset have the same SHA-256 digest:
`798bc660b4e9abe25c7f62bcd8007cf1897ca0d8607d975d8b9ba0b8d841d019`. A clean install from
crates.io returned `POLICY_ACCEPTED` for the active signer and `CRYPTO_VALID` with
`LIFECYCLE_REJECTED` for the former compromised signer.

Do not announce a clean multi-ecosystem package rotation until the pending Python and npm artifacts
are built from their reviewed commits, published through their normal release controls, installed
from each registry into a clean environment, and recorded with artifact digests and provenance.

See [SECURITY.md](SECURITY.md) for the full advisory.

Expand All @@ -42,7 +51,8 @@ See [SECURITY.md](SECURITY.md) for the full advisory.
- The production service compatibility endpoint `/.well-known/keys` is active-key-only following
the 2026-07-11 service cutover. The former key is absent from active discovery and is retained
only in the lifecycle registry with `compromised` status. This repository records verifier
source; that completed service cutover does not mean the target package versions are published.
source; that completed service cutover does not mean the pending Python and npm target package
versions are published.

The current-domain registry is an operational disclosure, not an independent trust root. A
security-sensitive verifier should pin a reviewed registry out of band, authenticate updates, and
Expand Down
46 changes: 34 additions & 12 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,9 @@

## Advisory DFF-2026-07-11-01 — signer lifecycle bypass

Status: production service cutover completed 2026-07-11; hardened source merged; package
publication remains a separate, incomplete release gate.
Status: production service cutover completed 2026-07-11; hardened source merged; Rust
`dynamicfeed-verify` `1.0.2` published and registry-verified; Python and npm publications remain
incomplete.

Earlier Python, JavaScript, and Rust verifiers could treat successful Ed25519 mathematics against a
flat key map as an overall accepted result. Flat key bytes contain no lifecycle status. After a key
Expand All @@ -17,15 +18,16 @@ artifact cannot rehabilitate it.

### Affected and target versions

| Package/source | Affected | Hardened target |
|---|---:|---:|
| PyPI `dynamicfeed-verify` | `<= 1.0.2` | `1.0.3` |
| npm `@dynamicfeed/verify` | `<= 1.0.1` | `1.0.2` |
| crates.io `dynamicfeed-verify` | published `1.0.0`; prior repository source `1.0.1` | `1.0.2` |
| C# sample | all current source | quarantined pending a conformant implementation |
| Package/source | Affected | Hardened version | Release status |
|---|---:|---:|---|
| PyPI `dynamicfeed-verify` | `<= 1.0.2` | `1.0.3` | Pending; publishing credentials unavailable |
| npm `@dynamicfeed/verify` | `<= 1.0.1` | `1.0.2` | Pending; publishing credentials unavailable |
| crates.io `dynamicfeed-verify` | published `1.0.0`; prior repository source `1.0.1` | `1.0.2` | Published and registry-verified 2026-07-11 |
| C# sample | all current source | quarantined pending a conformant implementation | Not a package |

These target numbers describe source in this repository. They are not release attestations. Check
the package registry and the final release advisory before depending on them.
The Rust row is a release attestation backed by the evidence recorded below. The Python and npm
version numbers describe source targets only; check their package registries and this advisory
before depending on them.

### Corrected behavior

Expand Down Expand Up @@ -60,14 +62,33 @@ The C# sample is not a reference verifier. It lacks conformance-tested canonical
and anti-rollback logic. Its network response is explicitly unverified; compatibility methods that
could return an actionable verdict throw `NotSupportedException`.

### Rust `1.0.2` release evidence

The crates.io package was built from source commit
`95e033efd252e9e97029c0ef97a3ccddad9b6351`, which is also the commit tagged `rust-v1.0.2`.
crates.io records `published_at` as `2026-07-11T16:14:45.939696Z` and the crate size as `29597`
bytes. The crates.io artifact and GitHub release asset have the identical SHA-256 digest
`798bc660b4e9abe25c7f62bcd8007cf1897ca0d8607d975d8b9ba0b8d841d019`.

A clean environment installed `dynamicfeed-verify` `1.0.2` from the crates.io registry. Verification
returned `POLICY_ACCEPTED` for the active signer and `CRYPTO_VALID` with `LIFECYCLE_REJECTED` for
the former compromised signer. These checks attest to the Rust registry artifact only. PyPI
`dynamicfeed-verify` `1.0.3` and npm `@dynamicfeed/verify` `1.0.2` remain pending because publishing
credentials were unavailable, so the overall package rotation is not complete.

This release evidence does not establish full RFC 3161 or OpenTimestamps proof verification. The
libraries continue to distinguish signed anchor attachment from independent timestamp-proof
validation.

### Service cutover and package-release criteria

The production service cutover is complete: `/.well-known/keys` exposes only the active key, while
the lifecycle registry retains the former public key with `compromised` status. Live endpoints,
logs, and rollback were verified as part of that deployment. Those service facts do not publish or
attest to any package-registry artifact.

Do not call the verifier **package** rotation complete until all of the following are recorded:
Do not call the multi-ecosystem verifier **package** rotation complete until all of the following
are recorded for every package:

1. the reviewed source commit and passing CI;
2. package builds from that exact commit;
Expand All @@ -76,7 +97,8 @@ Do not call the verifier **package** rotation complete until all of the followin
5. artifact hashes and source provenance;
6. advisory update naming the released versions and completion time.

Merging source in this repository does not publish packages. The target versions above remain
Merging source in this repository does not publish packages. The Rust `1.0.2` publication and
clean-install checks are recorded above; the Python `1.0.3` and npm `1.0.2` targets remain
unreleased until their registry publications and clean-install checks are recorded.

## Reporting a vulnerability
Expand Down
Loading