Stronger manifest integrity (file hashes + optional ed25519 signature) #5

Open
opened 2025-12-15 00:36:29 +00:00 by 44r0n7 · 0 comments
Owner

Problem

  • Only bundle.tar.gz is hashed; individual files and the manifest itself are not authenticated.

Proposal

  • Extend manifest.json to include per-file hashes (web assets, API package, entrypoint).
  • Add optional ed25519 signature over manifest.json; verify if signature + pubkey provided (e.g., /etc/pikit/public.key).
  • Keep backward compatibility: verify bundle hash today; prefer full-file hashes when present; signature optional but logged when missing.
  • Document key management and how to rotate keys.

Acceptance

  • Updater refuses install if any listed file hash or manifest signature fails.
  • Backward-compatible with existing unsigned manifests.
  • Tests cover valid, tampered, and missing-signature cases.
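The check the acceptance criteria describe, as an added Go example that is not pi-kit's own code: per-file SHA-256 hashes alongside the existing bundle hash, an optional detached ed25519 signature over the raw manifest bytes, and a warning rather than a failure when no key or signature is present. The manifest field names and sample inputs are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is an assumed layout for the extended manifest.json; field names are not from the project.
type Manifest struct {
	BundleSHA256 string            `json:"bundle_sha256"`
	Files        map[string]string `json:"files,omitempty"` // path -> sha256 hex; absent in legacy manifests
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// BuildManifest is the release side: hash the bundle and every shipped file.
func BuildManifest(bundle []byte, files map[string][]byte) ([]byte, error) {
	m := Manifest{BundleSHA256: sha256Hex(bundle), Files: map[string]string{}}
	for p, d := range files {
		m.Files[p] = sha256Hex(d)
	}
	return json.Marshal(m)
}
// VerifyManifest is the updater side. The detached signature is checked over the raw
// manifest bytes before parsing, so no canonicalisation step sits in the trust path.
// A missing key or signature yields a warning, not an error, as the proposal asks.
func VerifyManifest(manifestJSON, sig []byte, pub ed25519.PublicKey, bundle []byte, files map[string][]byte) (warning string, err error) {
	if pub == nil || sig == nil {
		warning = "manifest not signed or no public key configured; hashes only"
	} else if !ed25519.Verify(pub, manifestJSON, sig) {
		return "", errors.New("manifest signature invalid")
	}
	var m Manifest
	if e := json.Unmarshal(manifestJSON, &m); e != nil {
		return "", e
	}
	if sha256Hex(bundle) != m.BundleSHA256 {
		return "", errors.New("bundle hash mismatch")
	}
	for p, want := range m.Files { // no-op for legacy manifests without per-file hashes
		if got, ok := files[p]; !ok || sha256Hex(got) != want {
			return "", fmt.Errorf("file %q missing or hash mismatch", p)
		}
	}
	return warning, nil
}
```

Because the signature covers the exact bytes shipped as manifest.json, any edit to the file (including whitespace) invalidates it, which is the behaviour the "tampered" test case needs.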

Reference: 44r0n7/pi-kit#5