Files
ObsidianDragon/docs/lite-wallet-backend-signing-policy-2026-05-22.md
dan_s ffe63d3129 docs(lite): add v2 implementation plan, source-hygiene guard, and CLAUDE.md
- docs/lite-wallet-implementation-plan-v2-2026-06-04.md: vertical-slice plan that
  supersedes the v1 plan (now banner-marked); carries over the inherited artifact/
  signing/phase-2 design docs for reference.
- scripts/check-source-hygiene.sh: pre-commit/CI guard rejecting >80-char filenames
  and chained churn-token names, to stop the deleted "_plan"/"_batch" scaffolding
  from regrowing.
- CLAUDE.md: repository guidance for future sessions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 21:15:11 -05:00

3.5 KiB

Lite Wallet Backend Signing Policy - 2026-05-22

Purpose

This Phase 1 policy defines how backend artifact signature verification evidence is recorded without making the wallet sign, upload, publish, mutate, load, resolve, or call backend artifacts.

Policy identifier: dragonx-lite-backend-signature-policy-v1.

Scope

The artifact producer may capture read-only metadata about a signature verification that has already been performed by a release builder. It does not create signatures and does not run wallet runtime code.

The default development and local verification path does not require a signature. Release builders that require signed artifacts must opt in with --signature-required when generating the manifest and DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON when configuring CMake.

Accepted Evidence

When signature metadata is supplied, all of the following are required:

  • an existing sidecar signature file,
  • signature format minisign, gpg, sigstore, external, or other,
  • verifier tool and version used by the release builder,
  • reviewed public-key fingerprint or reviewed certificate identity,
  • verified artifact SHA-256 equal to the artifact bytes recorded in the manifest.

The manifest records the signature sidecar SHA-256, optional verifier command, optional certificate issuer, optional transparency log URL, and verification_status: "verified". Missing or inconsistent required metadata fails before manifest generation when --signature-required or any signature metadata flag is supplied.

Script Usage

Example metadata capture after an external verifier has already checked the artifact:

scripts/build-lite-backend-artifact.sh \
  --platform linux \
  --artifact build/lite-backend-relative-linux-b/linux/libsilentdragonxlite.a \
  --no-build \
  --out-dir build/lite-backend-signed-inventory \
  --signature-required \
  --signature-file /path/to/libsilentdragonxlite.a.minisig \
  --signature-format minisign \
  --signature-verification-tool "minisign 0.11" \
  --signature-verification-command "minisign -Vm libsilentdragonxlite.a -P <reviewed-public-key>" \
  --signature-key-fingerprint "<reviewed-public-key-fingerprint>" \
  --signature-verified-sha256 "<artifact-sha256>"

For unsigned local inventory, omit all signature flags. The manifest still includes signature_verification.policy_defined: true, metadata_provided: false, and verification_status: "not-provided", while signing_requested remains false.

CMake Gate

DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON is optional and fail-closed. When enabled, CMake requires DRAGONX_LITE_BACKEND_MANIFEST, parses signature_verification, requires verification_status: "verified", and checks that signature_verification.verified_artifact_sha256 matches artifact.sha256 before importing the backend library.

Contract Helper

LiteBackendArtifactContract accepts unsigned local metadata by default. If signatureVerification.requiredForRelease is true, the helper requires a defined policy, complete metadata, a reviewed trust identity, performed verification, verified status, and a matching artifact SHA-256 before producing resolver input.

Guardrails

  • No signing is performed by the artifact script, CMake, contract helper, or wallet runtime.
  • No artifact upload or publication is performed.
  • No runtime dynamic loading, symbol resolution, SDXL calls, wallet lifecycle, sync, WalletState mutation, or persistence is enabled.
  • Signature evidence is release inventory only and must describe the same artifact bytes identified by the manifest SHA-256.