- docs/lite-wallet-implementation-plan-v2-2026-06-04.md: vertical-slice plan that supersedes the v1 plan (now banner-marked); carries over the inherited artifact/ signing/phase-2 design docs for reference. - scripts/check-source-hygiene.sh: pre-commit/CI guard rejecting >80-char filenames and chained churn-token names, to stop the deleted "_plan"/"_batch" scaffolding from regrowing. - CLAUDE.md: repository guidance for future sessions. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
3.5 KiB
Lite Wallet Backend Signing Policy - 2026-05-22
Purpose
This Phase 1 policy defines how backend artifact signature verification evidence is recorded without making the wallet sign, upload, publish, mutate, load, resolve, or call backend artifacts.
Policy identifier: dragonx-lite-backend-signature-policy-v1.
Scope
The artifact producer may capture read-only metadata about a signature verification that has already been performed by a release builder. It does not create signatures and does not run wallet runtime code.
The default development and local verification path does not require a signature. Release builders that require signed artifacts must opt in with --signature-required when generating the manifest and DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON when configuring CMake.
Accepted Evidence
When signature metadata is supplied, all of the following are required:
- an existing sidecar signature file,
- signature format
minisign,gpg,sigstore,external, orother, - verifier tool and version used by the release builder,
- reviewed public-key fingerprint or reviewed certificate identity,
- verified artifact SHA-256 equal to the artifact bytes recorded in the manifest.
The manifest records the signature sidecar SHA-256, optional verifier command, optional certificate issuer, optional transparency log URL, and verification_status: "verified". Missing or inconsistent required metadata fails before manifest generation when --signature-required or any signature metadata flag is supplied.
Script Usage
Example metadata capture after an external verifier has already checked the artifact:
scripts/build-lite-backend-artifact.sh \
--platform linux \
--artifact build/lite-backend-relative-linux-b/linux/libsilentdragonxlite.a \
--no-build \
--out-dir build/lite-backend-signed-inventory \
--signature-required \
--signature-file /path/to/libsilentdragonxlite.a.minisig \
--signature-format minisign \
--signature-verification-tool "minisign 0.11" \
--signature-verification-command "minisign -Vm libsilentdragonxlite.a -P <reviewed-public-key>" \
--signature-key-fingerprint "<reviewed-public-key-fingerprint>" \
--signature-verified-sha256 "<artifact-sha256>"
For unsigned local inventory, omit all signature flags. The manifest still includes signature_verification.policy_defined: true, metadata_provided: false, and verification_status: "not-provided", while signing_requested remains false.
CMake Gate
DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON is optional and fail-closed. When enabled, CMake requires DRAGONX_LITE_BACKEND_MANIFEST, parses signature_verification, requires verification_status: "verified", and checks that signature_verification.verified_artifact_sha256 matches artifact.sha256 before importing the backend library.
Contract Helper
LiteBackendArtifactContract accepts unsigned local metadata by default. If signatureVerification.requiredForRelease is true, the helper requires a defined policy, complete metadata, a reviewed trust identity, performed verification, verified status, and a matching artifact SHA-256 before producing resolver input.
Guardrails
- No signing is performed by the artifact script, CMake, contract helper, or wallet runtime.
- No artifact upload or publication is performed.
- No runtime dynamic loading, symbol resolution, SDXL calls, wallet lifecycle, sync,
WalletStatemutation, or persistence is enabled. - Signature evidence is release inventory only and must describe the same artifact bytes identified by the manifest SHA-256.