Security

Signing & Verification

How bundles are signed with Ed25519 or Sigstore and verified at every step.

Every OXP bundle is cryptographically signed. The signature chain ensures that any tampering with a bundle between the author's machine and the user's IDE is detected and the install refused.

Signing Algorithms

Ed25519 (default)

Fast, offline-capable signing with an Ed25519 keypair. Keys are generated by oxp keygen and stored at ~/.oxp/keys/.

The signed payload carries the bundle digest (SHA-256 of the uncompressed tar stream) and the signing time:

```json
{
  "alg": "ed25519",
  "keyId": "ed25519:0xABCD...",
  "signature": "base64...",
  "payload": {
    "digest": "sha256:e3b0c44...",
    "signedAt": "2026-05-03T12:00:00Z"
  }
}
```

Sigstore (keyless)

For maximum trust, OXP supports Sigstore keyless signing:

  • Identity: OIDC token from the publisher's account
  • Certificate: Fulcio short-lived signing certificate
  • Transparency: Rekor inclusion proof (publicly auditable)
  • Storage: Full Sigstore bundle in .oxp/SIGNATURE

Verification Chain

At Pack Time

oxp pack signs the bundle and embeds the signature. The bundle digest is the SHA-256 of the uncompressed tar — stable across recompression.

At Publish Time

The registry:

  1. Verifies the signature against the publisher's registered key
  2. Checks TOFU key pinning (is this the same key they've always used?)
  3. Records the signature and key ID in the version record
  4. Stores the bundle bytes content-addressed by digest

At Install Time

The host runs the full verification pipeline:

  1. Downloads manifest, bundle, and signature from the registry
  2. Re-computes the bundle digest from the downloaded bytes
  3. Verifies the Ed25519 signature (or Sigstore bundle) against the digest
  4. Checks TOFU — is this publisher's key already pinned in trust.json?
  5. Verifies per-file integrity — every file hash in .oxp/integrity.json matches
  6. Validates the WIT pin — for component bundles, the declared WIT hash must match

Any failure in steps 2-6 is a hard install error. The bundle is not extracted.

Key Management

Generating Keys

```bash
oxp keygen
# Creates ~/.oxp/keys/ed25519.key and ~/.oxp/keys/ed25519.pub
# Prints: ed25519:0xABCD1234...
```

Key Registration

Your public key is automatically registered with the registry on first publish. After that, it's pinned — you can't publish with a different key without going through the key rotation flow.

Key Rotation

If you need to rotate your signing key (compromised key, new machine, team changes):

  1. Authenticate with the registry (requires re-auth)
  2. The old key is retired with an audit log entry
  3. New key is pinned server-side
  4. Host-side TOFU stores are updated on next install

Currently this requires a manual flow. A self-service UI is planned for the dashboard.

Trust Policy

The CLI refuses unsigned bundles by default. The flag --unsafe-allow-unsigned is only permitted against localhost registries and during oxp dev. A clear, persistent warning is shown.

Audit Trail

Every publish, signature verification, and key operation is logged. Phase C will add a tamper-evident, hash-chained audit log with a daily public Merkle root.