Skip to content

security: harden producer-side signing#351

Merged
bordumb merged 10 commits into
mainfrom
loop/foundation-2026-06-23_223638
Jun 24, 2026
Merged

security: harden producer-side signing#351
bordumb merged 10 commits into
mainfrom
loop/foundation-2026-06-23_223638

Conversation

@bordumb

@bordumb bordumb commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

No description provided.

bordumb added 4 commits June 23, 2026 23:01
@bordumb
agent: restrict the listener socket and its directory to the owner
3de37ad 
The agent listener bound its Unix socket without setting any permissions, so
under a default umask both the socket and its parent directory were reachable
by other local users. Create the socket directory as 0o700 and set the bound
socket to 0o600, failing closed if either permission cannot be applied.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@bordumb
agent: reject socket connections from other users
cfa3574 
The agent listener served every connection that reached its socket without
checking who was on the other end. Authorize each connection by peer UID: the
listener now reads the connecting process's credentials and serves only the
user that owns the agent, refusing all requests (sign, list, add, remove) from
any other user and failing closed when the peer's credentials cannot be read.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@bordumb
agent: bound how long a single unlock keeps signing capability
ef01807 
Two gaps left the agent able to sign indefinitely after one unlock. The session
signed by reaching into the key store directly, so it never honored the locked
state or recorded activity; route signing through the handle so a locked agent
refuses to sign and each signature resets the idle timer. The idle timeout was
also never enforced — nothing checked it — so add a background monitor that locks
the agent (clearing its keys) once it has been idle past the timeout.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@bordumb
harden producer-side signing: locked-down agent socket, bounded unloc…
65e429a 
…k window, and refuse revoked/rotated-out keys

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@bordumb bordumb self-assigned this Jun 24, 2026
@vercel

vercel Bot commented Jun 24, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
auths Ready Ready Preview, Comment Jun 24, 2026 1:48am

@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
65e429a8 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
ef018070 ❌ Failed No signature found
cfa3574d ❌ Failed No signature found
3de37ad6 ❌ Failed No signature found

Result: ❌ 1/4 commits verified

How to fix

Commit ef018070 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@bordumb
tests: fix broken rotation test
713d74d 
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
713d74de ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
65e429a8 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
ef018070 ❌ Failed No signature found
cfa3574d ❌ Failed No signature found
3de37ad6 ❌ Failed No signature found

Result: ❌ 2/5 commits verified

How to fix

Commit ef018070 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@bordumb
fix: formatting
986a1ff 
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
986a1ff2 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
713d74de ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
65e429a8 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
ef018070 ❌ Failed No signature found
cfa3574d ❌ Failed No signature found
3de37ad6 ❌ Failed No signature found

Result: ❌ 3/6 commits verified

How to fix

Commit ef018070 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@bordumb
fix: issuer signature in golden path dropping
617378f 
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
617378fc ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
986a1ff2 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
713d74de ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
65e429a8 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
ef018070 ❌ Failed No signature found
cfa3574d ❌ Failed No signature found
3de37ad6 ❌ Failed No signature found

Result: ❌ 4/7 commits verified

How to fix

Commit ef018070 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@bordumb
fix: formatting
4e0fd13 
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
4e0fd13c ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
617378fc ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
986a1ff2 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
713d74de ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
65e429a8 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
ef018070 ❌ Failed No signature found
cfa3574d ❌ Failed No signature found
3de37ad6 ❌ Failed No signature found

Result: ❌ 5/8 commits verified

How to fix

Commit ef018070 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@bordumb
fix: constant time test flakiness
df6cc25 
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
df6cc250 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
4e0fd13c ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
617378fc ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
986a1ff2 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
713d74de ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
65e429a8 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
ef018070 ❌ Failed No signature found
cfa3574d ❌ Failed No signature found
3de37ad6 ❌ Failed No signature found

Result: ❌ 6/9 commits verified

How to fix

Commit ef018070 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@bordumb
docs: refresh error docs
352fa37 
Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
352fa375 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
df6cc250 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
4e0fd13c ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
617378fc ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
986a1ff2 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
713d74de ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
65e429a8 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
ef018070 ❌ Failed No signature found
cfa3574d ❌ Failed No signature found
3de37ad6 ❌ Failed No signature found

Result: ❌ 7/10 commits verified

How to fix

Commit ef018070 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@bordumb bordumb merged commit 880c0ff into main Jun 24, 2026
21 of 23 checks passed
@bordumb bordumb deleted the loop/foundation-2026-06-23_223638 branch June 24, 2026 01:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@bordumb bordumb

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bordumb