archy/docs/workstream-b-signing-runbook.md

# Workstream B — Signed app-catalog: completion runbook

**Status (2026-06-28):** The registry-distributed manifest pipeline is live — nodes fetch
`releases/app-catalog.json` from the OTA mirror and embed manifests (origin-wins, disk
fallback). What remains for Workstream B is **authenticity**: pin the release-root anchor and
ship a *signed* catalog so nodes can cryptographically verify the publisher.

Today the catalog is **accepted unsigned** ("migration window") and the anchor is **unpinned**
(`core/archipelago/src/trust/anchor.rs:21` → `RELEASE_ROOT_PUBKEY_HEX = None`). Completing B is
a coordinated ceremony that **only the publisher can run** — it needs the offline
`RELEASE_MASTER_MNEMONIC`, which is not (and must not be) stored on any node or build host.

## Why this is gated on you (not automatable)

- The signing key is an **offline mnemonic** you hold (`archipelago ceremony gen` output, backed
  up offline / via `seed.reveal`). It is intentionally absent from the repo and all hosts.
- Order matters: once a binary **pins** the anchor, a catalog carrying a signature from the
  *wrong* key is **hard-rejected fleet-wide** (`trust/signed_doc.rs:79`). Unsigned and
  correctly-signed catalogs are both accepted; only a *mismatched* signature breaks nodes.
- So the pinned pubkey and the signature MUST come from the same key, shipped consistently.

## The ceremony (run from `core/`, with your mnemonic)

```bash
# 0. (only if you don't already have a release-root key) generate one and back the
#    mnemonic up OFFLINE. Prints the pubkey hex + signer did:key.
cargo run --release -p archipelago -- ceremony gen

# 1. Print the release-root pubkey hex for the anchor (idempotent; same mnemonic → same key)
RELEASE_MASTER_MNEMONIC="word1 word2 …" cargo run --release -p archipelago -- ceremony pubkey
#    → copy the 64-char hex.

# 2. Pin it in code:
#    core/archipelago/src/trust/anchor.rs:21
#    -  pub const RELEASE_ROOT_PUBKEY_HEX: Option<&str> = None;
#    +  pub const RELEASE_ROOT_PUBKEY_HEX: Option<&str> = Some("<64-char-hex-from-step-1>");

# 3. Sign the published catalog in place (inserts `signature` + `signed_by` over the
#    canonical JSON — re-run after ANY catalog regen, since signing covers the exact bytes):
RELEASE_MASTER_MNEMONIC="word1 word2 …" \
  cargo run --release -p archipelago -- ceremony sign releases/app-catalog.json

# 4. Verify locally before shipping (optional sanity): a node build with the pinned anchor
#    should log "app-catalog: release-root signature verified (<did>)" rather than
#    "self-consistent but anchor not pinned".
```

## Ship order (backward-compatible)

1. Commit the **signed** `releases/app-catalog.json` + the `anchor.rs` change together.
2. Push the signed catalog to the OTA mirror (gitea-vps2 `main`) — old binaries (no pinned
   anchor) still accept it (verified-but-unconfirmed); nothing breaks.
3. Build + OTA the binary with the pinned anchor. New nodes now **verify** the catalog against
   the anchor. (This is the normal release path — gate the tag per the ship-ritual.)
4. **Later / optional hardening:** once the whole fleet is on the pinned-anchor binary, flip
   the policy from "accept unsigned (migration window)" to "reject unsigned" in
   `container/app_catalog.rs` (the `SignatureStatus::Unsigned` arm). Do this LAST — while any
   node still runs an unsigned catalog it must keep being accepted.

## Env-override escape hatch (no rebuild)

For staging/canary you can pin the anchor without editing code via
`ARCHY_RELEASE_ROOT_PUBKEY=<hex>` (`trust/anchor.rs:23`) on a single node, then sign the catalog
and confirm that node verifies it before baking the constant in.

## What's already done (so this is the only remaining step)

- Catalog distribution + manifest embedding: live (this session's `169ff2e2` published the
  corrected catalog to the mirror).
- `ceremony gen|pubkey|sign` tooling: shipped (`core/archipelago/src/ceremony.rs`).
- Verify path: `trust::verify_detached` accepts unsigned, verifies signed against the anchor,
  hard-rejects mismatches (`trust/signed_doc.rs`).
- Detached-signature schema fields (`signature`/`signed_by`) already part of the signed
  preimage (`container/app_catalog.rs`).
integration: preserve deployed 1.8.0 OTA work 2026-06-30 05:08:17 -04:00			`# Workstream B — Signed app-catalog: completion runbook`

			`Status (2026-06-28): The registry-distributed manifest pipeline is live — nodes fetch`
			`releases/app-catalog.json` from the OTA mirror and embed manifests (origin-wins, disk
			`fallback). What remains for Workstream B is authenticity: pin the release-root anchor and`
			`ship a signed catalog so nodes can cryptographically verify the publisher.`

			`Today the catalog is accepted unsigned ("migration window") and the anchor is unpinned`
			(`core/archipelago/src/trust/anchor.rs:21` → `RELEASE_ROOT_PUBKEY_HEX = None`). Completing B is
			`a coordinated ceremony that only the publisher can run — it needs the offline`
			`RELEASE_MASTER_MNEMONIC`, which is not (and must not be) stored on any node or build host.

			`## Why this is gated on you (not automatable)`

			- The signing key is an offline mnemonic you hold (`archipelago ceremony gen` output, backed
			up offline / via `seed.reveal`). It is intentionally absent from the repo and all hosts.
			`- Order matters: once a binary pins the anchor, a catalog carrying a signature from the`
			wrong key is hard-rejected fleet-wide (`trust/signed_doc.rs:79`). Unsigned and
			`correctly-signed catalogs are both accepted; only a mismatched signature breaks nodes.`
			`- So the pinned pubkey and the signature MUST come from the same key, shipped consistently.`

			## The ceremony (run from `core/`, with your mnemonic)

			```bash
			`# 0. (only if you don't already have a release-root key) generate one and back the`
			`# mnemonic up OFFLINE. Prints the pubkey hex + signer did:key.`
			`cargo run --release -p archipelago -- ceremony gen`

			`# 1. Print the release-root pubkey hex for the anchor (idempotent; same mnemonic → same key)`
			`RELEASE_MASTER_MNEMONIC="word1 word2 …" cargo run --release -p archipelago -- ceremony pubkey`
			`# → copy the 64-char hex.`

			`# 2. Pin it in code:`
			`# core/archipelago/src/trust/anchor.rs:21`
			`# - pub const RELEASE_ROOT_PUBKEY_HEX: Option<&str> = None;`
			`# + pub const RELEASE_ROOT_PUBKEY_HEX: Option<&str> = Some("<64-char-hex-from-step-1>");`

			# 3. Sign the published catalog in place (inserts `signature` + `signed_by` over the
			`# canonical JSON — re-run after ANY catalog regen, since signing covers the exact bytes):`
			`RELEASE_MASTER_MNEMONIC="word1 word2 …" \`
			`cargo run --release -p archipelago -- ceremony sign releases/app-catalog.json`

			`# 4. Verify locally before shipping (optional sanity): a node build with the pinned anchor`
			`# should log "app-catalog: release-root signature verified (<did>)" rather than`
			`# "self-consistent but anchor not pinned".`
			```

			`## Ship order (backward-compatible)`

			1. Commit the signed `releases/app-catalog.json` + the `anchor.rs` change together.
			2. Push the signed catalog to the OTA mirror (gitea-vps2 `main`) — old binaries (no pinned
			`anchor) still accept it (verified-but-unconfirmed); nothing breaks.`
			`3. Build + OTA the binary with the pinned anchor. New nodes now verify the catalog against`
			`the anchor. (This is the normal release path — gate the tag per the ship-ritual.)`
			`4. Later / optional hardening: once the whole fleet is on the pinned-anchor binary, flip`
			`the policy from "accept unsigned (migration window)" to "reject unsigned" in`
			`container/app_catalog.rs` (the `SignatureStatus::Unsigned` arm). Do this LAST — while any
			`node still runs an unsigned catalog it must keep being accepted.`

			`## Env-override escape hatch (no rebuild)`

			`For staging/canary you can pin the anchor without editing code via`
			`ARCHY_RELEASE_ROOT_PUBKEY=<hex>` (`trust/anchor.rs:23`) on a single node, then sign the catalog
			`and confirm that node verifies it before baking the constant in.`

			`## What's already done (so this is the only remaining step)`

			- Catalog distribution + manifest embedding: live (this session's `169ff2e2` published the
			`corrected catalog to the mirror).`
			- `ceremony gen\|pubkey\|sign` tooling: shipped (`core/archipelago/src/ceremony.rs`).
			- Verify path: `trust::verify_detached` accepts unsigned, verifies signed against the anchor,
			hard-rejects mismatches (`trust/signed_doc.rs`).
			- Detached-signature schema fields (`signature`/`signed_by`) already part of the signed
			preimage (`container/app_catalog.rs`).