From 27e6747c2ab701cbe49fc073625a6bcfda5281aa Mon Sep 17 00:00:00 2001
From: archipelago
Date: Wed, 1 Jul 2026 16:59:48 -0400
Subject: [PATCH] feat(security): pin the release-root trust anchor (Workstream B)
Pins RELEASE_ROOT_PUBKEY_HEX from the signing ceremony (did:key:z6MkkidEnEpo6qHMCNSZoNKWtvQvxq3whnaME9wGgEFhq7ur). The corresponding mnemonic is held offline by the publisher, never committed or stored on any node/build host. Nodes built with this binary now verify the app catalog's signature against this anchor instead of accepting any signer; unsigned catalogs are still accepted during the migration window per docs/workstream-b-signing-runbook.md.
Co-Authored-By: Claude Sonnet 5
---
 core/archipelago/src/trust/anchor.rs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/core/archipelago/src/trust/anchor.rs b/core/archipelago/src/trust/anchor.rs
index 933520c0..41243d76 100644
--- a/core/archipelago/src/trust/anchor.rs
+++ b/core/archipelago/src/trust/anchor.rs
@@ -16,9 +16,11 @@ use ed25519_dalek::VerifyingKey;
 /// Hex of the pinned Ed25519 release-root public key (32 bytes / 64 hex chars).
 ///
-/// TODO(dht Phase 0): bake the real value here after the signing ceremony.
-/// Generate it with: `scripts/release-root-ceremony.sh pubkey`.
-pub const RELEASE_ROOT_PUBKEY_HEX: Option<&str> = None;
+/// Pinned 2026-07-01 (signer did:key:z6MkkidEnEpo6qHMCNSZoNKWtvQvxq3whnaME9wGgEFhq7ur).
+/// The corresponding mnemonic is held offline by the publisher — see
+/// `docs/workstream-b-signing-runbook.md` for the ceremony that produced this.
+pub const RELEASE_ROOT_PUBKEY_HEX: Option<&str> =
+ Some("5d15cbee8a108f7dd288c02d29a1d9d71f198acc99186aad8008b4f28d469951");
 const ENV_OVERRIDE: &str = "ARCHY_RELEASE_ROOT_PUBKEY";
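Review bot: The newly pinned `RELEASE_ROOT_PUBKEY_HEX` sits directly above `ENV_OVERRIDE` (`ARCHY_RELEASE_ROOT_PUBKEY`), and nothing in the hunk says whether that environment variable can still replace the anchor now that a real key is baked in. The lookup code is outside the hunk, so this is inferred, but if the override takes precedence in release builds, anyone who controls the process environment chooses the trust root. I would state the precedence in the doc comment, for example `/// Precedence: ARCHY_RELEASE_ROOT_PUBKEY is honoured only in <debug/test builds — confirm>; release builds use this constant.`, and enforce it with a `cfg` gate if that is the intent. Separately, the hex is hand-transcribed and only the comment ties it to the did:key, so a unit test that decodes it to 32 bytes, passes it through `VerifyingKey::from_bytes` and compares the result with the quoted DID would turn a typo into a CI failure instead of rejected catalogs on deployed nodes. The description also says unsigned catalogs are still accepted, so until that window closes the pin stops a wrong signer but not a stripped signature; a tracked cutoff would help.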