Add --require-signed flag to openfang skill install #1170

@dancingclaw

Upstream issue: Add --require-signed flag to openfang skill install

Repository: https://github.com/RightNow-AI/openfang
Affects: OpenFang v0.6.4 (SHA 3cce1eb3fb19ad590a0937e039a8bf8bc09aba13)
Filed by: assistant project / Phase 7 (personal-family pilot)
Decision provenance: D-A12 issue 1
Phase 3 carry-forward: RV-03

Summary

The Ed25519 manifest-signing primitive in openfang-types::manifest_signing
is library-correct (3/3 unit tests in manifest_signing::tests pass: sign-and-verify
round-trip, content-tamper detection, wrong-key rejection — all backed by
ed25519-dalek v2). However, the openfang skill install CLI surface does
not enforce signature presence or validity. Unsigned skills install
silently. There is also no openfang skill sign UX for operator-side
signing. Result: the cryptographic floor exists but is unwired from the
ingest path — the strongest form of Pitfall 7 from RESEARCH.md.

This is a Phase 3 RV-03 finding (PASS-WITH-CAVEATS); see
threat-models/personal-family/verification/rv-03.md for the full evidence.

Context

The personal-family pilot (Phase 7+) treats skills as untrusted code by
default and gates installation behind operator-attested Ed25519 signatures
(P-23 lethal-trifecta decomposition; D-A2 in 07-CONTEXT.md). Until the
upstream CLI grows a signature gate, the pilot ships
instances/personal-family/wrappers/skill-install (a thin Rust binary that
verifies an Ed25519 detached signature with ed25519-dalek and only then
delegates to openfang skill install).

Reproduction

# Sign a skill
operator_priv=...     # ed25519-dalek SigningKey
openfang skill sign /tmp/test-skill --priv $operator_priv > /tmp/test-skill.sig
# ^ does not exist in v0.6.4

# Install with required-signed
openfang skill install /tmp/test-skill --require-signed --pubkey /tmp/operator.pub
# ^ flag does not exist in v0.6.4 — install proceeds silently regardless of signature

Proposed fix

Add --require-signed --pubkey <path> to openfang skill install. With the
flag set:

  • exit 1 if the skill bundle has no detached .sig companion;
  • exit 1 if ed25519-dalek::Verifier::verify against <path> fails;
  • exit 0 only after verify_integrity of the bundle passes AND the
    manifest_signing::verify_signed check passes.

Also expose openfang skill sign --priv <key> as the operator-side surface
(currently library-only).

Affected upstream files

  • runtimes/openfang-agent/crates/openfang-types/src/manifest_signing.rs
    (verifier — already correct; no changes needed)
  • runtimes/openfang-agent/crates/openfang-cli/src/commands/skill.rs
    (install/sign subcommands — needs the flag and the verifier wire-up)

Workaround removal trigger

On upstream merge of the --require-signed PR (or equivalent enforcement
on by default), drop instances/personal-family/wrappers/skill-install
per the P-15 floor.
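
The fail-closed ordering that the proposed fix and the interim wrapper describe, as an added example that is not code from OpenFang or from the pilot's wrapper. Assumptions: the bundle is a single file, the signature is 64 raw bytes at `<bundle>.sig`, the public key file is 32 raw bytes, and `require_signed`, `GateError`, `fixed` and `exit_code` are hypothetical names. The Ed25519 check is passed in as `verify` (ed25519-dalek in a real wrapper) so the block depends only on the standard library.

```rust
use std::{fs, io, path::{Path, PathBuf}};

/// Why the gate refused. Every variant means "do not install" (exit 1).
#[derive(Debug, PartialEq)]
pub enum GateError {
    MissingSignature(PathBuf), // no detached .sig companion
    MalformedSignature(usize), // Ed25519 signatures are exactly 64 bytes
    MalformedPublicKey(usize), // Ed25519 public keys are exactly 32 bytes
    BadSignature,              // tampered bundle or wrong key
    Io(io::ErrorKind),
}

// Copy a slice into a fixed-size array, or None on length mismatch.
fn fixed<const N: usize>(b: &[u8]) -> Option<[u8; N]> {
    if b.len() != N { return None; }
    let mut a = [0u8; N];
    a.copy_from_slice(b);
    Some(a)
}

/// Fail-closed gate. `verify(pubkey, message, signature)` is the Ed25519 check,
/// injected by the caller (assumption: a closure over ed25519-dalek in a real
/// wrapper). Returns the bytes that were verified so the caller can install
/// exactly those, not whatever sits at `bundle` a moment later.
pub fn require_signed<V>(bundle: &Path, pubkey: &Path, verify: V) -> Result<Vec<u8>, GateError>
where
    V: Fn(&[u8; 32], &[u8], &[u8; 64]) -> bool,
{
    // Assumed layout: raw 64-byte signature at "<bundle>.sig".
    let mut name = bundle.as_os_str().to_owned();
    name.push(".sig");
    let sig_path = PathBuf::from(name);
    let sig = match fs::read(&sig_path) {
        Ok(bytes) => bytes,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Err(GateError::MissingSignature(sig_path)),
        Err(e) => return Err(GateError::Io(e.kind())),
    };
    let sig = fixed::<64>(&sig).ok_or(GateError::MalformedSignature(sig.len()))?;
    let key = fs::read(pubkey).map_err(|e| GateError::Io(e.kind()))?;
    let key = fixed::<32>(&key).ok_or(GateError::MalformedPublicKey(key.len()))?;
    let data = fs::read(bundle).map_err(|e| GateError::Io(e.kind()))?;
    if verify(&key, data.as_slice(), &sig) { Ok(data) } else { Err(GateError::BadSignature) }
}

/// Exit status for the CLI: 0 only when the gate passed.
pub fn exit_code<T>(r: &Result<T, GateError>) -> i32 {
    if r.is_ok() { 0 } else { 1 }
}
```

A missing `.sig` is a distinct error rather than a skipped check, which is the behaviour the issue reports as absent in v0.6.4.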
