Module verify


Sidecar fetch + verify + freshness-gate.

Structs

Verified
Type-level witness that bytes passed signature + freshness + schema + reject_before gates against trust roots. No public constructor; the only way to obtain one is via a verify_* function in this module. #[derive(Deserialize)] is intentionally omitted so the witness cannot be fabricated from a serialized form.

Enums

VerifyError

Constants

ACCEPTED_SCHEMA_VERSION 🔒
CLOCK_SKEW_SLACK_SECS

Traits

SignedSidecar
Signed sidecar under ciReleaseKey. Drives the canonicalize -> verify -> freshness-gate pipeline.

Functions

canonical_hash_from_bytes
SHA-256 hex of JCS-canonical bytes, from raw input. No parse step, so fields the caller’s proto doesn’t know about are preserved in the canonical bytes - verify side computes the same hash as the producer regardless of additive proto drift.
compute_canonical_hash
SHA-256 hex of JCS-canonical bytes of any serialisable value. Producer path only. FOOTGUN: verifiers MUST use canonical_hash_from_bytes - re-serializing a parsed struct drops fields the consumer’s proto doesn’t know about, breaking content-addressing across additive schema changes.
finish_sidecar_verification 🔒
Schema gate + reject_before + bidirectional freshness check (past + future, both with CLOCK_SKEW_SLACK_SECS slack). reject_before runs first so alerts can distinguish compromise from staleness.
hex_lowercase 🔒
verify_artifact
verify_bootstrap_nonces
Verify a signed bootstrap-nonces allowlist. Same trust class + freshness semantics as revocations.
verify_ecdsa_p256 🔒
FOOTGUN: TPM2_Sign emits ~50% high-s ECDSA signatures; we MUST normalise to low-s before verifying or every other signature fails as BadSignature.
verify_ed25519 🔒
LOADBEARING: uses verify_strict (not verify) - rejects malleable signatures for root-of-trust keys.
verify_revocations
verify_rollout_manifest
Verify a signed rollout manifest. Callers MUST additionally discriminate the parsed manifest’s canonical RolloutId per RFC-0008 §6.3 against the advertised identifier (RolloutId::new(&m.channel, &m.channel_ref).as_str()) before consuming any field.
verify_signature_against_trust_roots 🔒
verify_signed_sidecar
Verify any signed sidecar. trusted_keys tried in declaration order, first match wins; unsupported algorithms skipped silently for forward-compat. reject_before is strict < (equality accepted).
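
The gate ordering described for finish_sidecar_verification and verify_signed_sidecar, as an added sketch that is not this crate's code. Assumptions: the value of CLOCK_SKEW_SLACK_SECS, the signed_at and max_age_secs parameters, the comparison of reject_before against signed_at, and the GateError names are all hypothetical.

```rust
// Added illustration; every name except CLOCK_SKEW_SLACK_SECS is hypothetical.
const CLOCK_SKEW_SLACK_SECS: u64 = 60; // assumed value; the page does not state it

#[derive(Debug, PartialEq)]
enum GateError {
    RejectedBefore, // signed before the floor: alert as possible compromise or rollback
    Stale,          // older than the freshness window plus slack
    FromFuture,     // signed further ahead of the local clock than the slack allows
}

/// All times are Unix seconds. `signed_at` is assumed to come from a sidecar
/// whose signature has already been checked against the trust roots.
fn freshness_gate(
    signed_at: u64,
    reject_before: u64,
    now: u64,
    max_age_secs: u64,
) -> Result<(), GateError> {
    // 1. reject_before runs first, with strict `<`: a sidecar signed exactly
    //    at the floor passes this gate. Running it first means an old,
    //    revoked-era sidecar is reported as RejectedBefore, not merely Stale.
    if signed_at < reject_before {
        return Err(GateError::RejectedBefore);
    }
    // 2. Past bound: age may exceed the window by at most the slack.
    if now.saturating_sub(signed_at) > max_age_secs.saturating_add(CLOCK_SKEW_SLACK_SECS) {
        return Err(GateError::Stale);
    }
    // 3. Future bound: the signer's clock may lead ours by at most the slack.
    if signed_at.saturating_sub(now) > CLOCK_SKEW_SLACK_SECS {
        return Err(GateError::FromFuture);
    }
    Ok(())
}

fn main() {
    // Constructed sample values: a floor 10_000 s in the past, a 1-hour window.
    let now: u64 = 1_700_000_000;
    let floor: u64 = now - 10_000;
    for signed_at in [floor - 1, now - 3_661, now - 3_660, now + 60, now + 61] {
        println!("{}: {:?}", signed_at, freshness_gate(signed_at, floor, now, 3_600));
    }
}
```

The first sample is both below the floor and outside the freshness window; it surfaces as RejectedBefore because that gate runs first.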

Type Aliases

VerifiedFleet
Concrete alias for the top-level fleet manifest.
VerifiedRolloutManifest
Concrete alias for the per-rollout signed manifest.