edut/launcher
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
42bccf5ed2
launcher/docs/package-verification-spec.md

611 B
Raw Blame History

Package Verification Specification (Launcher)

Objective

Ensure only signed and policy-matching governance packages can install.

Verification Steps

  1. Fetch install token and package metadata.
  2. Download package from signed URL.
  3. Verify package hash.
  4. Verify package signature against trusted signer key set.
  5. Verify policy hash against install token payload.
  6. Persist install evidence and call install confirm endpoint.

Fail-Closed Rules

  1. Hash mismatch blocks install.
  2. Signature mismatch blocks install.
  3. Policy mismatch blocks install.
  4. Expired install token blocks install.