# Package Verification Specification (Launcher)
## Objective
Ensure only signed and policy-matching governance packages can install.
## Verification Steps
1. Fetch install token and package metadata.
2. Download package from signed URL.
3. Verify package hash.
4. Verify package signature against trusted signer key set.
5. Verify policy hash against install token payload.
6. Persist install evidence and call install confirm endpoint.
## Fail-Closed Rules
1. Hash mismatch blocks install.
2. Signature mismatch blocks install.
3. Policy mismatch blocks install.
4. Expired install token blocks install.
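
The following is an added example, not launcher code from this project, showing steps 3 to 6 of the verification sequence together with all four fail-closed rules as one `verify_package` function. It assumes the package has already been downloaded (steps 1 and 2 are out of scope), and because the specification does not name a signature algorithm, HMAC-SHA256 under a key selected from the trusted signer set stands in for the real signature check; `InstallToken`, `TRUSTED_SIGNERS`, `persist_evidence` and all sample bytes are constructed here for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from dataclasses import dataclass


class InstallRejected(Exception):
    """Raised when a fail-closed rule trips; the launcher installs nothing."""


# Constructed trusted signer key set, keyed by key id. The spec names no
# signature algorithm, so HMAC-SHA256 over the package bytes stands in for it
# (assumption); a real launcher would hold public keys and verify an
# asymmetric signature, but the control flow is the same.
TRUSTED_SIGNERS = {"signer-1": b"constructed-signing-key-1"}


@dataclass
class InstallToken:
    """Payload of the install token fetched in step 1 (constructed shape)."""
    package_hash: str  # expected SHA-256 hex of the package bytes
    policy_hash: str   # expected SHA-256 hex of the governance policy bytes
    expires_at: int    # unix seconds after which the token is invalid


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_package(kid: str, package: bytes) -> str:
    """Stand-in signer, used only to build the sample input below."""
    return hmac.new(TRUSTED_SIGNERS[kid], package, hashlib.sha256).hexdigest()


def verify_package(package, kid, signature, policy, token, now):
    """Steps 3-5 with the fail-closed rules; returns install evidence on success."""
    # Rule 4: an expired token is rejected before any hash is even compared.
    if now >= token.expires_at:
        raise InstallRejected("install token expired")
    # Step 3 / rule 1: the package hash must match the token.
    package_hash = sha256_hex(package)
    if not hmac.compare_digest(package_hash, token.package_hash):
        raise InstallRejected("package hash mismatch")
    # Step 4 / rule 2: the signature must verify under a key in the trusted set.
    key = TRUSTED_SIGNERS.get(kid)
    if key is None:
        raise InstallRejected("unknown signer key id")
    expected = hmac.new(key, package, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise InstallRejected("package signature mismatch")
    # Step 5 / rule 3: the policy hash must match the token payload.
    policy_hash = sha256_hex(policy)
    if not hmac.compare_digest(policy_hash, token.policy_hash):
        raise InstallRejected("policy hash mismatch")
    return {"package_hash": package_hash, "policy_hash": policy_hash,
            "signer": kid, "verified_at": now}


def persist_evidence(evidence: dict, path: str) -> None:
    """Step 6: write the evidence record before calling the confirm endpoint."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(evidence, fh, sort_keys=True)


def demo() -> dict:
    """Runs the happy path and each fail-closed case; returns the outcomes."""
    package = b"constructed governance package bytes"
    policy = b'{"version": 3, "rule": "constructed policy"}'
    token = InstallToken(sha256_hex(package), sha256_hex(policy), expires_at=2_000_000_000)
    sig = sign_package("signer-1", package)
    now = 1_700_000_000
    outcomes = {}
    evidence = verify_package(package, "signer-1", sig, policy, token, now)
    outcomes["valid_package"] = "accepted"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "install-evidence.json")
        persist_evidence(evidence, path)
        with open(path, encoding="utf-8") as fh:
            outcomes["evidence_persisted"] = json.load(fh) == evidence
    bad_sig = sig[:-1] + ("0" if sig[-1] != "0" else "1")
    cases = {
        "tampered_package": (package + b"x", "signer-1", sig, policy, token, now),
        "bad_signature": (package, "signer-1", bad_sig, policy, token, now),
        "unknown_signer": (package, "signer-9", sig, policy, token, now),
        "policy_swapped": (package, "signer-1", sig, policy + b" ", token, now),
        "expired_token": (package, "signer-1", sig, policy, token, token.expires_at),
    }
    for name, args in cases.items():
        try:
            verify_package(*args)
            outcomes[name] = "accepted"
        except InstallRejected as exc:
            outcomes[name] = str(exc)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Every comparison goes through `hmac.compare_digest`, and the token expiry is checked first so that a stale token never reaches the hash or signature stage; any exception leaves the launcher with nothing installed and no evidence record, which is what fail-closed means in practice.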