The production problem
Policy files are high-impact config. They decide deny, approval, throttle, and allow behavior for autonomous jobs. Treating them like unsigned text files is a control gap.
If an attacker or misconfigured pipeline changes policy bytes, your enforcement logic changes instantly. No code deploy is required. That makes policy integrity a first-class security boundary.
Signature verification closes this gap only when enforced, monitored, and rotated correctly.
What top results miss
| Source | Strong coverage | Missing piece |
|---|---|---|
| RFC 8032 (EdDSA: Ed25519 and Ed448) | Algorithm and verification behavior for Ed25519 digital signatures. | No operational playbook for policy reload paths in autonomous AI control planes. |
| Sigstore verify docs | Signature verification workflows, identity constraints, and offline bundle verification. | No guidance for runtime policy file verification before in-process policy evaluation. |
| TUF specification | Signed metadata model, role separation, and threshold-based trust management. | No direct mapping to single-key, env-driven policy verification in hot-reloaded control planes. |
The missing part is policy-engine runtime behavior: exactly when verification runs and what fails closed during reload.
They also skip real rotation pressure: what happens when key and signature rollout are out of sync across replicas.
Signing workflow model
| Stage | Objective | Failure mode |
|---|---|---|
| Build policy artifact | Generate deterministic policy file bytes | Non-deterministic formatting causes signature mismatch |
| Sign policy bytes | Apply Ed25519 private key signature to exact file content | Signing transformed bytes (newline/encoding drift) fails verification |
| Distribute public key | Expose trusted verifier key to runtime via env/config | Missing or malformed key blocks policy load in required mode |
| Verify before parse | Reject unsigned or invalid policies before evaluation pipeline | Late verification can allow temporary unsafe policy use |
| Rotate keypair safely | Roll new key and signatures atomically with rollback plan | Key/signature skew causes startup or reload failures |
Cordum runtime behavior
| Boundary | Current behavior | Operational impact |
|---|---|---|
| Signature requirement | Verification required in production or when `SAFETY_POLICY_SIGNATURE_REQUIRED=true`. | Prevents unsigned policy from entering evaluation path in hardened environments. |
| Public key source | `SAFETY_POLICY_PUBLIC_KEY` accepts base64/hex raw Ed25519 public key. | Operator controls trust root at deployment level. |
| Signature source order | Kernel checks `SAFETY_POLICY_SIGNATURE`, then `SAFETY_POLICY_SIGNATURE_PATH`, then `<policy-file>.sig` fallback. | Supports inline, detached-file, and local file-based workflows. |
| Remote source signature behavior | For `http/https` policy sources, missing explicit signature input returns `no signature provided`. | Remote policy fetch cannot silently rely on local `.sig` conventions. |
| Verification checks | Code validates key/signature length and runs `ed25519.Verify` over exact policy bytes. | Rejects malformed key material and tampered policy artifacts early. |
| Load pipeline order | `loadPolicyBundle` reads source, verifies signature, then parses policy and computes snapshot hash. | No snapshot or policy object is produced for unsigned/invalid payloads. |
| Reload failure semantics | On verification failure during watch reload, kernel logs `policy reload failed` and keeps current snapshot. | Fail-stale behavior protects from unsigned updates but can hide drift unless monitored. |
| Trust threshold | Verifier uses one Ed25519 public key from env; threshold multi-key verification is not implemented. | Rotation needs tight key/signature rollout sequencing to avoid transient reload failures. |
Implementation examples
Minimal signing tool (Go)
sign_policy.go
Go
// sign_policy.go
package main
import (
"crypto/ed25519"
"encoding/base64"
"fmt"
"os"
)
func main() {
policy, _ := os.ReadFile(os.Args[1])
priv, _ := os.ReadFile(os.Args[2]) // raw 64-byte Ed25519 private key
sig := ed25519.Sign(ed25519.PrivateKey(priv), policy)
fmt.Println(base64.StdEncoding.EncodeToString(sig))
}Verification path (Go)
verify_policy_signature.go
Go
func verifyPolicySignature(data []byte, source string) error {
pubRaw := strings.TrimSpace(os.Getenv("SAFETY_POLICY_PUBLIC_KEY"))
requireSignature := env.IsProduction() || env.Bool("SAFETY_POLICY_SIGNATURE_REQUIRED")
if pubRaw == "" {
if requireSignature {
return errors.New("policy signature required but SAFETY_POLICY_PUBLIC_KEY not configured")
}
return nil
}
pubKey, _ := decodeKey(pubRaw)
sig, _ := readSignature(source)
if !ed25519.Verify(ed25519.PublicKey(pubKey), data, sig) {
return errors.New("policy signature verification failed")
}
return nil
}Rotation runbook
policy_signature_rotation.sh
Bash
# 1) Configure verifier key and strict mode export SAFETY_POLICY_SIGNATURE_REQUIRED=true export SAFETY_POLICY_PUBLIC_KEY="<base64-or-hex-ed25519-pubkey>" # 2) Provide detached signature export SAFETY_POLICY_SIGNATURE_PATH=/etc/cordum/policy.sig # 3) Restart safety kernel and verify no signature errors kubectl logs deploy/cordum-safety-kernel -n cordum | grep -E "signature|policy updated" # 4) Rotation drill # - sign with new private key # - roll new public key + new signature together # - validate reload # - keep old key only for rollback window
Reload drift guard
policy_signature_reload_guard.sh
Bash
# Catch fail-stale quickly after key/signature rollout kubectl logs deploy/cordum-safety-kernel -n cordum --since=10m | rg "policy reload failed|policy snapshot updated" # Expected after healthy rollout: # - at least one "policy snapshot updated" # - zero "policy reload failed"
Limitations and tradeoffs
- - Signature enforcement improves integrity but adds key management overhead.
- - Failed verification can block policy reload and temporarily preserve older policy snapshot.
- - Single-key verification has no threshold overlap, so rotation windows are operationally brittle.
- - Inline env signatures are convenient but increase secret-handling risk in deployment pipelines.
- - Fast key rotation requires disciplined artifact handling and rollback rehearsal.
If signature checks are optional in production, attackers only need one path to unsigned policy injection.
Next step
Run this hardening sequence this week:
- 1. Enable required signature mode in production environments.
- 2. Add CI step that signs policy bundle and publishes detached signature artifact.
- 3. Alert on `policy reload failed` to catch fail-stale conditions immediately.
- 4. Rehearse key/signature rollout order on a canary replica before fleet-wide rotation.
- 5. Execute a full key rotation drill with rollback timer and success criteria.
Continue with Policy Decision Cache Invalidation and LLM Safety Kernel.