Signed bundle lifecycle
TrustPlane Auth treats trust as data: issuer keys, route policy, allowed sources, signer-class requirements, provenance/context rules, and freshness policy are bundled, reviewed, signed, and mounted beside the verifier.
Build and sign
`trustplane bundle build` produces a deterministic `trustplane-bundle-v1` policy bundle skeleton.
Production-style adapter loading rejects unsigned skeletons by default. Sign reviewed trust material and policy bundles with an Ed25519 signing key:
```bash
trustplane bundle sign \
  --trust-material trust-material.json \
  --out trust-material.signed.json \
  --signer-issuer local://bundle-signer \
  --kid bundle-signing-key-1 \
  --private-key "$BUNDLE_SIGNING_PRIVATE_KEY_B64URL"

trustplane bundle sign \
  --policy-bundle trustplane.bundle.json \
  --out trustplane.bundle.signed.json \
  --signer-issuer local://bundle-signer \
  --kid bundle-signing-key-1 \
  --private-key "$BUNDLE_SIGNING_PRIVATE_KEY_B64URL"
```
Verify signed outputs before mounting:
```bash
trustplane bundle verify \
  --trust-material trust-material.signed.json \
  --public-key "$BUNDLE_SIGNING_PUBLIC_KEY_B64URL"

trustplane bundle verify \
  --policy-bundle trustplane.bundle.signed.json \
  --public-key "$BUNDLE_SIGNING_PUBLIC_KEY_B64URL"
```
The signature covers the deterministic bundle content, so any change made after signing, whether to routes, sources, freshness policy, signer metadata, or any other bundle field, invalidates verification. Verification proves integrity against the pinned public key; it does not by itself prove that the content was reviewed, which is why signing should follow review rather than replace it.
Load fail-closed
The adapter should require signature public keys for production-style loading:
```bash
trustplane-adapter \
  --bundle trust-material.signed.json \
  --bundle-signature-public-key "$BUNDLE_SIGNING_PUBLIC_KEY_B64URL" \
  --policy-bundle trustplane.bundle.signed.json \
  --policy-bundle-signature-public-key "$BUNDLE_SIGNING_PUBLIC_KEY_B64URL"
```
Unsigned dev flags are for local skeletons and developer orchestration only. They are not a production default.
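The sign, verify, and fail-closed load steps above, worked through in Go as an added example. This is illustrative code written for this page, not TrustPlane's own implementation: the `SignedBundle` envelope, its field names, and the canonicalization (Go's `encoding/json`, which sorts map keys at every level) are assumptions standing in for the real `trustplane-bundle-v1` format. It shows why tampering with a mounted file invalidates the signature and why a loader with no configured public key must refuse the bundle rather than fall back to unsigned acceptance.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SignedBundle is an envelope assumed for this example (not the trustplane-bundle-v1
// wire format): bundle content, signer metadata, and a detached Ed25519 signature.
type SignedBundle struct {
	Content      map[string]interface{} `json:"content"`
	SignerIssuer string                 `json:"signer_issuer"`
	Kid          string                 `json:"kid"`
	Sig          string                 `json:"sig"` // base64url, unpadded
}

var (
	ErrNoPublicKey = errors.New("fail closed: no bundle signature public key configured")
	ErrBadSig      = errors.New("fail closed: bundle signature does not verify")
)

// signingInput is the deterministic byte string the signature covers: encoding/json
// sorts map keys at every nesting level and emits no insignificant whitespace.
func signingInput(content map[string]interface{}, signerIssuer, kid string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"content": content, "kid": kid, "signer_issuer": signerIssuer,
	})
}

// Sign canonicalizes content plus signer metadata and signs it with an Ed25519 key.
func Sign(content map[string]interface{}, signerIssuer, kid string, priv ed25519.PrivateKey) (*SignedBundle, error) {
	msg, err := signingInput(content, signerIssuer, kid)
	if err != nil {
		return nil, err
	}
	sig := base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, msg))
	return &SignedBundle{Content: content, SignerIssuer: signerIssuer, Kid: kid, Sig: sig}, nil
}

// Load is the fail-closed loader: no pinned public key, a malformed signature, or a
// signature that does not verify over the re-canonicalized mounted file all refuse it.
func Load(raw []byte, pub ed25519.PublicKey) (map[string]interface{}, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, ErrNoPublicKey
	}
	var sb SignedBundle
	if err := json.Unmarshal(raw, &sb); err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(sb.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, ErrBadSig
	}
	msg, err := signingInput(sb.Content, sb.SignerIssuer, sb.Kid)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return nil, ErrBadSig
	}
	return sb.Content, nil
}

// Demo signs a constructed policy bundle and exercises three outcomes: a clean load,
// rejection after a route's freshness class is edited in the mounted file, and
// rejection when the adapter has no public key configured at all.
func Demo() (cleanLoad, tamperedRejected, noKeyRejected bool, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	content := map[string]interface{}{ // constructed sample, shaped after the fields the page lists
		"bundle_version": "trustplane-bundle-v1",
		"routes": []interface{}{map[string]interface{}{
			"route": "/payments", "freshness": "bounded", "max_staleness_seconds": 300}},
	}
	sb, err := Sign(content, "local://bundle-signer", "bundle-signing-key-1", priv)
	if err != nil {
		return false, false, false, err
	}
	raw, _ := json.Marshal(sb) // what would be mounted beside the adapter
	_, err = Load(raw, pub)
	cleanLoad = err == nil
	tampered := []byte(strings.Replace(string(raw), `"bounded"`, `"offline-ok"`, 1))
	_, err = Load(tampered, pub)
	tamperedRejected = errors.Is(err, ErrBadSig)
	_, err = Load(raw, nil) // no key: must not silently fall back to unsigned acceptance
	noKeyRejected = errors.Is(err, ErrNoPublicKey)
	return cleanLoad, tamperedRejected, noKeyRejected, nil
}

func main() {
	c, t, n, err := Demo()
	fmt.Println("clean load:", c, "tampered rejected:", t, "no key rejected:", n, "err:", err)
}
```

The signer metadata (`signer_issuer`, `kid`) is folded into the signed bytes on purpose: if only the content were covered, an attacker with a different key the adapter also trusted could re-label a bundle as signed under another `kid`. The JSON round trip in `Demo` also exercises the determinism requirement: the loader never sees the signer's in-memory object, only the re-parsed file, so the canonical encoding must survive parse and re-encode unchanged.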
Merge, remove, refresh
- `trustplane bundle merge-source` appends a client public key and matching route source rule while preserving existing trust material and policy by default.
- `trustplane bundle remove-source` removes a key/source selector, requires `--confirm-remove`, and can append local revocation metadata with `--revoke`.
- After a merge or removal, sign the replacement outputs and refresh the adapter's mounted files.
Freshness classes
| Class | Meaning |
|---|---|
| `realtime` | Requires a current bundle view; a stale bundle or one of unknown age fails closed. |
| `bounded` | Allows a known bundle age up to `max_staleness_seconds`; beyond that, fails closed. |
| `offline-ok` | Explicitly allows stale or offline bundle use for lower-risk routes. |
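The three freshness classes as a fail-closed decision function, added here as an example and not taken from TrustPlane's code. The `FreshnessPolicy` and `BundleView` types, the route names, and the `RealtimeWindow` constant (the page says `realtime` needs a "current" view but does not fix a number, so one adapter refresh interval is assumed) are constructed for illustration. The point worth seeing in code is the asymmetry: only `offline-ok` tolerates an unknown age, and an unrecognized class is treated like the strictest one rather than the loosest.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RealtimeWindow is an assumption for this example: "current" means the mounted view
// is no older than one adapter refresh interval. The page does not fix a value.
const RealtimeWindow = 30 * time.Second

// FreshnessPolicy is one route's freshness requirement from the policy bundle.
type FreshnessPolicy struct {
	Class               string // "realtime", "bounded" or "offline-ok"
	MaxStalenessSeconds int64  // only consulted for "bounded"
}

// BundleView is what the adapter knows about the mounted bundle's age. AgeKnown is
// false when no trustworthy build timestamp is available (e.g. an unreadable file).
type BundleView struct {
	Age      time.Duration
	AgeKnown bool
}

var (
	ErrUnknownAge   = errors.New("fail closed: bundle age unknown")
	ErrStale        = errors.New("fail closed: bundle older than route allows")
	ErrUnknownClass = errors.New("fail closed: unrecognized freshness class")
)

// Allow decides whether a request on a route may use the mounted bundle view.
// Only offline-ok tolerates a stale or unknown-age bundle; every other class,
// including one the adapter does not recognize, fails closed.
func Allow(p FreshnessPolicy, v BundleView) error {
	switch p.Class {
	case "realtime":
		if !v.AgeKnown {
			return ErrUnknownAge
		}
		if v.Age > RealtimeWindow {
			return ErrStale
		}
		return nil
	case "bounded":
		if !v.AgeKnown {
			return ErrUnknownAge
		}
		if v.Age > time.Duration(p.MaxStalenessSeconds)*time.Second {
			return ErrStale
		}
		return nil
	case "offline-ok":
		return nil
	default:
		return ErrUnknownClass
	}
}

// Decisions evaluates a constructed set of routes against one bundle view and
// returns route -> allowed, so the per-class behaviour can be read off directly.
func Decisions(v BundleView) map[string]bool {
	routes := map[string]FreshnessPolicy{ // constructed sample routes
		"/admin/rotate-key": {Class: "realtime"},
		"/payments":         {Class: "bounded", MaxStalenessSeconds: 300},
		"/catalog":          {Class: "bounded", MaxStalenessSeconds: 3600},
		"/healthz":          {Class: "offline-ok"},
		"/legacy":           {Class: "eventual"}, // typo in policy: must not default to open
	}
	out := make(map[string]bool, len(routes))
	for name, p := range routes {
		out[name] = Allow(p, v) == nil
	}
	return out
}

func main() {
	fmt.Println("bundle 10m old:", Decisions(BundleView{Age: 10 * time.Minute, AgeKnown: true}))
	fmt.Println("bundle age unknown:", Decisions(BundleView{AgeKnown: false}))
}
```

With a ten-minute-old bundle, `/catalog` (bounded, 3600 s) and `/healthz` still pass while `/admin/rotate-key` and `/payments` (bounded, 300 s) are refused; with an unknown age only `/healthz` passes. The misspelled class on `/legacy` is refused in both cases, which is the behaviour to insist on when the adapter is the last line of defence after a bundle merge goes wrong.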
What this does not do
Signed local bundles do not provide managed approval workflow, hosted distribution, tenant registry, audit UI, or hosted revocation service. Those are future Control governance concerns.
→ Next: Trust anchors & sources.