feat: add export and post-quantum signing#11
Open
akeemjenkins wants to merge 1 commit into
Open
Conversation
- export: deterministic tar.gz archive of entire bundle with per-file SHA-256 manifest and archive hash - sign: post-quantum authentication via ML-KEM-768 (FIPS 203) and HPKE (RFC 9180) using only the Go standard library (crypto/hpke + crypto/mlkem) — no external dependencies - sign keygen: generate ML-KEM-768 key pair - sign sign: seal archive hash with HPKE using public key - sign verify: open HPKE ciphertext with private key, confirm archive hash matches (detects tampering) - Schema entries for both commands (agentic-first discovery) - 9 new tests (5 export, 4 sign) covering happy path, determinism, tampered archive, wrong key, hidden dir skipping - Updated README with export + sign documentation End-to-end verified: export → keygen → sign → verify cycle works.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
okf export— Export an entire OKF bundle as a deterministic.okftar.gz archive. The archive is byte-reproducible (sorted paths, zeroed timestamps) so the same bundle always produces the same bytes. Output includes a manifest with per-file SHA-256 hashes, file count, total bytes, and archive hash.okf sign— Post-quantum authentication for exported archives using ML-KEM-768 (FIPS 203, formerly Kyber) via HPKE (RFC 9180). Uses only the Go standard library (crypto/hpke+crypto/mlkem) — no external dependencies.keygen— generate an ML-KEM-768 key pairsign— seal the archive hash with HPKE using the public keyverify— open the HPKE ciphertext with the private key and confirm the archive hash matches (detects tampering)Both commands are registered in the schema (
okf schema) for agentic-first discovery.How it works
ML-KEM is a key-encapsulation mechanism (KEM), not a digital signature scheme. This feature uses HPKE to achieve authenticated encryption of the archive hash:
hpke.Seal(pubkey, hash)produces a ciphertext containing the encapsulated key + sealed archive hashhpke.Open(privkey, ciphertext)recovers the archive hash; if it doesn't match the actual archive hash, the archive has been tampered withOnly the holder of the corresponding private key can open the ciphertext, proving the archive was sealed for that key and has not been modified.
Test plan
go vetclean