From b2768020e0fed353eff6d4667910b18f7f8c2bd4 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Sun, 26 Apr 2026 15:16:14 -0400 Subject: [PATCH 1/5] ci: add nlboot M2 fixture validation --- .github/workflows/validate.yml | 35 +++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index d4aa123..6969f4c 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -1,10 +1,25 @@ -name: validate +name: nlboot validate on: pull_request: + paths: + - "src/**" + - "tests/**" + - "examples/**" + - "pyproject.toml" + - "Makefile" + - "README.md" + - ".github/workflows/validate.yml" push: - branches: - - main + branches: [main] + paths: + - "src/**" + - "tests/**" + - "examples/**" + - "pyproject.toml" + - "Makefile" + - "README.md" + - ".github/workflows/validate.yml" jobs: validate: @@ -13,6 +28,16 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: - python-version: '3.11' - - name: Validate + python-version: "3.11" + - name: Install nlboot + run: python -m pip install -e . pytest + - name: Run validation run: make validate + - name: Validate M2 demo fixture through CLI + run: | + nlboot-plan \ + --manifest examples/m2-demo/manifest.recovery.json \ + --token examples/m2-demo/enrollment-token.recovery.json \ + --trusted-keys examples/m2-demo/trusted-keys.json \ + --require-fips \ + --now 2026-04-26T14:35:00Z From 56bbb6e44de2e733dcc10a6c201319dba9c1a239 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Sun, 26 Apr 2026 15:16:32 -0400 Subject: [PATCH 2/5] test: add M2 demo signed boot manifest fixture --- examples/m2-demo/manifest.recovery.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 examples/m2-demo/manifest.recovery.json 
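Review bot: In `.github/workflows/validate.yml`, the new `paths:` filter on `pull_request` means a pull request that touches only files outside the seven listed patterns never runs `validate`. If `validate` is or becomes a required status check, such a pull request is left with the check unreported, and either way a change to an unlisted file (another workflow, a new top-level script) reaches `main` without this lane. Consider leaving `pull_request:` unfiltered and keeping the path list on `push` only. If both filters stay, put a comment above the first list, e.g. `# keep in sync with push.paths below`, because the two copies can drift apart.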
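Review bot: The new `Validate M2 demo fixture through CLI` step in `.github/workflows/validate.yml` only exercises the accepting path, so a planner that stopped checking the token expiry or the manifest signature would still pass it, unless `make validate` already covers rejection cases (not visible in this hunk). Add a companion step that must be rejected, for instance the same invocation with `--now` moved past the token's `expires_at` of `2026-04-26T14:46:00Z`. This assumes `nlboot-plan` exits non-zero on rejection. Separately, `python -m pip install -e . pytest` installs whatever pytest release is current at run time, so pinning it or using a constraints file would keep the lane reproducible.

```yaml
      # … unchanged: "Validate M2 demo fixture through CLI" step …
      - name: Reject expired M2 enrollment token through CLI
        run: |
          if nlboot-plan \
            --manifest examples/m2-demo/manifest.recovery.json \
            --token examples/m2-demo/enrollment-token.recovery.json \
            --trusted-keys examples/m2-demo/trusted-keys.json \
            --require-fips \
            --now 2026-04-26T15:00:00Z; then
            echo "expired enrollment token was accepted" >&2
            exit 1
          fi
```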
diff --git a/examples/m2-demo/manifest.recovery.json b/examples/m2-demo/manifest.recovery.json
new file mode 100644
index 0000000..9d057ea
--- /dev/null
+++ b/examples/m2-demo/manifest.recovery.json
@@ -0,0 +1,16 @@
+{
+ "manifest_id": "urn:srcos:boot-manifest:m2-demo-recovery",
+ "boot_release_set_id": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26",
+ "base_release_set_ref": "urn:srcos:release-set:m2-demo-2026-04-26",
+ "boot_mode": "recovery",
+ "artifacts": {
+ "kernel_ref": "urn:srcos:artifact:m2-demo-kernel",
+ "initrd_ref": "urn:srcos:artifact:m2-demo-initrd",
+ "rootfs_ref": "urn:srcos:artifact:m2-demo-rootfs"
+ },
+ "signature_ref": "urn:srcos:signature:m2-demo-recovery",
+ "signer_ref": "urn:srcos:key:sourceos-demo-signing-key-v0",
+ "signature_algorithm": "rsa-pss-sha256",
+ "crypto_profile": "fips-140-3-compatible",
+ "signature_hex": "7335ffa2b904c00ddd62cf7ff6cfaeec6147454476b7acf6aedc537a541768be3b323e3d0493d4372a976945d9161e1faecf6cb77fdd09e897e14c7327895ae0c7c65179ff4fe900af547cf517903847e05b680c69711d40b0c5a3413e5e9708b1db3f866c94921bd3d21d37f6f3d299ea34432f0b0312717ea5cff76edc93a6d632f5263a89e8e6b62d2e2f78306c3c30577ee6c3d659d55da504736097b909c96362899685c1d3124d37e40afe3665889d51fc57a55bc36312d992777a469c4775849f0c4be1741f7b155b1f875d2cb32e19a80d12c86a85fb64b392e06ecbbf315882a92d2a695ac8b20b875c0bcf547834b461"
+}
From 482af9aaa460b02ce5df0313b3031439360ef1a3 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sun, 26 Apr 2026 15:16:46 -0400
Subject: [PATCH 3/5] test: add M2 demo enrollment token fixture
---
examples/m2-demo/enrollment-token.recovery.json | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 examples/m2-demo/enrollment-token.recovery.json
diff --git a/examples/m2-demo/enrollment-token.recovery.json b/examples/m2-demo/enrollment-token.recovery.json
new file mode 100644
index 0000000..28e7384
--- /dev/null
+++ b/examples/m2-demo/enrollment-token.recovery.json
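Review bot: In `examples/m2-demo/manifest.recovery.json`, `kernel_ref`, `initrd_ref` and `rootfs_ref` are bare URNs with no digest beside them, so `signature_hex` authenticates the names of the boot artifacts rather than their bytes. Unless URN resolution is content-addressed (not visible here), whoever controls resolution decides what a validly signed manifest boots. Before artifact fetching is added, consider carrying a per-artifact hash inside the signed payload. The fixture's signature would have to be regenerated for that, so the README should also record how the fixture was signed.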
@@ -0,0 +1,14 @@
+{
+ "token_id": "urn:srcos:enrollment-token:m2-demo-recovery",
+ "purpose": "recovery",
+ "audience": {
+ "subject_kind": "device",
+ "subject_id": "urn:srcos:device:m2-local-demo"
+ },
+ "release_set_ref": "urn:srcos:release-set:m2-demo-2026-04-26",
+ "boot_release_set_ref": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26",
+ "one_time_use": true,
+ "issued_at": "2026-04-26T14:31:00Z",
+ "expires_at": "2026-04-26T14:46:00Z",
+ "status": "issued"
+}
From ecd0dda84b300ab8cd851b48e5bfff231ac0b54a Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sun, 26 Apr 2026 15:17:07 -0400
Subject: [PATCH 4/5] test: add M2 demo trusted keys fixture
---
examples/m2-demo/trusted-keys.json | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 examples/m2-demo/trusted-keys.json
diff --git a/examples/m2-demo/trusted-keys.json b/examples/m2-demo/trusted-keys.json
new file mode 100644
index 0000000..9b2a64f
--- /dev/null
+++ b/examples/m2-demo/trusted-keys.json
@@ -0,0 +1,12 @@
+{
+ "keys": [
+ {
+ "key_ref": "urn:srcos:key:sourceos-demo-signing-key-v0",
+ "algorithm": "rsa-pss-sha256",
+ "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQjwCweO/3NxqmTSB3Vq\nYyDRFh2SkRT27ddqScUp1pD2l2wiCjAnAjwZf2mM9AfHH3Ur/qrzsmxB+bBs7nXB\nZT/xVSiUWGlB5/XogjpeHbH0SSr9u8O78AqlS3n7IO9tmEr2zIEG8MsLcGaxYYaQ\nK/2mS3QR+HHfsx+9eIKTUow38ewCnQ+ws4h2uL8TmJoJRcBFOM8fVM8J+gkMa/U5\nq+HGGh+F1apJGnrJQqYQ8CTU9EG/c71uRWABi1CzvOs6d4fz8wrvYFR+/xY9te/N\nQpxN2D3ZMlAmzD2HJ+K7zlr+VTIyzhW0EKQy5F+YHZHww8h0g7fXT+yeoxuR0mr7\nQwIDAQAB\n-----END PUBLIC KEY-----\n",
+ "status": "active",
+ "not_before": "2026-04-26T00:00:00Z",
+ "not_after": "2027-04-26T00:00:00Z"
+ }
+ ]
+}
From 706b492046791f37d0b44ed3dff72588c5989b19 Mon Sep 17 00:00:00 2001
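Review bot: `examples/m2-demo/enrollment-token.recovery.json` carries no signature or MAC field, unlike the manifest, so as far as this fixture shows `expires_at`, `audience`, `one_time_use` and `status` are taken at face value from whoever supplies the file. A static file with `"one_time_use": true` and `"status": "issued"` also cannot demonstrate replay protection, since nothing here records consumption. JSON cannot hold a comment, so state the limitation in the README's fixture section, for example `The enrollment token fixture is unsigned demo data; token authenticity and one-time-use enforcement are not exercised by this fixture.`, if that matches the intent.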
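Review bot: `examples/m2-demo/trusted-keys.json` lists `urn:srcos:key:sourceos-demo-signing-key-v0` with `"status": "active"` for a full year, and only the word `demo` in the key reference separates it from a production trust anchor. Any deployment that loads this file accepts manifests signed by whoever holds the matching private key. The README should therefore say that this document is for the fixture only and must never be used as, or merged into, a real `--trusted-keys` store. It would also help to record where the demo private key is kept or that it was discarded, since that decides whether the fixture can be re-signed.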
From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Sun, 26 Apr 2026 15:17:34 -0400 Subject: [PATCH 5/5] docs: add M2 fixture validation path --- README.md | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f044e2c..505f17b 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ This repository implements the safe planning core for the SourceOS / SociOS boot ## What this slice does - validates signed-boot-manifest-shaped objects before planning boot/recovery +- verifies RSA-PSS/SHA-256 manifest signatures against a trusted-key document - validates one-time enrollment token intent, expiry, audience, and release/boot-release binding - produces a boot plan as JSON - records `execute=false` in produced plans @@ -25,6 +26,9 @@ This repository implements the safe planning core for the SourceOS / SociOS boot - `artifacts.rootfs_ref` - `signature_ref` using `urn:srcos:signature:*` - `signer_ref` +- `signature_algorithm`: `rsa-pss-sha256` +- `crypto_profile`: `fips-140-3-compatible` +- `signature_hex`: RSA-PSS/SHA-256 signature over the canonical unsigned manifest payload `EnrollmentToken` requires: 
@@ -35,11 +39,24 @@ This repository implements the safe planning core for the SourceOS / SociOS boot - matching `boot_release_set_ref` - purpose compatible with the boot mode -## Usage +## M2 demo fixture + +The repository carries a side-effect-free M2 recovery fixture under `examples/m2-demo/`: + +- `manifest.recovery.json` +- `enrollment-token.recovery.json` +- `trusted-keys.json` + +Run it through the planner: ```bash python3 -m pip install -e . -nlboot-plan --manifest manifest.json --token token.json +nlboot-plan \ + --manifest examples/m2-demo/manifest.recovery.json \ + --token examples/m2-demo/enrollment-token.recovery.json \ + --trusted-keys examples/m2-demo/trusted-keys.json \ + --require-fips \ + --now 2026-04-26T14:35:00Z ``` The command emits a safe plan only. Later implementation tranches can add verified artifact fetching and host execution behind explicit policy gates. @@ -49,3 +66,5 @@ The command emits a safe plan only. Later implementation tranches can add verifi ```bash make validate ``` + +The GitHub Actions validation lane runs `make validate` and a CLI smoke over the M2 fixture.