Summary
Implement the public key registry for attestation verification.
Phases
- Now: JSON file in this repo (keys/ directory) — maintainer-managed
- Soon: Hosted at keys.forge-alloy.dev with API
- Later: Certificate-based registration (auditor must sign key)
Registry entry schema
{
"keyId": "continuum-ai/forge-runner-001",
"algorithm": "ES256",
"publicKey": "base64url...",
"owner": "continuum-ai",
"registeredAt": "2026-03-01T00:00:00Z",
"expiresAt": "2027-03-01T00:00:00Z",
"revokedAt": null,
"supersededBy": null,
"registrationAuthority": "forge-alloy-maintainers"
}
Verification semantics
- Superseded (not revoked): old attestations still valid if signed before supersession
- Revoked: ALL attestations suspect regardless of timestamp
- Short-lived keys (90-day default) + registry polling for revocation propagation
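The key-status decision described above, as an added example that is not code from this issue or from the project; it covers only the registry lookup, not signature verification. The schema has no supersession timestamp, so the example assumes supersession takes effect at the successor entry's registeredAt, and it assumes the signing time must fall between registeredAt and expiresAt. The function names, verdict strings and sample entries are hypothetical.

```python
from datetime import datetime

def ts(value):
    """Parse the registry's UTC 'Z' timestamps into timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def key_verdict(registry, key_id, signed_at):
    """Return (verdict, reason) for an attestation that claims signed_at."""
    entry = registry.get(key_id)
    if entry is None:
        return "reject", "unknown key"
    # Revoked: checked first and without looking at signed_at, because
    # ALL attestations from a revoked key are suspect regardless of timestamp.
    if entry["revokedAt"] is not None:
        return "suspect", "key revoked"
    signed = ts(signed_at)
    # Assumption: signing time must fall inside [registeredAt, expiresAt).
    if not ts(entry["registeredAt"]) <= signed < ts(entry["expiresAt"]):
        return "reject", "outside validity window"
    if entry["supersededBy"] is not None:
        successor = registry.get(entry["supersededBy"])
        if successor is None:
            return "reject", "dangling supersededBy"
        # Assumption: supersession happened at the successor's registeredAt.
        if signed >= ts(successor["registeredAt"]):
            return "reject", "signed after supersession"
        return "accept", "signed before supersession"
    return "accept", "key active"

def entry(registered, expires, revoked=None, superseded_by=None):
    """Build a constructed registry entry holding only the fields used here."""
    return {"registeredAt": registered, "expiresAt": expires,
            "revokedAt": revoked, "supersededBy": superseded_by}

# Constructed sample registry keyed by keyId; ids and dates are made up.
REGISTRY = {
    "example-org/runner-a": entry("2026-03-01T00:00:00Z", "2027-03-01T00:00:00Z",
                                  superseded_by="example-org/runner-b"),
    "example-org/runner-b": entry("2026-06-01T00:00:00Z", "2026-08-30T00:00:00Z"),
    "example-org/runner-c": entry("2026-03-01T00:00:00Z", "2027-03-01T00:00:00Z",
                                  revoked="2026-04-01T00:00:00Z"),
}

if __name__ == "__main__":
    for kid, when in [("example-org/runner-a", "2026-05-01T00:00:00Z"),
                      ("example-org/runner-a", "2026-07-01T00:00:00Z"),
                      ("example-org/runner-c", "2026-03-15T00:00:00Z")]:
        print(kid, when, key_verdict(REGISTRY, kid, when))
```

The revoked key is flagged even though the sample attestation is dated before revokedAt, since the signing time comes from the attestation itself.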
References
- docs/ATTESTATION.md — Key Registry section