signing: arm fail-closed on us-ny1 (zeitghost_require_signing: 1)#13
aaronmarkham wants to merge 1 commit into
Conversation
Closes #6. Flips shard signing from opt-in to required on the us-ny1 builder now that the key is provisioned and verified signing in prod (signer 7c1d34f0…a49b; 14 signed shards observed, none of the pre-key corpus). With this, `env.j2` renders ZEITGHOST_REQUIRE_SIGNING=1 and `ingest` / `reanalyze` exit non-zero if no valid key resolves — so an accidentally-cleared or mangled secret fails the run loudly instead of silently reverting to unsigned shards. Reversible: set back to 0 and redeploy to restore opt-in. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
aaronmarkham added a commit that referenced this pull request on May 31, 2026
…R link at the guide

Addresses the PR #14 review:

- News proof card no longer claims "every fact, signed and traced" / "each shard is signed." That's an overclaim today: signing is opt-in and only covers shards written since the key landed on us-ny1 (~14 of ~16.9k); require-signing isn't merged yet (PR #13), and trace_ref only attaches to post-deploy shards. Reworded to the universally-true claim — public lineage, every variant linked back to its source — which holds for the whole corpus.
- Footer "entity resolution" link now points at docs/entity-resolution.md (the guide) instead of the dense docs/specs/cmc-spec-v0.1.md — a gentler landing for that label.

Nav #adopt/#numbers ids confirmed present; responsive @media for .proof / .ends-table already in. Landing + robustness tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Closes #6. Arms fail-closed signing on the us-ny1 builder — the final step of the shard-signing rollout from PR #5.
One line in the us-ny1 inventory:
`env.j2` already templates `ZEITGHOST_REQUIRE_SIGNING` from this var, and `ingest` / `reanalyze` already fail fast (exit non-zero) when signing is required but no valid key resolves. So after this deploys, an accidentally-cleared or mangled `ZEITGHOST_SIGNING_KEY` fails the run loudly instead of silently writing unsigned shards.

Why it's safe to arm now

Verified on us-ny1 before flipping:

- signed: 14 of 16877 shards — every write since the key was provisioned is signed; none of the pre-key corpus is (as expected).
- signer: `7c1d34f0720bab10245ebca2f3eb8d540888d1b50e8f0cde73eaf846bde3a49b` — matches the key minted by `gen-signing-key`.

So a valid key is present and demonstrably signing; arming `require` won't break the next ingest cycle.

Rollout

Merge → push-to-main runs the Deploy workflow → `env.j2` renders `ZEITGHOST_REQUIRE_SIGNING=1` into the builder's `.env` → next `ingest` / `reanalyze` enforces it.

Reversible: set `zeitghost_require_signing: 0` (or remove the line) and redeploy to restore opt-in.

Post-merge check
After the deploy, confirm ingest still succeeds (key present) — it should sign as before, just now mandatory. If a future deploy ever loses the secret, ingest will exit 1 and the builder loop logs the failure rather than serving unsigned shards.
🤖 Generated with Claude Code
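The require/opt-in decision this PR arms, as an added Python illustration rather than the project's own `ingest` code. It assumes the secret is 32 bytes of hex and that the signer id is the SHA-256 of the raw key; the PR states neither, and the `run_exit_code` entrypoint is hypothetical.

```python
from __future__ import annotations
import binascii
import hashlib
from dataclasses import dataclass


class SigningKeyError(RuntimeError):
    """Signing is required but no valid key resolved: the run must stop."""


@dataclass(frozen=True)
class SigningMode:
    key: bytes | None    # None: shards are written unsigned (opt-in mode only)
    signer: str | None   # fingerprint recorded on each signed shard


def resolve_signing(env: dict[str, str]) -> SigningMode:
    """Mirror the require/opt-in split: required + no valid key -> abort.
    Assumed (not stated in the PR): the secret is 32 bytes of hex and the
    signer id is SHA-256 of the raw key. Any other shape is a mangled secret.
    """
    required = env.get("ZEITGHOST_REQUIRE_SIGNING", "0").strip() == "1"
    raw = env.get("ZEITGHOST_SIGNING_KEY", "").strip()
    try:
        candidate = binascii.unhexlify(raw) if raw else b""
    except binascii.Error:          # odd length or non-hex characters
        candidate = b""
    if len(candidate) != 32:
        if required:
            # Fail closed: a cleared or mangled secret aborts the run.
            raise SigningKeyError("ZEITGHOST_REQUIRE_SIGNING=1 but no valid ZEITGHOST_SIGNING_KEY")
        return SigningMode(key=None, signer=None)   # opt-in: silently unsigned
    return SigningMode(key=candidate, signer=hashlib.sha256(candidate).hexdigest())


def run_exit_code(env: dict[str, str]) -> int:
    """Exit status an ingest/reanalyze entrypoint would return under this env (hypothetical)."""
    try:
        mode = resolve_signing(env)
    except SigningKeyError as exc:
        print(f"ingest: {exc}")
        return 1
    print("ingest: signer", mode.signer[:8] if mode.signer else "none (unsigned shards)")
    return 0


if __name__ == "__main__":
    good = "11" * 32   # constructed sample secret, not a real key
    for label, key in [("cleared", ""), ("mangled", good[:-2]), ("valid", good)]:
        for req in ("0", "1"):
            env = {"ZEITGHOST_REQUIRE_SIGNING": req, "ZEITGHOST_SIGNING_KEY": key}
            print(f"require={req} key={label}: exit {run_exit_code(env)}")
```

The opt-in rows show the failure mode the PR closes: a cleared or mangled secret still exits 0 and writes unsigned shards.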