Skip to content

[2.8.0] Sign plaintext licensed/ham traffic #10966

Description

@RCGV1

Description

Implement the authenticated-plaintext licensed/ham-mode design from meshtastic/design#122 as a separate follow-up to the packet authenticity policy stack.

Licensed traffic must remain unencrypted and readable on air, while publishing an identity public key and carrying verifiable XEdDSA signatures on signable broadcast and directed packets.

Required changes

  • Allow identity key generation/restoration for licensed users without enabling PKI encryption.
  • Stop stripping User.public_key from licensed NodeInfo.
  • Use the normal key-derived NodeNum = crc32(public_key) identity and migration path.
  • Sign all locally originated licensed, non-PKI Data packets that fit, including plaintext unicast/direct messages.
  • Keep channel PSKs removed, the admin channel disabled, and shouldUsePkiEncryption() false for licensed traffic.
  • Preserve callsign fields and existing licensed rebroadcast restrictions.
  • Update the packet-policy warnings/tests so verified licensed traffic works in Strict.

Safety and compatibility

  • Existing licensed nodes without keys will undergo a one-time NodeNum migration. Preserve valid keys and warn/document the impact.
  • A signature provides origin/integrity authentication, not confidentiality. Direct-message payloads must remain plaintext on the wire.
  • A signed callsign-bearing NodeInfo self-binds that label to a key; it does not validate the amateur licence or replace required station identification.
  • Operators remain responsible for local licence conditions and permitted modes.

Acceptance criteria

  • Licensed NodeInfo publishes a 32-byte public key and verifies through first-contact identity binding.
  • Licensed broadcast and directed packets are signed whenever the encoded Data fits.
  • Packet captures demonstrate that licensed direct-message payloads are not PKI- or channel-encrypted.
  • Strict accepts verified licensed traffic and rejects unsigned/invalid/unverifiable licensed traffic.
  • PKI encryption is unreachable for licensed senders even when keys are available.
  • Tests cover licensed-mode entry/exit, identity migration, key preservation/regeneration, all relevant portnums/destinations, oversized packets, and plaintext wire semantics.
  • Draft PR remains unmerged until representative hardware capture and cross-version testing are recorded.

Dependencies

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions