SHA-256 integrity, registry signature, Sigstore publisher provenance.
The first signing level is content-addressable hashing. Every bundle submitted through arc bundle produces a SHA-256 hash of the tarball contents. This hash travels with the submission envelope and is recorded in the package index.
At install time, arc install fetches the artifact and independently computes the SHA-256 hash. If the computed hash doesn't match the index entry, the install is rejected — the bits have been tampered with or corrupted in transit.
SHA-256 integrity is the foundation that all other signing levels build on. Without a trusted content hash, neither registry signatures nor publisher provenance can be verified meaningfully.
After a blueprint passes the clean room and receives sponsor approval, metafactory signs it with an Ed25519 registry key. This signature covers the package index entry — the hash, version, capabilities, and metadata that arc install will fetch.
The signing ceremony requires dual control: the signing key is split into two halves, each held by a different operator. Both halves must be present to produce a valid signature, so a single compromised operator cannot sign malicious packages on their own.
The corresponding public key is compiled into the arc binary at build time. When a consumer runs arc install, the CLI verifies the registry signature before trusting any hash in the index. A compromised mirror or man-in-the-middle can serve stale data, but cannot forge a valid signature.
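The two checks described so far, verifying the registry signature over the index entry before trusting its hash and then hashing the fetched artifact, as an added Go example that is not the arc project's own code. The IndexEntry layout, its JSON canonical form and the function names are assumptions, and a single Ed25519 key stands in for the dual-control ceremony.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// IndexEntry is the record the registry key signs (fields from the page; the
// JSON layout is an assumption of this example).
type IndexEntry struct {
	Name         string   `json:"name"`
	Version      string   `json:"version"`
	SHA256       string   `json:"sha256"` // lower-case hex digest of the bundle tarball
	Capabilities []string `json:"capabilities"`
}

var ErrBadSignature = errors.New("registry signature invalid")
var ErrHashMismatch = errors.New("artifact SHA-256 does not match signed index entry")

// canonical is the exact byte string the signature covers; encoding/json
// writes struct fields in declaration order, so it is deterministic.
func canonical(e IndexEntry) []byte {
	b, _ := json.Marshal(e)
	return b
}

// SignEntry is the registry side. The dual-control ceremony that assembles
// the key from two operator halves is not modelled; one key is used here.
func SignEntry(priv ed25519.PrivateKey, e IndexEntry) []byte {
	return ed25519.Sign(priv, canonical(e))
}

// VerifyInstall follows the arc install order: verify the registry signature
// with the built-in public key first, so no digest from the index is trusted
// until it is known to be registry-signed, then hash the fetched artifact.
func VerifyInstall(pub ed25519.PublicKey, e IndexEntry, sig, artifact []byte) error {
	if !ed25519.Verify(pub, canonical(e), sig) {
		return ErrBadSignature
	}
	got := sha256.Sum256(artifact)
	if hex.EncodeToString(got[:]) != e.SHA256 {
		return ErrHashMismatch
	}
	return nil
}
```

A stale-but-validly-signed entry passes this check, which is exactly the residual risk the text assigns to a compromised mirror: freshness is not covered by the registry signature alone.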
The third signing level uses Sigstore keyless signing. When a publisher runs arc bundle, the CLI obtains a short-lived signing certificate from Fulcio, tied to the publisher's OIDC identity (their CI environment or verified email). The certificate signs the bundle attestation, and the attestation is recorded in Rekor, a public append-only transparency log.
This means every bundle carries proof of who created it, independently verifiable without trusting metafactory. The Rekor entry cannot be modified or deleted — it's a permanent third-party receipt.
At intake, metafactory verifies the Sigstore bundle and Rekor UUID before any further processing. A submission without valid publisher provenance is rejected at the gate.