You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Part of #24. Depends on #98 ([trust.policy]), #196 (offline semantics), #194 (pipeline implementation).
Why
Verify is opt-in today (ocx package verify is a separate command). Users won't run it. The defaults must be secure.
What
Seam: after resolve, before download — the metadata-first pull pipeline's resolve stage, NOT a post-pull hook in tasks/{install,pull}.rs. Verify needs only the resolved manifest digest. This makes no-partial-state trivial (no package-store or symlink writes exist yet; content-addressed blob-cache writes are acceptable/inert) and saves download bandwidth on rejected artifacts.
Matching [trust.policy] entry for the artifact's scope → run verify; failure aborts before download. PackageManager::verify_one scaffold exists — call it from the resolve seam.
No matching policy → INFO log, continue (opt-in trust model; do not block).
Bypass: --no-verify flag on install + pull; OCX_NO_VERIFY=1 env mirrors it for CI. Flag wins over env. Bypass logs WARN once per invocation. No positive re-enable form (--verify) in v1.
website/src/docs/reference/command-line.md — --no-verify on install/pull
Acceptance criteria
test/tests/test_install_auto_verify.py — install respects [trust.policy] — green in task test, reusing test/tests/fixtures/fake_sigstore.py with minimal extensions, covering each path:
Policy-scoped package with valid signature → install succeeds.
Mismatched identity → fails before download; no package-store or symlink state written.
Package outside any policy scope → proceeds with INFO log.
--no-verify / OCX_NO_VERIFY=1 → bypass with a single WARN; flag takes precedence over env.
Part of #24. Depends on #98 (
[trust.policy]), #196 (offline semantics), #194 (pipeline implementation).Why
Verify is opt-in today (
ocx package verifyis a separate command). Users won't run it. The defaults must be secure.What
tasks/{install,pull}.rs. Verify needs only the resolved manifest digest. This makes no-partial-state trivial (no package-store or symlink writes exist yet; content-addressed blob-cache writes are acceptable/inert) and saves download bandwidth on rejected artifacts.[trust.policy]entry for the artifact's scope → run verify; failure aborts before download.PackageManager::verify_onescaffold exists — call it from the resolve seam.--no-verifyflag oninstall+pull;OCX_NO_VERIFY=1env mirrors it for CI. Flag wins over env. Bypass logs WARN once per invocation. No positive re-enable form (--verify) in v1.OCX_NO_VERIFYintoEnv::apply_ocx_config.Doc surfaces:
website/src/docs/reference/environment.md—OCX_NO_VERIFYwebsite/src/docs/reference/command-line.md—--no-verifyon install/pullAcceptance criteria
test/tests/test_install_auto_verify.py— install respects[trust.policy]— green intask test, reusingtest/tests/fixtures/fake_sigstore.pywith minimal extensions, covering each path:--no-verify/OCX_NO_VERIFY=1→ bypass with a single WARN; flag takes precedence over env.environment.md+command-line.mdupdated;task website:buildgreen.