Skip to content

Auto-verify on ocx install / ocx pull (policy-gated) #99

Description

@michael-herwig

Part of #24. Depends on #98 ([trust.policy]), #196 (offline semantics), #194 (pipeline implementation).

Why

Verify is opt-in today (ocx package verify is a separate command). Users won't run it. The defaults must be secure.

What

  1. Seam: after resolve, before download — the metadata-first pull pipeline's resolve stage, NOT a post-pull hook in tasks/{install,pull}.rs. Verify needs only the resolved manifest digest. This makes no-partial-state trivial (no package-store or symlink writes exist yet; content-addressed blob-cache writes are acceptable/inert) and saves download bandwidth on rejected artifacts.
  2. Matching [trust.policy] entry for the artifact's scope → run verify; failure aborts before download. PackageManager::verify_one scaffold exists — call it from the resolve seam.
  3. No matching policy → INFO log, continue (opt-in trust model; do not block).
  4. Bypass: --no-verify flag on install + pull; OCX_NO_VERIFY=1 env mirrors it for CI. Flag wins over env. Bypass logs WARN once per invocation. No positive re-enable form (--verify) in v1.
  5. Offline: behavior per Offline and air-gapped verify: trust-root cache + refresh #196's decided semantics (fail vs skip-with-warn; never silent skip).
  6. Env wiring: OCX_NO_VERIFY into Env::apply_ocx_config.

Doc surfaces:

  • website/src/docs/reference/environment.mdOCX_NO_VERIFY
  • website/src/docs/reference/command-line.md--no-verify on install/pull

Acceptance criteria

  • test/tests/test_install_auto_verify.py — install respects [trust.policy] — green in task test, reusing test/tests/fixtures/fake_sigstore.py with minimal extensions, covering each path:
    • Policy-scoped package with valid signature → install succeeds.
    • Mismatched identity → fails before download; no package-store or symlink state written.
    • Package outside any policy scope → proceeds with INFO log.
    • --no-verify / OCX_NO_VERIFY=1 → bypass with a single WARN; flag takes precedence over env.
    • Offline behavior matches Offline and air-gapped verify: trust-root cache + refresh #196's documented semantics.
  • environment.md + command-line.md updated; task website:build green.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/package-managerSubsystem: package-managerpriority/highShould land in next releasesecuritySecurity-relevant change or hardening

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions