feat(provenance): signature_format field — explicit, extensible signing protocol
Problem: provenance_payload was upgraded from v1 to v2 (prefix + committed_at), but 157 committed commits had no record of which format was used to sign them. The verifier was guessing v2 and failing on all of them.
Solution: explicit signature_format field in CommitRecord / CommitDict.
- CommitDict: signature_format: int (0=unsigned, 2=v2-current) - CommitRecord: signature_format: int = 0 - to_dict / from_msgpack / from_dict: serialize and deserialize the field - commit.py: imports PROVENANCE_PAYLOAD_VERSION; sets signature_format on sign - provenance.py: adds provenance_payload_v1 (documented legacy format) - verify.py: dispatches on commit.signature_format — no fallback guessing; unknown format reports clearly rather than silently failing; BFS keeps walking regardless of signature outcome (no early continue)
Migration: overwrite_commit called on all 157 pre-existing signed commits to set signature_format=2 and re-sign with v2 payload. Future format bumps: increment PROVENANCE_PAYLOAD_VERSION, add provenance_payload_vN, update dispatch in verify.py — no backwards-compat debt accumulates.
0 comments
muse hub commit comment sha256:23963ae9d4f79fd83da99b334b9526c83dbeca73156df65ded14567d647f4c4d --body "your comment"
No comments yet. Be the first to start the discussion.