pub struct ReceiptSigner { /* private fields */ }Expand description
Registry-side receipt minting identity: the signing key plus the DID URL it is published under in the registry’s own DID document.
Lifecycle rule (RFC-ACDP-0010, normative): retired receipt keys
MUST remain in the registry DID document’s verificationMethod
indefinitely — rotation removes them from assertionMethod only
(stops new receipts, keeps every previously minted receipt
verifiable). Deleting an old key bricks every receipt it signed.
Implementations§
Source§impl ReceiptSigner
impl ReceiptSigner
Sourcepub fn mint_log_checkpoint(
&self,
log_id: &str,
tree_size: u64,
root_hash: &str,
timestamp: DateTime<Utc>,
) -> Result<LogCheckpoint, AcdpError>
pub fn mint_log_checkpoint( &self, log_id: &str, tree_size: u64, root_hash: &str, timestamp: DateTime<Utc>, ) -> Result<LogCheckpoint, AcdpError>
Mint a signed log checkpoint (RFC-ACDP-0012 §6): the
registry’s commitment that, as of timestamp (truncated here to
milliseconds), the log log_id has tree_size leaves and
Merkle root root_hash.
Signs with the same receipt signing key as
ReceiptSigner::mint — the log introduces no new key role
(§2, §6); checkpoint_version inside the preimage is what
domain-separates checkpoints from both receipt kinds.
Refuses an internally inconsistent checkpoint: a log_id whose
registry DID is not this signer’s, a malformed log_id
instance, or a malformed root_hash.
Source§impl ReceiptSigner
impl ReceiptSigner
Sourcepub fn new(
key: impl Into<AcdpSigningKey>,
registry_did: impl Into<String>,
key_id: impl Into<String>,
) -> Result<Self, AcdpError>
pub fn new( key: impl Into<AcdpSigningKey>, registry_did: impl Into<String>, key_id: impl Into<String>, ) -> Result<Self, AcdpError>
Create a signer. key_id’s DID portion MUST equal
registry_did, which MUST be the did:web form of the
registry’s serving authority.
Sourcepub fn registry_did(&self) -> &str
pub fn registry_did(&self) -> &str
The registry DID this signer mints under.
Sourcepub fn key_id(&self) -> &str
pub fn key_id(&self) -> &str
The DID URL the signing key is published under (e.g.
did:web:registry.example.com#receipt-key-1).
Sourcepub fn mint(
&self,
ctx_id: &CtxId,
lineage_id: &LineageId,
origin_registry: &str,
created_at: DateTime<Utc>,
content_hash: &ContentHash,
producer_key_fingerprint: &str,
) -> Result<RegistryReceipt, AcdpError>
pub fn mint( &self, ctx_id: &CtxId, lineage_id: &LineageId, origin_registry: &str, created_at: DateTime<Utc>, content_hash: &ContentHash, producer_key_fingerprint: &str, ) -> Result<RegistryReceipt, AcdpError>
Mint a signed receipt for an accepted publication.
producer_key_fingerprint MUST be the fingerprint of the key
the validator actually used for producer-signature
verification — not re-resolved later (that is the whole
historical-validity guarantee).
Sourcepub fn mint_lineage_head(
&self,
lineage_id: &LineageId,
head_ctx_id: &CtxId,
head_version: u32,
head_status: &Status,
as_of: DateTime<Utc>,
) -> Result<LineageHeadReceipt, AcdpError>
pub fn mint_lineage_head( &self, lineage_id: &LineageId, head_ctx_id: &CtxId, head_version: u32, head_status: &Status, as_of: DateTime<Utc>, ) -> Result<LineageHeadReceipt, AcdpError>
Mint a signed lineage-head receipt (RFC-ACDP-0011 §5–§6):
the registry’s attestation that, as of as_of (its response-time
clock, truncated here to milliseconds), the head of lineage_id
is head_ctx_id at head_version with head_status.
Signs with the same receipt signing key as Self::mint — head
receipts introduce no new key role (RFC-ACDP-0011 §5, §8); the
receipt_version member inside the preimage is what domain-
separates the two receipt kinds.
Refuses to mint an internally inconsistent receipt: a
superseded head (never the head, RFC-ACDP-0011 §4), a
head_version of 0, or a head_ctx_id whose authority is not
this signer’s registry (§4: lineages are single-registry).