Module signing


Ed25519 signing for checkpoint authentication.

On first boot, a keypair is generated and stored at {state_dir}/signing_key. Every checkpoint is signed. The public key is embedded in the checkpoint extension line for third-party verification.

Format: sig/ed25519:<pubkey_hex>:<signature_hex>\n

This module does NOT provide PKI, key rotation, or witness cosigning. Those are Phase 2+ concerns. What it provides:

  • Identity binding (this checkpoint came from this kernel instance)
  • Format readiness (checkpoint structure is ready for TSA/witness upgrades)
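The extension-line format above, as an added example that is not this crate's own code: a strict, std-only parser that checks the field count and the hex lengths Ed25519 implies (32-byte public key, 64-byte signature) and, since the module provides no PKI, requires the embedded key to match one pinned out of band. The names `parse_sig_line`, `parse_pinned` and `SigLineError` are hypothetical, case-insensitive hex comparison is an assumption, and the signature check itself is left to an Ed25519 library.

```rust
// Added example (hypothetical names); std only, performs no signature verification.
const PREFIX: &str = "sig/ed25519:";
const PUBKEY_HEX_LEN: usize = 64; // Ed25519 public key: 32 bytes
const SIG_HEX_LEN: usize = 128; // Ed25519 signature: 64 bytes

#[derive(Debug, PartialEq)]
enum SigLineError { MissingNewline, BadPrefix, BadFieldCount, BadPubkey, BadSignature, UnpinnedKey }

fn is_hex(s: &str, len: usize) -> bool {
    s.len() == len && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Strictly parse one extension line; returns (pubkey_hex, sig_hex).
fn parse_sig_line(line: &str) -> Result<(&str, &str), SigLineError> {
    let body = line.strip_suffix('\n').ok_or(SigLineError::MissingNewline)?;
    let rest = body.strip_prefix(PREFIX).ok_or(SigLineError::BadPrefix)?;
    let mut parts = rest.split(':');
    // Exactly two fields: a trailing ":extra" is rejected, not ignored.
    let (pk, sig) = match (parts.next(), parts.next(), parts.next()) {
        (Some(pk), Some(sig), None) => (pk, sig),
        _ => return Err(SigLineError::BadFieldCount),
    };
    if !is_hex(pk, PUBKEY_HEX_LEN) {
        return Err(SigLineError::BadPubkey);
    }
    if !is_hex(sig, SIG_HEX_LEN) {
        return Err(SigLineError::BadSignature);
    }
    Ok((pk, sig))
}

/// Parse, then require the embedded key to equal a key pinned out of band.
/// Without this, a valid signature only shows the line is self-consistent.
fn parse_pinned<'a>(line: &'a str, pinned_pubkey_hex: &str) -> Result<(&'a str, &'a str), SigLineError> {
    let (pk, sig) = parse_sig_line(line)?;
    if !pk.eq_ignore_ascii_case(pinned_pubkey_hex) {
        return Err(SigLineError::UnpinnedKey);
    }
    Ok((pk, sig))
}

fn main() {
    // Constructed sample values, not real keys or signatures.
    let pk = "ab".repeat(32);
    let line = format!("sig/ed25519:{}:{}\n", pk, "cd".repeat(64));
    println!("{:?}", parse_pinned(&line, &pk).is_ok());
    println!("{:?}", parse_pinned(&line, &"00".repeat(32)));
}
```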

Structs

SigningKey
Wrapper around Ed25519 keypair for checkpoint signing.

Functions

parse_sig_extension
Parse a sig/ed25519:<pubkey>:<sig> extension line. Returns (pubkey_hex, sig_hex) if valid.
verify_checkpoint_signature
Verify a checkpoint signature given raw components. Used by jack for offline verification without the private key.