Signer Profiles

Canonical reference for configuring FleetForge signing surfaces (TRUST, CAPABILITY, C2PA, SCITT). Each profile lists recommended algorithms, required environment variables, and validation commands so teams can reproduce signatures across environments.

Local development (env-ed25519)

  • Use when: running the demo stack, CI smoke tests, or air-gapped sandboxes.
  • Backend: env-ed25519 (embedded in fleetforge-trust).
  • Env file template:
    export FLEETFORGE_TRUST_SIGNER_BACKEND=env-ed25519
    export FLEETFORGE_TRUST_SIGNER_PRIVATE_KEY_PATH=.fleetforge/trust_dev.key
    export FLEETFORGE_TRUST_SIGNER_PUBLIC_KEY_PATH=.fleetforge/trust_dev.pub
  • Setup: fleetforge-ctl signer gen --output .fleetforge/trust_dev (or generate the pair yourself with openssl genpkey -algorithm ed25519 and openssl pkey -pubout). Keep the private key file mode 0600 and outside version control.
  • Surfaces: reuse the same key for CAPABILITY/C2PA/SCITT during local testing; production must separate keys per surface.

AWS KMS (aws-kms-cli)

  • Use when: running managed runtimes in AWS accounts.
  • Backend: aws-kms-cli (requires the kms-cli-aws feature flag).
  • Env variables:
    export FLEETFORGE_TRUST_SIGNER_BACKEND=aws-kms-cli
    export FLEETFORGE_TRUST_SIGNER_AWS_KEY_ID=arn:aws:kms:us-east-1:123456789012:key/abcd-1234
    export AWS_PROFILE=fleetforge-runtime
  • Algorithm: RSA-PSS (RSASSA_PSS_SHA_256) or ECDSA P-256 (ECDSA_SHA_256). The signing algorithm must match the key spec the KMS key was created with (RSA_2048/3072/4096 or ECC_NIST_P256), so pick it at key creation time. AWS KMS does not offer Ed25519.
  • Testing: fleetforge-ctl signer smoke --surface TRUST verifies the CLI shim can sign/verify payloads before promotion.

Google Cloud KMS (gcp-kms-cli)

  • Use when: deploying runtimes on GCP or needing Ed25519 hardware-backed keys.
  • Backend: gcp-kms-cli (requires the kms-cli-gcp feature flag).
  • Env variables:
    export FLEETFORGE_CAPABILITY_SIGNER_BACKEND=gcp-kms-cli
    export FLEETFORGE_CAPABILITY_SIGNER_GCP_KEY_VERSION=projects/<proj>/locations/<region>/keyRings/<ring>/cryptoKeys/<key>/cryptoKeyVersions/1
    export GOOGLE_APPLICATION_CREDENTIALS=$HOME/.config/gcloud/application_default_credentials.json
  • Algorithm: Ed25519 (EC_SIGN_ED25519, PureEdDSA) or ECDSA P-256 (EC_SIGN_P256_SHA256). As with the other backends, the algorithm is fixed when the key version is created.
  • Notes: Ensure the service account has cloudkms.cryptoKeyVersions.useToSign (for example via roles/cloudkms.signer), granted on the key or key ring rather than project-wide.

Azure Key Vault (azure-kv-cli)

  • Use when: hosting runtimes in Azure subscriptions.
  • Backend: azure-kv-cli (requires the kms-cli-azure feature flag).
  • Key types: Azure Key Vault does not support Ed25519. Supported key types are RSA (2048/3072/4096) and the elliptic curves P-256, P-256K, P-384 and P-521 (Microsoft Learn reference).
  • Recommendation: prefer RSA-PSS (Key Vault algorithm identifier PS256) or ECDSA (ES256/ES384) for Trust Mesh surfaces that terminate in Azure. Avoid RS256, which is RSA PKCS#1 v1.5 rather than PSS.
  • Env variables:
    export FLEETFORGE_C2PA_SIGNER_BACKEND=azure-kv-cli
    export FLEETFORGE_C2PA_SIGNER_AZURE_VAULT=https://my-vault.vault.azure.net
    export FLEETFORGE_C2PA_SIGNER_AZURE_KEY_NAME=trust-c2pa
    export FLEETFORGE_C2PA_SIGNER_AZURE_KEY_VERSION=<version>
    export AZURE_CLIENT_ID=<app-id>
    export AZURE_TENANT_ID=<tenant-id>
    export AZURE_CLIENT_SECRET=<secret>
  • Credentials: the client-secret triple above is for workstations and CI. Runtimes hosted in Azure should use a managed identity or workload identity instead, so no long-lived secret sits in the environment.
  • Testing: az keyvault key sign --vault-name ... --name ... --version ... --algorithm PS256 --digest <base64url-sha256> ensures the key is reachable and the chosen algorithm is enabled before wiring it into FleetForge. Use the same algorithm identifier you configure for the surface; signing with RS256 proves reachability but not that PSS works.

Feature flags & verification tooling

  • Enable CLI shims at compile time: cargo build --features kms-cli-aws,kms-cli-gcp,kms-cli-azure.
  • Every runtime surface reads the same family of environment variables, with <SURFACE> one of TRUST, CAPABILITY, C2PA or SCITT:
    • FLEETFORGE_<SURFACE>_SIGNER_BACKEND
    • FLEETFORGE_<SURFACE>_SIGNER_{AWS|GCP|AZURE}_*
    • FLEETFORGE_<SURFACE>_SIGNER_PUBLIC_KEY[_PATH]
  • Use fleetforge-ctl signer smoke --surface <SURFACE> to run an end-to-end sign/verify loop for any configured backend before promoting changes.
  • All artifacts embed both kid and public_key_jwk, so rotation events stay verifiable without replaying old KMS API calls. The embedded JWK is self-asserted by the signer, so verifiers must still resolve kid against their own trusted key set and treat an unknown kid as a verification failure rather than trusting the embedded key.
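The following pre-flight check is an added example and is not FleetForge or fleetforge-ctl code. It applies the rules on this page to an environment mapping: each configured surface must name a known backend and carry that backend's required variables, template placeholders such as <version> must be filled in, key identifiers must be well-formed, the algorithm must be one the backend actually offers (no Ed25519 on AWS KMS or Azure Key Vault), env-ed25519 is refused in production, and production surfaces may not share a key. The FLEETFORGE_<SURFACE>_SIGNER_ALGORITHM variable, the identifier regexes and the sample environments in the test are assumptions of the example, not documented FleetForge settings.

```python
"""Pre-flight validation of FleetForge signer environment variables.

Illustrative check written for this page; not part of fleetforge-ctl.
"""
import os
import re
import sys

SURFACES = ("TRUST", "CAPABILITY", "C2PA", "SCITT")

# Per backend: required variable suffixes, which one identifies the key, a
# pattern the identifier should match, and the algorithms the page lists.
# The ALGORITHM variable checked below is an assumption of this example.
BACKENDS = {
    "env-ed25519": {
        "required": ("PRIVATE_KEY_PATH", "PUBLIC_KEY_PATH"),
        "key_var": "PRIVATE_KEY_PATH",
        "key_pattern": r".+",
        "algorithms": {"ED25519"},
    },
    "aws-kms-cli": {
        "required": ("AWS_KEY_ID",),
        "key_var": "AWS_KEY_ID",
        "key_pattern": r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:(key|alias)/.+$",
        "algorithms": {"RSASSA_PSS_SHA_256", "ECDSA_SHA_256"},
    },
    "gcp-kms-cli": {
        "required": ("GCP_KEY_VERSION",),
        "key_var": "GCP_KEY_VERSION",
        "key_pattern": (r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+"
                        r"/cryptoKeys/[^/]+/cryptoKeyVersions/\d+$"),
        "algorithms": {"EC_SIGN_ED25519", "EC_SIGN_P256_SHA256"},
    },
    "azure-kv-cli": {
        "required": ("AZURE_VAULT", "AZURE_KEY_NAME", "AZURE_KEY_VERSION"),
        "key_var": "AZURE_KEY_NAME",
        "key_pattern": r"^[A-Za-z0-9-]{1,127}$",
        "algorithms": {"PS256", "ES256", "ES384"},
    },
}

# Anything still looking like "<version>" was copied from a template unfilled.
PLACEHOLDER = re.compile(r"<[^<>]+>")


def var(surface, suffix):
    return f"FLEETFORGE_{surface}_SIGNER_{suffix}"


def key_identity(env, surface, backend):
    """Hashable identity of the key a surface signs with (for reuse checks)."""
    key = env.get(var(surface, BACKENDS[backend]["key_var"]), "")
    if backend == "azure-kv-cli":  # a key name is only unique within a vault
        key = "/".join((env.get(var(surface, "AZURE_VAULT"), "").rstrip("/"),
                        key, env.get(var(surface, "AZURE_KEY_VERSION"), "")))
    return (backend, key)


def validate_signers(env, production):
    """Check every configured surface; return a list of findings (empty = OK)."""
    findings = []
    keys_in_use = {}
    for surface in SURFACES:
        backend = env.get(var(surface, "BACKEND"))
        if backend is None:
            continue  # surface not configured in this environment
        spec = BACKENDS.get(backend)
        if spec is None:
            findings.append(f"{surface}: unknown backend {backend!r}")
            continue
        if production and backend == "env-ed25519":
            findings.append(f"{surface}: env-ed25519 is the local-development "
                            "backend; use a KMS backend in production")
        missing = [var(surface, s) for s in spec["required"] if not env.get(var(surface, s))]
        if missing:
            findings.append(f"{surface}: missing {', '.join(missing)}")
            continue
        for s in spec["required"]:
            if PLACEHOLDER.search(env[var(surface, s)]):
                findings.append(f"{surface}: {var(surface, s)} still holds a template "
                                f"placeholder ({env[var(surface, s)]})")
        key_val = env[var(surface, spec["key_var"])]
        if not re.match(spec["key_pattern"], key_val):
            findings.append(f"{surface}: {key_val!r} is not a valid {backend} key identifier")
        alg = env.get(var(surface, "ALGORITHM"))
        if alg and alg not in spec["algorithms"]:
            findings.append(f"{surface}: algorithm {alg} is not offered by {backend} "
                            f"(allowed: {sorted(spec['algorithms'])})")
        ident = key_identity(env, surface, backend)
        if production and ident in keys_in_use:
            findings.append(f"{surface}: shares its signing key with {keys_in_use[ident]}; "
                            "production must use one key per surface")
        keys_in_use.setdefault(ident, surface)
    return findings


if __name__ == "__main__":
    # FLEETFORGE_PRODUCTION is an assumed switch for this example only.
    problems = validate_signers(os.environ, production=os.environ.get("FLEETFORGE_PRODUCTION") == "1")
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it in the same shell that exports the profile, before fleetforge-ctl signer smoke: it catches the cheap mistakes (a copied <version> placeholder, Ed25519 requested from a backend that cannot provide it, the same KMS key wired into two surfaces) without making any cloud API call, so it can also run in a pre-commit hook or a deploy pipeline gate.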

Choosing the right profile

  Environment           | Recommended backend          | Notes
  Local dev / CI smoke  | env-ed25519                  | Fast, zero external dependencies. Rotate per developer.
  Staging (AWS)         | aws-kms-cli + RSA-PSS        | Use distinct keys per surface; fence each key via IAM key policy.
  Production (GCP)      | gcp-kms-cli + Ed25519        | PureEdDSA gives small signatures; ensure low-latency networking to KMS.
  Production (Azure)    | azure-kv-cli + RSA-PSS/ES256 | Azure Key Vault lacks Ed25519; pin the algorithm (PS256 or ES256) explicitly and document it in runbooks.

Maintain this page as the single place to update signer instructions; other docs should link here instead of re-describing environment matrices.