HELM Signing Keys — Key Rotation Policy
Active Keys
| Key ID | Algorithm | Since | Status |
|---|---|---|---|
| helm-release-2026-v1 | Ed25519 | 2026-02-21 | Active |
Key Lifecycle
- Generation: Keys are generated offline using openssl genpkey -algorithm Ed25519.
- Pinning: Public keys are embedded in the CLI source at src/crypto.ts.
- Rotation: New keys are appended. Old keys remain for back-compat verification.
- Retirement: Keys are marked inactive after 12 months. They are no longer used for signing but continue to verify existing signatures.
Verification
The CLI automatically tries all pinned keys in order when verifying an attestation signature; a signature that validates under any pinned key is accepted. No configuration is needed: the key list is shipped with each CLI release, which also means that a newly added key is only trusted by CLI versions released after it was pinned.
Where Keys Live
| Location | Content |
|---|---|
| packages/mindburn-helm-cli/src/crypto.ts | Pinned public keys (PEM format) |
| GitHub Secrets (HELM_SIGNING_KEY) | Private key (never committed) |
| scripts/release/build-evidence-bundle.sh | Uses HELM_SIGNING_KEY env var for signing |
Key Generation
# Generate Ed25519 keypair
openssl genpkey -algorithm Ed25519 -out private.pem
openssl pkey -in private.pem -pubout -out public.pem
# Extract the base64 line for pinning
grep -v "BEGIN\|END" public.pem
Emergency Rotation
If a private key is compromised:
- Generate a new keypair
- Append the new public key to PINNED_PUBLIC_KEYS in crypto.ts, and make sure the compromised public key can no longer verify (remove it from PINNED_PUBLIC_KEYS or mark it so verification skips it): the CLI accepts a signature from any pinned key, so a compromised key left in the list would keep validating attacker-signed attestations
- Update GitHub Secrets (HELM_SIGNING_KEY)
- Publish a CLI patch release
- Mark the old key as compromised in this document
- Re-sign any attestations created with the compromised key
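The following is an added example, not the project's crypto.ts, showing the verification behaviour described under Verification (try every pinned key in order) together with the emergency-rotation requirement that a compromised key must stop verifying. It uses only Node's built-in crypto module. The PinnedKey shape, the status field, the signAttestation/verifyAttestation function names and every key ID other than helm-release-2026-v1 are assumptions made for illustration; the keys and payloads are generated in-process so the example runs offline.

```typescript
import { createPrivateKey, createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

export type KeyStatus = "active" | "inactive" | "compromised";

// Shape assumed for an entry of PINNED_PUBLIC_KEYS (the real crypto.ts may differ).
export interface PinnedKey {
  id: string;
  status: KeyStatus;
  publicKeyPem: string; // SPKI PEM, i.e. the output of `openssl pkey -pubout`
}

export interface VerifyResult {
  ok: boolean;
  keyId?: string; // which pinned key validated the signature, when ok
}

// Ed25519 signs the whole message; Node expects algorithm === null for it.
export function signAttestation(privateKeyPem: string, payload: Buffer): Buffer {
  return sign(null, payload, createPrivateKey(privateKeyPem));
}

// Try every pinned key in order, as the policy describes. Retired ("inactive")
// keys still verify existing signatures; a "compromised" key is skipped so that
// attacker-produced signatures do not verify even though its ID stays on record.
export function verifyAttestation(pinned: PinnedKey[], payload: Buffer, signature: Buffer): VerifyResult {
  for (const key of pinned) {
    if (key.status === "compromised") continue;
    let ok = false;
    try {
      ok = verify(null, payload, createPublicKey(key.publicKeyPem), signature);
    } catch {
      ok = false; // malformed PEM or wrong-length signature counts as no match
    }
    if (ok) return { ok: true, keyId: key.id };
  }
  return { ok: false };
}

// In-process equivalent of the `openssl genpkey` / `openssl pkey -pubout` steps,
// used here only so the example runs offline. Real keys are generated offline
// and the private half is never committed.
export function generateKeyPem(): { privateKeyPem: string; publicKeyPem: string } {
  const { privateKey, publicKey } = generateKeyPairSync("ed25519");
  return {
    privateKeyPem: privateKey.export({ type: "pkcs8", format: "pem" }).toString(),
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }).toString(),
  };
}

// Constructed walkthrough of a rotation: one retired key, the current key, one
// key revoked after compromise, and one key that was never pinned. All IDs
// except helm-release-2026-v1 are made up for this example.
export function rotationDemo(): {
  retiredOk: boolean;
  activeKeyId?: string;
  compromisedOk: boolean;
  tamperedOk: boolean;
  unknownOk: boolean;
} {
  const retired = generateKeyPem();
  const active = generateKeyPem();
  const revoked = generateKeyPem();
  const unknown = generateKeyPem();

  const pinned: PinnedKey[] = [
    { id: "helm-release-2025-v1", status: "inactive", publicKeyPem: retired.publicKeyPem },
    { id: "helm-release-2026-v1", status: "active", publicKeyPem: active.publicKeyPem },
    { id: "helm-release-2024-v1", status: "compromised", publicKeyPem: revoked.publicKeyPem },
  ];

  // Constructed attestation payloads (not a real evidence bundle).
  const payload = Buffer.from('{"bundle":"evidence","version":"1.2.3"}');
  const tampered = Buffer.from('{"bundle":"evidence","version":"9.9.9"}');

  const sigRetired = signAttestation(retired.privateKeyPem, payload);
  const sigActive = signAttestation(active.privateKeyPem, payload);
  const sigRevoked = signAttestation(revoked.privateKeyPem, payload);
  const sigUnknown = signAttestation(unknown.privateKeyPem, payload);

  return {
    retiredOk: verifyAttestation(pinned, payload, sigRetired).ok,          // old signature still valid
    activeKeyId: verifyAttestation(pinned, payload, sigActive).keyId,      // "helm-release-2026-v1"
    compromisedOk: verifyAttestation(pinned, payload, sigRevoked).ok,     // revoked key rejected
    tamperedOk: verifyAttestation(pinned, tampered, sigActive).ok,        // modified payload rejected
    unknownOk: verifyAttestation(pinned, payload, sigUnknown).ok,         // unpinned key rejected
  };
}
```

Because the verifier accepts a signature from any key in the list, the status check is what turns "mark old key as compromised" into an enforced decision; without it, the patch release would still trust attacker-signed attestations. Keeping the revoked entry with a status, rather than deleting it, preserves the key ID history in code while removing its trust.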