[Task] Add artifact digest, SBOM, and provenance verification to module installer #210

Closed
opened 2026-07-07 15:03:29 +02:00 by zemion · 1 comment
Owner

Objective

Extend signed catalogs from metadata approval to artifact integrity verification.

Scope

  • Define catalog fields for Python/WebUI artifact digests, SBOM URLs, provenance URLs, and expected registry/git artifact identity.
  • Verify downloaded package artifacts or resolved git refs before applying install commands.
  • Record verified digests/provenance in installer run records.
  • Fail preflight when required integrity metadata is missing in production mode.

Acceptance Criteria

  • Catalog schema documents digest/provenance fields.
  • Installer can verify at least one package artifact path end to end.
  • Run records include verified artifact identity.
  • Production mode blocks unverified artifacts.

Codex-Fingerprint: module-installer-artifact-integrity-sbom-provenance

## Objective Extend signed catalogs from metadata approval to artifact integrity verification. ## Scope - Define catalog fields for Python/WebUI artifact digests, SBOM URLs, provenance URLs, and expected registry/git artifact identity. - Verify downloaded package artifacts or resolved git refs before applying install commands. - Record verified digests/provenance in installer run records. - Fail preflight when required integrity metadata is missing in production mode. ## Acceptance Criteria - [ ] Catalog schema documents digest/provenance fields. - [ ] Installer can verify at least one package artifact path end to end. - [ ] Run records include verified artifact identity. - [ ] Production mode blocks unverified artifacts. Codex-Fingerprint: module-installer-artifact-integrity-sbom-provenance
Author
Owner

Codex State: done

Summary

  • Added artifact integrity metadata for module package catalogs and install plans, with local SHA-256 verification in installer preflight.

Changed Files

  • Catalog entries and install plan items now preserve artifact_integrity for Python/WebUI artifacts; installer preflight records verified artifact identity under preflight.artifact_integrity; GOVOPLAN_MODULE_INSTALLER_REQUIRE_ARTIFACT_INTEGRITY=true blocks missing or unverified artifacts; docs and the example catalog include SHA-256, SBOM, provenance, and source identity fields.

Verification

  • ./.venv/bin/python -m unittest tests.test_module_system
  • ./.venv/bin/python -m json.tool docs/module-package-catalog.example.json >/dev/null
  • ./.venv/bin/python scripts/check_dependency_boundaries.py
## Codex State: done ### Summary - Added artifact integrity metadata for module package catalogs and install plans, with local SHA-256 verification in installer preflight. ### Changed Files - `Catalog entries and install plan items now preserve artifact_integrity for Python/WebUI artifacts; installer preflight records verified artifact identity under preflight.artifact_integrity; GOVOPLAN_MODULE_INSTALLER_REQUIRE_ARTIFACT_INTEGRITY=true blocks missing or unverified artifacts; docs and the example catalog include SHA-256, SBOM, provenance, and source identity fields.` ### Verification - `./.venv/bin/python -m unittest tests.test_module_system` - `./.venv/bin/python -m json.tool docs/module-package-catalog.example.json >/dev/null` - `./.venv/bin/python scripts/check_dependency_boundaries.py`
zemion added the
type
task
status
ready
area/module-system
labels 2026-07-07 23:08:03 +02:00
zemion added the
module/core
label 2026-07-07 23:41:52 +02:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#210
No description provided.