pynydus.security.signing

Ed25519 egg signing and verification. Spec §signing.

Provides asymmetric signing so recipients can verify that an egg was created by a known author and has not been modified in transit.

Key storage convention:
Private key: ~/.nydus/keys/private.pem (or the NYDUS_PRIVATE_KEY env var)
Public key: embedded in signature.json inside the .egg archive

Module Contents

Functions

generate_keypair

Generate a new Ed25519 keypair and write PEM files to disk.

load_private_key

Load an Ed25519 private key from PEM file or NYDUS_PRIVATE_KEY.

load_public_key

Load an Ed25519 public key from PEM-encoded bytes.

_canonical_content

Concatenate content parts with length prefixes (big-endian 8-byte length).

compute_content_hash

Return SHA-256 of _canonical_content output.

sign_egg_content

Sign egg content and return a signature.json-compatible dict.

verify_egg_content

Verify an egg signature dict against recomputed content.

Data

API

pynydus.security.signing.DEFAULT_KEY_DIR

None

pynydus.security.signing.DEFAULT_PRIVATE_KEY_PATH

None

pynydus.security.signing.DEFAULT_PUBLIC_KEY_PATH

None

pynydus.security.signing.generate_keypair(key_dir: pathlib.Path | None = None) -> tuple[pathlib.Path, pathlib.Path]

Generate a new Ed25519 keypair and write PEM files to disk.

Args: key_dir: Directory for private.pem and public.pem. Defaults to ~/.nydus/keys.

Returns: (private_key_path, public_key_path).

pynydus.security.signing.load_private_key(path: pathlib.Path | None = None) -> cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey

Load an Ed25519 private key from PEM file or NYDUS_PRIVATE_KEY.

Args: path: PEM file path. Ignored when NYDUS_PRIVATE_KEY is set.

Returns: Parsed private key.

Raises: FileNotFoundError: If NYDUS_PRIVATE_KEY is not set and the PEM file at path (or the default key path) does not exist.

pynydus.security.signing.load_public_key(pem_bytes: bytes) -> cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey

Load an Ed25519 public key from PEM-encoded bytes.

Args: pem_bytes: PEM text as UTF-8 bytes.

Returns: Parsed public key.

pynydus.security.signing._canonical_content(content_parts: list[bytes]) -> bytes

Concatenate content parts with length prefixes (big-endian 8-byte length).

Args: content_parts: Ordered binary blobs to hash.

Returns: Canonical byte string suitable for signing.

pynydus.security.signing.compute_content_hash(content_parts: list[bytes]) -> bytes

Return SHA-256 of _canonical_content output.

Args: content_parts: Same ordered parts as used for signing.

Returns: 32-byte digest.
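The two entries above describe one procedure: frame each part with an 8-byte big-endian length, concatenate, and hash. The following is an added example (not the project's own code) that re-implements that framing from the description, adds a parser for the framed form to show the encoding is unambiguous, and contrasts it with plain concatenation, which lets two different part lists hash to the same digest. The function names and the sample part lists are constructed for this illustration.

```python
import hashlib
import struct


def canonical_content(content_parts: list[bytes]) -> bytes:
    """Prefix every part with its length as a big-endian uint64, then concatenate.

    Hypothetical re-implementation of the documented _canonical_content behaviour.
    """
    out = bytearray()
    for part in content_parts:
        out += struct.pack(">Q", len(part))  # 8-byte big-endian length prefix
        out += part
    return bytes(out)


def compute_content_hash(content_parts: list[bytes]) -> bytes:
    """SHA-256 over the canonical (length-prefixed) byte string; 32-byte digest."""
    return hashlib.sha256(canonical_content(content_parts)).digest()


def parse_canonical(blob: bytes) -> list[bytes]:
    """Invert canonical_content. Raises ValueError on a truncated or malformed blob."""
    parts: list[bytes] = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 8:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">Q", blob, offset)
        offset += 8
        if len(blob) - offset < n:
            raise ValueError("truncated part")
        parts.append(blob[offset:offset + n])
        offset += n
    return parts


def is_well_framed(blob: bytes) -> bool:
    """True when blob round-trips through the framing without error."""
    try:
        parse_canonical(blob)
    except ValueError:
        return False
    return True


def naive_hash(content_parts: list[bytes]) -> bytes:
    """Plain concatenation, shown only to illustrate the boundary-shift problem."""
    return hashlib.sha256(b"".join(content_parts)).digest()


# Constructed sample: identical bytes overall, but the boundary between the
# first two parts has moved. Without length prefixes the digests coincide.
PARTS_A = [b'{"name":"demo"}', b"[]", b"{}", b"{}"]
PARTS_B = [b'{"name":"demo"}[]', b"", b"{}", b"{}"]


def boundary_shift_collides() -> tuple[bool, bool]:
    """(collides under naive concatenation, collides under canonical framing)."""
    return (
        naive_hash(PARTS_A) == naive_hash(PARTS_B),
        compute_content_hash(PARTS_A) == compute_content_hash(PARTS_B),
    )


if __name__ == "__main__":
    print(canonical_content([b"ab", b"c"]).hex())
    print(boundary_shift_collides())  # expected (True, False)
```

The parser is the practical check: if a reader can split the framed blob back into the original parts exactly, no two different part lists share a canonical encoding, so a digest over it binds the part boundaries as well as the bytes.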

pynydus.security.signing.sign_egg_content(private_key: cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey, content_parts: list[bytes]) -> dict

Sign egg content and return a signature.json-compatible dict.

Args:
private_key: Key used to sign.
content_parts: Ordered blobs, typically [manifest_json, skills_json, memory_json, secrets_json].

Returns: Dict with algorithm, content_hash (hex), signature (base64), and public_key (PEM) for offline verification.

pynydus.security.signing.verify_egg_content(signature_data: dict, content_parts: list[bytes]) -> bool

Verify an egg signature dict against recomputed content.

Args:
signature_data: Parsed signature.json payload.
content_parts: Same ordered parts used when signing.

Returns: True if both the recomputed content hash and the Ed25519 signature verify. False if either the hash or the signature check fails.