Code Signing and Verification
Verify binary authenticity with Ed25519 signatures, macOS notarization, and Windows Authenticode.
Overview
Nefia release binaries are protected with three layers of signing:
- Ed25519 signatures — detached signatures common to all platforms
- macOS Developer ID + Notarization — Gatekeeper-compatible signing
- Windows Authenticode — SmartScreen-compatible DigiCert signing
Verifying Binaries
Verify the Running Binary
```bash
nefia verify --self
```
Verify an Arbitrary Binary
```bash
nefia verify /path/to/nefia_linux_amd64
nefia verify ./nefia-agent.exe
```
Verify Against a Specific Version
```bash
nefia verify --self --version v1.2.3
```
Verification Flow
1. Download the Manifest
   Download manifest.json and manifest.json.sig from GitHub Releases.
2. Verify the Manifest Signature
   Verify manifest.json.sig using the Ed25519 public key embedded at build time.
3. Compare File Hashes
   Compare the SHA-256 hash of the local file against the expected value in the manifest.
Verification result:
```json
{
  "status": "pass",
  "file": "/usr/local/bin/nefia",
  "artifact_name": "nefia_darwin_arm64_v1",
  "expected_hash": "sha256:abc...",
  "actual_hash": "sha256:abc...",
  "version": "v1.2.3"
}
```
Release Manifest
manifest.json contains the SHA-256 hashes of all artifacts included in the release:
```json
{
  "schema_version": 1,
  "version": "v1.2.3",
  "artifacts": {
    "nefia_darwin_arm64_v1": "sha256:...",
    "nefia_linux_amd64_v1": "sha256:...",
    "nefia-agent_windows_amd64.exe": "sha256:..."
  }
}
```
Signed Artifacts
| Artifact | Signing Method |
|---|---|
| nefia (macOS/Linux) | Ed25519 + macOS Developer ID |
| nefia.exe (Windows) | Ed25519 + Authenticode |
| nefia-agent (all OS) | Ed25519 + OS-specific signing |
| nefia-derp (Linux) | Ed25519 |
| Archives (.tar.gz/.zip) | Ed25519 |
| SBOM (CycloneDX) | Ed25519 |
| manifest.json | Ed25519 |
| checksums.txt | Ed25519 |
CI/CD Signing Sequence
- GoReleaser cross-compiles (darwin/linux/windows x amd64/arm64)
- Ed25519 signs all binaries → `*.sig` files
- rcodesign applies Developer ID signing + Apple Notarization to macOS binaries
- DigiCert ONE (cloud HSM) applies Authenticode signing to Windows binaries
- Manifest generation — SHA-256 hashes of all artifacts
- Manifest signing → `manifest.json.sig`
Security Specifications
| Item | Specification |
|---|---|
| Signing algorithm | Ed25519 (detached, 64 bytes) |
| Hash | SHA-256 |
| Maximum binary size | 150 MiB |
| Maximum manifest size | 1 MiB |
| macOS signing | rcodesign 0.29.0+ (Developer ID + Notarization) |
| Windows signing | DigiCert ONE cloud HSM (Authenticode) |
| Public key embedding | Embedded in the binary at build time via -ldflags -X |
| Private key storage | GitHub Secrets (never included in the local repository) |
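
The verification flow described above (manifest signature first, then hash comparison), combined with the size limits from the specification table, as an added Go example that is not Nefia's own code. The names VerifyArtifact, hashOf and demo_artifact, the throwaway key and the sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

const maxManifest, maxBinary = 1 << 20, 150 << 20 // 1 MiB and 150 MiB, from the specification table

// Manifest mirrors the manifest.json layout shown on this page.
type Manifest struct {
	SchemaVersion int               `json:"schema_version"`
	Version       string            `json:"version"`
	Artifacts     map[string]string `json:"artifacts"`
}

func hashOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyArtifact authenticates the raw manifest bytes before parsing them.
func VerifyArtifact(pub ed25519.PublicKey, manifest, sig []byte, name string, binary []byte) error {
	if len(manifest) > maxManifest || len(binary) > maxBinary {
		return errors.New("input exceeds size limit")
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return fmt.Errorf("manifest parse: %w", err)
	}
	if want, ok := m.Artifacts[name]; !ok || want != hashOf(binary) {
		return fmt.Errorf("artifact %q missing or hash mismatch", name)
	}
	return nil
}

func main() { // constructed demo: throwaway key and sample bytes, not real release data
	pub, priv, _ := ed25519.GenerateKey(nil)
	bin := []byte("constructed sample binary")
	man, _ := json.Marshal(Manifest{1, "v1.2.3", map[string]string{"demo_artifact": hashOf(bin)}})
	fmt.Println(VerifyArtifact(pub, man, ed25519.Sign(priv, man), "demo_artifact", bin))
}
```

The public-key length check matters because ed25519.Verify panics on a key of the wrong size, while a signature of the wrong size simply fails verification.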