{"id":51067175,"url":"https://github.com/mokkunsuzuki-code/stage354","last_synced_at":"2026-06-23T07:32:21.966Z","repository":{"id":366289444,"uuid":"1275754442","full_name":"mokkunsuzuki-code/stage354","owner":"mokkunsuzuki-code","description":"Stage354: Signature Key Rotation Ledger Layer with Stage178 Assumption, Threat Model, and Guarantee Binding. Transparent key lifecycle tracking, signature key status recording, ledger chaining, and PQC migration-aware verification metadata.","archived":false,"fork":false,"pushed_at":"2026-06-21T05:17:54.000Z","size":75,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-21T07:15:42.729Z","etag":null,"topics":["audit","compliance","cryptography","cybersecurity","ed25519","evidence","gpg","key-lifecycle","key-rotation","ledger","ml-dsa","pqc","provenance","qsp","signature-verification","sigstore","supply-chain-security","transparency","trust","verification"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mokkunsuzuki-code.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-21T05:14:25.000Z","updated_at":"2026-06-21T05:17:57.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mokkunsuzuki-code/stage354","commit_stats":null,"previous_names":["mokkunsuzuki-code/stage354"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/mokkunsuzuki-code/stage354","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mokkunsuzuki-code%2Fstage354","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mokkunsuzuki-code%2Fstage354/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mokkunsuzuki-code%2Fstage354/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mokkunsuzuki-code%2Fstage354/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mokkunsuzuki-code","download_url":"https://codeload.github.com/mokkunsuzuki-code/stage354/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mokkunsuzuki-code%2Fstage354/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34680620,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-23T02:00:07.161Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","compliance","cryptography","cybersecurity","ed25519","evidence","gpg","key-lifecycle","key-rotation","ledger","ml-dsa","pqc","provenance","qsp","signature-verification","sigstore","supply-chain-security","transparency","trust","verification"],"created_at":"2026-06-23T07:32:19.761Z","updated_at":"2026-06-23T07:32:21.959Z","avatar_url":"https://github.com/mokkunsuzuki-code.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Stage354: Signature Key Rotation Ledger Layer\n\nStage354 adds a transparent signature key lifecycle and rotation ledger on top of Stage353.\n\nThis stage introduces:\n\n- Signature key lifecycle recording\n- Key rotation policy initialization\n- Stage178 Assumption / Threat Model / Guarantee binding\n- Ledger chaining with previous_hash and entry_hash\n- GPG metadata support\n- Sigstore OIDC metadata support\n- Ed25519 metadata support\n- PQC ML-DSA intent metadata support\n- Verification-safe public key status records\n\nThis stage does not publish:\n\n- Private keys\n- Raw secret material\n- Seed values\n- Real PQC private key material\n- Fake active PQC key claims\n- Fake external transparency claims\n\n---\n\n## Stage353 → Stage354\n\nStage353 focused on:\n\n- Verification transparency\n- Verification result chaining\n- Hash-linked audit history\n\nStage354 extends this by tracking:\n\n- Key validity\n- Key rotation\n- Key revocation\n- Key lifecycle state\n- PQC migration readiness\n\n---\n\n## Stage178 Binding\n\nStage354 embeds the Stage178 framework:\n\n### Assumption\n\n- Signing keys are not assumed to remain secure forever.\n- Keys may be rotated, revoked, replaced, or superseded.\n- Verification must consider key validity at signing time.\n\n### Threat Model\n\n- Compromised keys\n- Revoked key misuse\n- Silent key replacement\n- Future PQC algorithm migration\n\n### Guarantee\n\n- Transparent key lifecycle records\n- Rotation history visibility\n- Verification-aware key status checking\n- No publication of private keys\n\n---\n\n## Key Lifecycle States\n\nSupported status examples:\n\n- active\n- rotated\n- revoked\n- expired\n- superseded\n- intent_only\n- not_configured\n\n---\n\n## Ledger Structure\n\nGenerated files:\n\ndocs/keys/stage354_key_rotation_ledger.json\n\ndocs/keys/stage354_key_rotation_result.json\n\ndocs/keys/stage354_key_rotation_summary.txt\n\n---\n\n## Verification Checks\n\nStage354 verifies:\n\n- Stage353 result availability\n- Stage178 binding presence\n- Key record availability\n- No private key publication\n- No fake rotation claims\n- No fake active PQC key claims\n- Ledger chain integrity\n\n---\n\n## Current Decision\n\nCurrent initialization result:\n\naccept_policy_initialization\n\nMeaning:\n\n- Key lifecycle policy initialized\n- Ledger chain established\n- No active production key rotation claimed\n- No private key exposure detected\n\n---\n\n## Safety Boundary\n\nStage354 is a metadata verification layer.\n\nIt does not:\n\n- Manage production private keys\n- Generate cryptographic keys\n- Publish secrets\n- Perform real-world key rotation\n- Claim external transparency inclusion\n\n---\n\n## Relationship to QSP / VEP\n\nStage354 strengthens long-term trust verification by adding:\n\nEvidence\n↓\nVerification\n↓\nTransparency\n↓\nSignature Context\n↓\nKey Lifecycle Tracking\n\nThis allows future verification decisions to consider:\n\n- Was the signing key valid?\n- Was the key revoked?\n- Was the signature created before revocation?\n- Is the signing algorithm still trusted?\n\n---\n\n## License\n\nMIT License\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmokkunsuzuki-code%2Fstage354","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmokkunsuzuki-code%2Fstage354","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmokkunsuzuki-code%2Fstage354/lists"}