@parmanasystems/signing

The Signing package provides the cryptographic primitives used to create and verify signatures throughout Parmana. Every authority verification outcome ultimately depends on cryptographic proof. The signing package provides the trust foundation that allows independent parties to verify attestations without trusting the runtime that produced them.

Installation

npm install @parmanasystems/signing

Responsibilities

The signing layer provides:
  • Ed25519 signature generation
  • Signature verification
  • Signer abstractions
  • Key management interfaces
  • Attestation signing
  • Trust root integration

Why it exists

Authority verification requires more than policy evaluation. A verifier must be able to prove:
  • who issued the attestation
  • that the attestation was not modified
  • that the outcome is authentic
  • that the runtime possessed the correct signing authority
The signing package provides those guarantees.

Trust model

Authority Verification Outcome → Canonical Form → Ed25519 Signature → Execution Attestation → Independent Verification

Core concepts

Signers

A signer is responsible for producing cryptographic signatures. Typical implementations include:
  • Local development signers
  • Production key-backed signers
  • HSM-backed signers
  • Cloud KMS signers
All implementations produce the same signature format.

Verifiers

Verifiers validate signatures using the corresponding public key. Verification proves:
  • authenticity
  • integrity
  • non-tampering

Ed25519

Parmana uses Ed25519 because it provides:
  • strong security
  • deterministic signatures
  • fast verification
  • broad ecosystem support

Attestation signing

Every execution attestation is signed. The signature covers:
  • executionId
  • policyId
  • policyVersion
  • decision
  • runtimeHash
  • executionFingerprint
If any field changes, verification fails.

Independent verification

Verification does not require:
  • the original runtime
  • the original database
  • the original deployment
A verifier only needs the attestation and the public key to validate authenticity.
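
The sketch below illustrates the two sections above (the signature covering all six attestation fields, and verification from the attestation and public key alone). It is an added example, not code from @parmanasystems/signing: it uses Node's built-in crypto module, and the canonical form, the function names and the sample values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// The six fields the page lists as covered by the signature.
const SIGNED_FIELDS = ['executionId', 'policyId', 'policyVersion',
  'decision', 'runtimeHash', 'executionFingerprint'];

// ASSUMED canonical form (a stand-in, not @parmanasystems/canonical):
// a JSON array of [name, value] pairs in fixed order, UTF-8 encoded.
function canonicalBytes(attestation) {
  const pairs = SIGNED_FIELDS.map((name) => {
    const value = attestation[name];
    if (typeof value !== 'string' || value === '') {
      throw new TypeError(`missing or non-string field: ${name}`);
    }
    return [name, value];
  });
  return Buffer.from(JSON.stringify(pairs), 'utf8');
}

// Signer side: Ed25519 takes no separate digest, so the algorithm is null.
function signAttestation(fields, privateKey) {
  const signature = crypto.sign(null, canonicalBytes(fields), privateKey);
  return { ...fields, signature: signature.toString('base64') };
}

// Verifier side: needs only the attestation and the public key.
function verifyAttestation(attestation, publicKeyPem) {
  try {
    const signature = Buffer.from(String(attestation.signature), 'base64');
    if (signature.length !== 64) return false; // Ed25519 signatures are 64 bytes
    return crypto.verify(null, canonicalBytes(attestation), publicKeyPem, signature);
  } catch {
    return false;
  }
}

// Constructed sample key pair and attestation values (not real Parmana data).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
const sample = signAttestation({
  executionId: 'exec-0001',
  policyId: 'example-policy',
  policyVersion: '1.0.0',
  decision: 'ALLOW',
  runtimeHash: 'constructed-runtime-hash',
  executionFingerprint: 'constructed-fingerprint',
}, privateKey);
console.log('untouched:', verifyAttestation(sample, publicKeyPem));
console.log('tampered: ', verifyAttestation({ ...sample, decision: 'DENY' }, publicKeyPem));
```

The verifier is handed only a PEM-encoded public key, so it can run on a machine that never had access to the signing runtime or its private key.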

Relationship to other packages

Package                              Responsibility
@parmanasystems/signing              Cryptographic signatures
@parmanasystems/execution-runtime    Attestation generation
@parmanasystems/verifier             Independent verification
@parmanasystems/canonical            Canonical serialization
@parmanasystems/core                 End-to-end SDK

Security properties

Integrity

Tampering invalidates the signature.

Authenticity

Only authorized signers can issue attestations.

Non-repudiation

Issued attestations remain verifiable later.

Portability

Verification can occur anywhere.

Design principles

Cryptographic trust

Trust derives from signatures, not infrastructure.

Runtime independence

Verification works without runtime access.

Long-term verifiability

Attestations remain verifiable years later.

Deterministic

The same attestation always verifies the same way.

See also

  • /packages/verifier
  • /packages/canonical
  • /packages/execution-runtime
  • /verification/attestations
  • /architecture/trust-portability