feat: add device public key and fingerprint for cross-layer binding #46
Merged
felippemsc merged 3 commits into main from Feb 17, 2026
🚀 Release Candidate Deployed! Version: The RC has been deployed to the dev environment. Check the /health endpoint to verify.
Summary
- public_key (Base64 uncompressed EC point) in POST /devices request
- Compute device_public_key_fingerprint (SHA-256 hex of raw key bytes) and store both on the Device model as NOT NULL columns

Context
The sidecar's two layers (Capture Trust JWT + Media Integrity ECDSA proof) were not cryptographically bound.
An attacker could reuse a valid JWT with a forged media integrity proof signed by a different key pair.
Including the device's content-signing public key fingerprint in the JWT closes this gap.
Validators can now verify that the public key in the sidecar matches the one the server saw at registration.
Test plan
- test_device.py, test_capture.py)
- test_device_flow.py, test_capture_flow.py, test_jwks.py)
- alembic upgrade head applies cleanly
- /devices without public_key returns 422
- /devices with public_key stores both key and fingerprint
- device_public_key_fingerprint claim
- SHA-256(base64_decode(public_key)) matches the JWT claim
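
The validator-side check described under Context, as an added example that is not part of this pull request or the project's code: it recomputes the fingerprint from the sidecar's public key and rejects a valid JWT paired with a proof from a different key. It assumes the JWT signature has already been verified; the function names, `BindingError` and the sample keys are hypothetical or constructed.

```python
import base64
import binascii
import hashlib
import hmac

CLAIM = "device_public_key_fingerprint"  # claim name from the PR description


class BindingError(Exception):
    """The sidecar key is not the key the server saw at registration."""


def fingerprint(public_key_b64: str) -> str:
    """SHA-256 hex of the raw key bytes, as the PR summary describes."""
    try:
        raw = base64.b64decode(public_key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise BindingError("public_key is not valid Base64") from exc
    # Uncompressed EC point is 0x04 || X || Y: prefix 0x04 and odd length.
    if len(raw) < 3 or raw[0] != 0x04 or len(raw) % 2 == 0:
        raise BindingError("public_key is not an uncompressed EC point")
    return hashlib.sha256(raw).hexdigest()


def check_binding(verified_claims: dict, sidecar_public_key_b64: str) -> str:
    """Return the fingerprint if the sidecar key matches the JWT claim."""
    # Assumption: verified_claims comes from a JWT whose signature was
    # already checked; this function only enforces the cross-layer binding.
    claimed = verified_claims.get(CLAIM)
    if not isinstance(claimed, str):
        raise BindingError(f"JWT has no {CLAIM} claim")
    actual = fingerprint(sidecar_public_key_b64)
    # Hex is compared case-insensitively and in constant time.
    if not hmac.compare_digest(actual.encode(), claimed.lower().encode()):
        raise BindingError("sidecar public key does not match JWT claim")
    return actual


# Constructed sample data: two fake 65-byte points stand in for real keys.
DEVICE_KEY = base64.b64encode(b"\x04" + bytes(range(64))).decode()
OTHER_KEY = base64.b64encode(b"\x04" + bytes(range(1, 65))).decode()
CLAIMS = {"sub": "device-123", CLAIM: fingerprint(DEVICE_KEY)}

if __name__ == "__main__":
    print("registered key:", check_binding(CLAIMS, DEVICE_KEY))
    try:
        check_binding(CLAIMS, OTHER_KEY)  # valid JWT, proof from another key
    except BindingError as exc:
        print("rejected:", exc)
```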