Problem
The parsed KeyInfo model and X.509 chain verifier exist, but callers need a configuration-driven resolver for trusted certificates, named verification keys, optional chain verification, verification time, and maximum path depth.
Release automation also renders every conventional commit from a merge-commit PR, so standalone test commits should not become changelog entries.
Implementation
- Add
VerificationKey, KeyResolverConfig, DefaultKeyResolver, and typed KeyResolutionError public APIs.
- Pass parsed
KeyInfo plus the declared signature algorithm to KeyResolver implementations without reparsing XML.
- Resolve embedded X.509 signing certificates, DSig 1.1 DER-encoded SPKI keys, and configured
KeyName entries in document order.
- Validate RSA/EC key compatibility with the declared signature algorithm before verification.
- Enforce configured X.509 trust anchors, verification time, and maximum path depth when
verify_chains is enabled.
- Preserve custom resolvers that intentionally ignore malformed advisory
KeyInfo.
- Exclude
test commits from release-plz changelog output.
Acceptance criteria
KeyResolverConfig::default() has no trust anchors/named keys, chain verification disabled, system-time selection, and maximum depth 9.
- Embedded X.509, DEREncodedKeyValue, and KeyName sources verify through
VerifyContext end to end.
- Algorithm mismatch and untrusted chains fail closed with typed errors.
- Custom resolvers receive parsed optional KeyInfo and the signature algorithm.
- Raw RSA/EC
KeyValue remains unresolved until its parser model carries key bytes rather than marker variants.
- Release changelogs omit standalone
test commits.
- Workspace fmt, check, clippy, nextest, doc tests, and build pass.
Repository setting follow-up
One changelog entry per PR requires squash-only merges. This repository setting requires explicit owner approval and is not performed by this issue. PR-title validation is intentionally not added to CI.
Estimate
1d 4h: 5h implementation/tests, 2h CI/release validation, 1h review and mentoring overhead.
Problem
The parsed KeyInfo model and X.509 chain verifier exist, but callers need a configuration-driven resolver for trusted certificates, named verification keys, optional chain verification, verification time, and maximum path depth.
Release automation also renders every conventional commit from a merge-commit PR, so standalone test commits should not become changelog entries.
Implementation
VerificationKey,KeyResolverConfig,DefaultKeyResolver, and typedKeyResolutionErrorpublic APIs.KeyInfoplus the declared signature algorithm toKeyResolverimplementations without reparsing XML.KeyNameentries in document order.verify_chainsis enabled.KeyInfo.testcommits from release-plz changelog output.Acceptance criteria
KeyResolverConfig::default()has no trust anchors/named keys, chain verification disabled, system-time selection, and maximum depth 9.VerifyContextend to end.KeyValueremains unresolved until its parser model carries key bytes rather than marker variants.testcommits.Repository setting follow-up
One changelog entry per PR requires squash-only merges. This repository setting requires explicit owner approval and is not performed by this issue. PR-title validation is intentionally not added to CI.
Estimate
1d 4h: 5h implementation/tests, 2h CI/release validation, 1h review and mentoring overhead.