auths-dev
diff --git a/‎crates/auths-cli/src/commands/artifact/mod.rs‎
Lines changed: 113 additions & 85 deletions b/‎crates/auths-cli/src/commands/artifact/mod.rs‎
Lines changed: 113 additions & 85 deletions
diff --git a/‎crates/auths-cli/src/commands/artifact/sign.rs‎
Lines changed: 43 additions & 2 deletions b/‎crates/auths-cli/src/commands/artifact/sign.rs‎
Lines changed: 43 additions & 2 deletions
diff --git a/‎crates/auths-cli/src/commands/device/pair/join.rs‎
Lines changed: 6 additions & 1 deletion b/‎crates/auths-cli/src/commands/device/pair/join.rs‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎crates/auths-cli/src/commands/device/verify_attestation.rs‎
Lines changed: 25 additions & 12 deletions b/‎crates/auths-cli/src/commands/device/verify_attestation.rs‎
Lines changed: 25 additions & 12 deletions
diff --git a/‎crates/auths-cli/src/commands/publish.rs‎
Lines changed: 2 additions & 0 deletions b/‎crates/auths-cli/src/commands/publish.rs‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎crates/auths-cli/src/commands/sign.rs‎
Lines changed: 2 additions & 0 deletions b/‎crates/auths-cli/src/commands/sign.rs‎
Lines changed: 2 additions & 0 deletions
@@ -195,6 +195,108 @@ fn rate_limit_secs(err: &auths_sdk::workflows::log_submit::LogSubmitError) -> u6
     }
 }
 
+/// Re-export DSSE PAE from the SDK for use in CLI signing paths.
+pub use auths_sdk::domains::signing::service::dsse_pae;
+
+/// Submit an attestation to a transparency log and return the JSON to embed.
+///
+/// The `dsse_signature` is the signature over the DSSE PAE of the attestation,
+/// computed by the caller while the signing key is still available.
+///
+/// Returns `None` if `allow_unlogged` is set or `--log` wasn't passed.
+fn submit_to_log(
+    attestation_json: &str,
+    log: &Option<String>,
+    allow_unlogged: bool,
+    dsse_signature: Option<&[u8]>,
+) -> Result<Option<serde_json::Value>> {
+    if allow_unlogged {
+        eprintln!(
+            "WARNING: Signing without transparency log. \
+             This artifact will not be verifiable against any log."
+        );
+        return Ok(None);
+    }
+
+    // If --log wasn't passed, skip silently (non-CI default behavior)
+    if log.is_none() {
+        return Ok(None);
+    }
+
+    let sig_bytes = dsse_signature
+        .ok_or_else(|| anyhow::anyhow!("DSSE signature required for log submission"))?;
+
+    let attestation_value: serde_json::Value = serde_json::from_str(attestation_json)
+        .map_err(|e| anyhow::anyhow!("Failed to parse attestation: {e}"))?;
+
+    // device_public_key may be a hex string or {"curve": "...", "key": "..."}
+    let pk_hex = if let Some(s) = attestation_value["device_public_key"].as_str() {
+        s.to_string()
+    } else if let Some(key_field) = attestation_value["device_public_key"]["key"].as_str() {
+        key_field.to_string()
+    } else {
+        return Err(anyhow::anyhow!("missing device_public_key"));
+    };
+    let pk_bytes =
+        hex::decode(&pk_hex).map_err(|e| anyhow::anyhow!("invalid public key hex: {e}"))?;
+
+    let rt = tokio::runtime::Runtime::new()
+        .map_err(|e| anyhow::anyhow!("Failed to create async runtime: {e}"))?;
+
+    let log_client: std::sync::Arc<dyn auths_sdk::ports::TransparencyLog> = match log.as_deref() {
+        Some("sigstore-rekor") => std::sync::Arc::new(
+            auths_infra_rekor::RekorClient::public()
+                .map_err(|e| anyhow::anyhow!("Failed to create Rekor client: {e}"))?,
+        ),
+        Some(other) => bail!("Unknown log '{}'. Available: sigstore-rekor", other),
+        None => unreachable!(),
+    };
+
+    let submit = || {
+        rt.block_on(auths_sdk::workflows::log_submit::submit_attestation_to_log(
+            attestation_json.as_bytes(),
+            &pk_bytes,
+            sig_bytes,
+            log_client.as_ref(),
+        ))
+    };
+
+    let submission_result = match submit() {
+        Ok(bundle) => Ok(bundle),
+        Err(ref e) if is_rate_limited(e) => {
+            let secs = rate_limit_secs(e);
+            eprintln!("Rate limited by transparency log. Retrying in {secs}s...");
+            std::thread::sleep(std::time::Duration::from_secs(secs));
+            submit()
+        }
+        Err(e) => Err(e),
+    };
+
+    match submission_result {
+        Ok(bundle) => {
+            eprintln!(
+                "  Logged to {} at index {}",
+                bundle.log_id, bundle.leaf_index
+            );
+            Ok(Some(serde_json::to_value(&bundle).map_err(|e| {
+                anyhow::anyhow!("Failed to serialize: {e}")
+            })?))
+        }
+        Err(e) => Err(anyhow::anyhow!("Transparency log submission failed: {e}")),
+    }
+}
+
+/// Merge transparency JSON into an attestation and return the final JSON string.
+fn merge_transparency(attestation_json: &str, transparency: serde_json::Value) -> Result<String> {
+    let mut attestation: serde_json::Value = serde_json::from_str(attestation_json)
+        .map_err(|e| anyhow::anyhow!("Failed to re-parse attestation: {e}"))?;
+    if let serde_json::Value::Object(ref mut map) = attestation {
+        map.insert("transparency".to_string(), transparency);
+    }
+    serde_json::to_string_pretty(&attestation)
+        .map_err(|e| anyhow::anyhow!("Failed to serialize attestation: {e}"))
+}
+
 /// Resolve the commit SHA from CLI flags.
 fn resolve_commit_sha_from_flags(
     commit: Option<String>,
@@ -290,93 +392,15 @@ pub fn handle_artifact(
                 .map_err(|e| anyhow::anyhow!("Ephemeral signing failed: {}", e))?;
 
                 // Submit to transparency log (unless --allow-unlogged)
-                let transparency_json = if allow_unlogged {
-                    eprintln!(
-                        "WARNING: Signing without transparency log. \
-                         This artifact will not be verifiable against any log."
-                    );
-                    None
-                } else {
-                    // Parse the attestation to extract public key and signature
-                    let attestation_value: serde_json::Value =
-                        serde_json::from_str(&result.attestation_json)
-                            .map_err(|e| anyhow::anyhow!("Failed to parse attestation: {e}"))?;
-
-                    let identity_sig_hex = attestation_value["identity_signature"]
-                        .as_str()
-                        .ok_or_else(|| anyhow::anyhow!("missing identity_signature"))?;
-                    let sig_bytes = hex::decode(identity_sig_hex)
-                        .map_err(|e| anyhow::anyhow!("invalid signature hex: {e}"))?;
-
-                    let device_pk_hex = attestation_value["device_public_key"]
-                        .as_str()
-                        .ok_or_else(|| anyhow::anyhow!("missing device_public_key"))?;
-                    let pk_bytes = hex::decode(device_pk_hex)
-                        .map_err(|e| anyhow::anyhow!("invalid public key hex: {e}"))?;
-
-                    let rt = tokio::runtime::Runtime::new()
-                        .map_err(|e| anyhow::anyhow!("Failed to create async runtime: {e}"))?;
-
-                    // Build the transparency log client
-                    let log_client: std::sync::Arc<dyn auths_sdk::ports::TransparencyLog> =
-                        match log.as_deref() {
-                            Some("sigstore-rekor") | None => std::sync::Arc::new(
-                                auths_infra_rekor::RekorClient::public().map_err(|e| {
-                                    anyhow::anyhow!("Failed to create Rekor client: {e}")
-                                })?,
-                            ),
-                            Some(other) => {
-                                bail!("Unknown log '{}'. Available: sigstore-rekor", other)
-                            }
-                        };
+                let transparency_json = submit_to_log(
+                    &result.attestation_json,
+                    &log,
+                    allow_unlogged,
+                    result.dsse_signature.as_deref(),
+                )?;
 
-                    let submit = || {
-                        rt.block_on(auths_sdk::workflows::log_submit::submit_attestation_to_log(
-                            result.attestation_json.as_bytes(),
-                            &pk_bytes,
-                            &sig_bytes,
-                            log_client.as_ref(),
-                        ))
-                    };
-
-                    let submission_result = match submit() {
-                        Ok(bundle) => Ok(bundle),
-                        Err(ref e) if is_rate_limited(e) => {
-                            let secs = rate_limit_secs(e);
-                            eprintln!("Rate limited by transparency log. Retrying in {secs}s...");
-                            std::thread::sleep(std::time::Duration::from_secs(secs));
-                            submit()
-                        }
-                        Err(e) => Err(e),
-                    };
-
-                    match submission_result {
-                        Ok(bundle) => {
-                            eprintln!(
-                                "  Logged to {} at index {}",
-                                bundle.log_id, bundle.leaf_index
-                            );
-                            Some(
-                                serde_json::to_value(&bundle)
-                                    .map_err(|e| anyhow::anyhow!("Failed to serialize: {e}"))?,
-                            )
-                        }
-                        Err(e) => {
-                            return Err(anyhow::anyhow!("Transparency log submission failed: {e}"));
-                        }
-                    }
-                };
-
-                // Build final .auths.json with optional transparency section
                 let final_json = if let Some(transparency) = transparency_json {
-                    let mut attestation: serde_json::Value =
-                        serde_json::from_str(&result.attestation_json)
-                            .map_err(|e| anyhow::anyhow!("Failed to re-parse attestation: {e}"))?;
-                    if let serde_json::Value::Object(ref mut map) = attestation {
-                        map.insert("transparency".to_string(), transparency);
-                    }
-                    serde_json::to_string_pretty(&attestation)
-                        .map_err(|e| anyhow::anyhow!("Failed to serialize final JSON: {e}"))?
+                    merge_transparency(&result.attestation_json, transparency)?
                 } else {
                     result.attestation_json.clone()
                 };
@@ -424,6 +448,8 @@ pub fn handle_artifact(
                     repo_opt,
                     passphrase_provider,
                     env_config,
+                    &log,
+                    allow_unlogged,
                 )
             }
         }
@@ -465,6 +491,8 @@ pub fn handle_artifact(
                             repo_opt.clone(),
                             passphrase_provider,
                             env_config,
+                            &None,
+                            false,
                         )?;
                         default_sig
                     }
 
@@ -10,6 +10,7 @@ use auths_sdk::keychain::KeyAlias;
 use auths_sdk::signing::PassphraseProvider;
 
 use super::file::FileArtifact;
+use super::{dsse_pae, merge_transparency, submit_to_log};
 use crate::factories::storage::build_auths_context;
 
 /// Execute the `artifact sign` command.
@@ -25,10 +26,12 @@ pub fn handle_sign(
     repo_opt: Option<PathBuf>,
     passphrase_provider: Arc<dyn PassphraseProvider + Send + Sync>,
     env_config: &EnvironmentConfig,
+    log: &Option<String>,
+    allow_unlogged: bool,
 ) -> Result<()> {
     let repo_path = auths_sdk::storage_layout::resolve_repo_path(repo_opt)?;
 
-    let ctx = build_auths_context(&repo_path, env_config, Some(passphrase_provider))?;
+    let ctx = build_auths_context(&repo_path, env_config, Some(passphrase_provider.clone()))?;
 
     let params = ArtifactSigningParams {
         artifact: Arc::new(FileArtifact::new(file)),
@@ -42,6 +45,44 @@ pub fn handle_sign(
     let result = sign_artifact(params, &ctx)
         .with_context(|| format!("Failed to sign artifact {:?}", file))?;
 
+    // Compute DSSE signature if log submission is requested
+    let dsse_sig = if log.is_some() && !allow_unlogged {
+        let pae = dsse_pae(
+            "application/vnd.auths+json",
+            result.attestation_json.as_bytes(),
+        );
+        let alias = KeyAlias::new_unchecked(device_key);
+        let (_, _role, encrypted) = ctx
+            .key_storage
+            .load_key(&alias)
+            .context("Failed to load device key for log signature")?;
+        let passphrase = passphrase_provider
+            .get_passphrase("Re-enter passphrase for log signature:")
+            .map_err(|e| anyhow::anyhow!("Passphrase error: {e}"))?;
+        let pkcs8 = auths_sdk::crypto::decrypt_keypair(&encrypted, &passphrase)
+            .context("Failed to decrypt key for log signature")?;
+        let parsed = auths_crypto::parse_key_material(&pkcs8)
+            .map_err(|e| anyhow::anyhow!("Failed to parse key: {e}"))?;
+        let sig = auths_crypto::typed_sign(&parsed.seed, &pae)
+            .map_err(|e| anyhow::anyhow!("Failed to sign DSSE PAE: {e}"))?;
+        Some(sig)
+    } else {
+        None
+    };
+
+    let transparency_json = submit_to_log(
+        &result.attestation_json,
+        log,
+        allow_unlogged,
+        dsse_sig.as_deref(),
+    )?;
+
+    let final_json = if let Some(transparency) = transparency_json {
+        merge_transparency(&result.attestation_json, transparency)?
+    } else {
+        result.attestation_json.clone()
+    };
+
     let output_path = output.unwrap_or_else(|| {
         let mut p = file.to_path_buf();
         let new_name = format!(
@@ -52,7 +93,7 @@ pub fn handle_sign(
         p
     });
 
-    std::fs::write(&output_path, &result.attestation_json)
+    std::fs::write(&output_path, &final_json)
         .with_context(|| format!("Failed to write signature to {:?}", output_path))?;
 
     println!(
 
@@ -97,11 +97,16 @@ pub(crate) async fn handle_join(
     let create_spinner = create_wait_spinner(&format!("{GEAR}Creating pairing response..."));
 
     // Create the response + ECDH
+    let pubkey_32: &[u8; 32] = material
+        .public_key
+        .as_slice()
+        .try_into()
+        .map_err(|_| anyhow::anyhow!("Pairing requires Ed25519 (32-byte) key"))?;
     let (pairing_response, shared_secret) = PairingResponse::create(
         now,
         &token,
         &material.seed,
-        &material.public_key,
+        pubkey_32,
         material.device_did.to_string(),
         Some(hostname()),
     )
 
@@ -181,12 +181,19 @@ fn resolve_issuer_key(
     if let Some(ref pk_hex) = cmd.issuer_pk {
         let pk_bytes =
             hex::decode(pk_hex).context("Invalid hex string provided for issuer public key")?;
-        if pk_bytes.len() != 32 {
-            return Err(anyhow!(
-                "Issuer public key must be 32 bytes (64 hex chars), got {} bytes",
-                pk_bytes.len()
-            ));
-        }
+        let curve = match pk_bytes.len() {
+            32 => auths_crypto::CurveType::Ed25519,
+            33 | 65 => auths_crypto::CurveType::P256,
+            _ => {
+                return Err(anyhow!(
+                    "Invalid issuer public key length: {}",
+                    pk_bytes.len()
+                ));
+            }
+        };
+        // Validate via DevicePublicKey type system
+        auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
+            .map_err(|e| anyhow!("Invalid issuer public key: {e}"))?;
         return Ok(pk_bytes);
     }
 
@@ -441,12 +448,18 @@ pub async fn handle_verify_attestation(
     let issuer_pk_bytes = hex::decode(issuer_pubkey_hex)
         .context("Invalid hex string provided for issuer public key")?;
 
-    if issuer_pk_bytes.len() != 32 {
-        return Err(anyhow!(
-            "Issuer public key must be 32 bytes (64 hex chars), got {} bytes",
-            issuer_pk_bytes.len()
-        ));
-    }
+    let curve = match issuer_pk_bytes.len() {
+        32 => auths_crypto::CurveType::Ed25519,
+        33 | 65 => auths_crypto::CurveType::P256,
+        _ => {
+            return Err(anyhow!(
+                "Invalid issuer public key length: {}",
+                issuer_pk_bytes.len()
+            ));
+        }
+    };
+    auths_verifier::DevicePublicKey::try_new(curve, &issuer_pk_bytes)
+        .map_err(|e| anyhow!("Invalid issuer public key: {e}"))?;
 
     match verify_with_keys(&att, &issuer_pk_bytes).await {
         Ok(_) => {
 
@@ -61,6 +61,8 @@ impl ExecutableCommand for PublishCommand {
                         ctx.repo_path.clone(),
                         ctx.passphrase_provider.clone(),
                         &ctx.env_config,
+                        &None,
+                        false,
                     )?;
                 }
                 p
 
@@ -192,6 +192,8 @@ pub fn handle_sign_unified(
                 repo_opt,
                 passphrase_provider,
                 env_config,
+                &None,
+                false,
             )
         }
         SignTarget::CommitRange(range) => sign_commit_range(&range),
Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,8 @@ impl ExecutableCommand for PublishCommand {`
`61`	`61`	`ctx.repo_path.clone(),`
`62`	`62`	`ctx.passphrase_provider.clone(),`
`63`	`63`	`&ctx.env_config,`
	`64`	`+ &None,`
	`65`	`+ false,`
`64`	`66`	`)?;`
`65`	`67`	`}`
`66`	`68`	`p`
Original file line number	Diff line number	Diff line change
`@@ -192,6 +192,8 @@ pub fn handle_sign_unified(`
`192`	`192`	`repo_opt,`
`193`	`193`	`passphrase_provider,`
`194`	`194`	`env_config,`
	`195`	`+ &None,`
	`196`	`+ false,`
`195`	`197`	`)`
`196`	`198`	`}`
`197`	`199`	`SignTarget::CommitRange(range) => sign_commit_range(&range),`