Omitly · Security

Signing keys

Omitly's trust chain has one cold root and rotating warm keys under it. The root is the only identity anchor — everything else chains to it.

Vendor root

Signs licence payloads and endorses attestation keys. Kept offline. The fingerprint below is the same value the app shows under About; compare them out-of-band before trusting any signed artifact.

Published after the signing-key ceremony.

Attestation keys

Warm keys that sign per-release attestations, each endorsed by the root (see the endorsement schema). They rotate; retired keys stay listed so older attestations remain verifiable.

No attestation key has been endorsed yet.

Per-install seal keys

Every Omitly install generates its own key for the tamper-evidence seal. These are integrity, not identity — a seal proves a document hasn't changed since it was sealed, not who produced it. They are not listed here and are never registered with us; verify them by comparing the fingerprint the app displays, out of band.

Verifying an attestation

  1. Download the attestation JSON from a release page.
  2. Canonicalize its payload with JCS (RFC 8785) and verify signature_hex (Ed25519) against the attestation key's public key below.
  3. Verify that key's endorsement record against the vendor root fingerprint above.
  4. Compare each artifacts[].sha256 against the file you actually downloaded.