NeoArc Studio

Artefact Integrity and Trust

Cryptographic integrity verification, digital signing, trust-on-first-use certificate management, and optional encryption for artefact packages shared between workspaces.

Three Layers of Integrity

Every artefact package includes three independent integrity mechanisms that work together to ensure content has not been tampered with.

Per-File Hashing
Every individual file within the artefact is SHA-256 hashed. The import ceremony verifies each hash independently, so a single corrupted file is caught without rejecting the entire package.
Payload Hash
The entire payload (all items combined) is hashed with SHA-256. This hash is stored in the manifest, which sits outside the payload. Even if individual file hashes pass, a modified payload structure is detected.
Digital Signature
The payload hash is signed with the exporter's RSA-2048 private key using RSASSA-PKCS1-v1_5 with SHA-256. The signature proves both integrity and identity - you know who created the artefact and that they actually created what you received.

Certificate Tiers

NeoArc Studio supports two certificate tiers, each suited to different organisational contexts.

TOFU (Trust on First Use)
NeoArc Studio generates an RSA-2048 key pair locally. No certificate authority needed. The first time a new signer's certificate appears, the importer decides whether to trust it. Trusted certificates are stored in the local trust store and verified automatically on subsequent imports.
Bring Your Own Certificate
Organisations with existing PKI can import their own PEM certificate and private key. This integrates with corporate certificate infrastructure and provides stronger identity assurance through an established chain of trust.

The TOFU Trust Model

TOFU works like SSH host key verification. The trust store lives at governance/certificate-store.json within the workspace.

If a previously trusted signer's certificate changes unexpectedly, the import ceremony flags this as a potential security concern - the same way SSH warns about changed host keys.

Encryption Tiers

Artefacts can optionally be encrypted for secure transport. The manifest, signature, and provenance remain readable even when the payload is encrypted, so the recipient can verify the signer before decrypting.

Tier        | Method                                 | Use Case
None        | Plaintext payload                      | Internal sharing on trusted networks
Symmetric   | AES-256-GCM with PBKDF2 key derivation | USB transfer, email, shared drives - passphrase shared out of band
Certificate | RSA-OAEP recipient encryption          | Targeted sharing where only the intended recipient can decrypt

Verification During Import

The import ceremony performs verification in a strict sequence. Each step must pass before the next begins. The visual ceremony shows each check as it completes, so the importer has full confidence in the integrity of the content before accepting it into their workspace.