Signed Snapshots

Signed snapshots add Ed25519 provenance to Vorliq's deterministic public snapshot. The snapshot hash is SHA-256 over canonical JSON with the signature object removed, and the signature signs that hash.

What It Proves

A valid signature proves that the published snapshot payload was produced by whoever controls the configured Vorliq snapshot signing private key. It strengthens operator authenticity on top of deterministic hash checks.

It does not prove legal status, financial value, banking safety, investment quality, custody safety, or future network availability. It does not rewrite historical blocks or change block hashes.

Verify

node tools/verify_snapshot.js https://vorliq.org
node tools/verify_snapshot.js https://vorliq.org --require-signature

Vorliq production snapshots are signed. The strict command should pass when the live signature verifies against the published production public key. If signing is disabled during an emergency, the first command can still pass deterministic checks with an unsigned warning, while the strict command fails.
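The check described above (SHA-256 over canonical JSON with the signature object removed, Ed25519 over that hash, strict and non-strict modes), as an added Node.js example; it is not the code of tools/verify_snapshot.js. The canonical form (recursively sorted keys, no whitespace), the field names signature.public_key_id and signature.value, and signing the hex hash string are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// ASSUMPTION: canonical JSON = keys sorted recursively, no whitespace.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v !== null && typeof v === 'object') {
    const body = Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(v[k]));
    return '{' + body.join(',') + '}';
  }
  return JSON.stringify(v);
}

// SHA-256 over the canonical JSON with the signature object removed.
function snapshotHash(snapshot) {
  const { signature, ...payload } = snapshot;
  return crypto.createHash('sha256').update(canonicalize(payload)).digest('hex');
}

// trustedKeys: Map of key id -> public key pinned out of band, never taken
// from the snapshot being checked. Historical ids stay listed after rotation.
function verifySnapshot(snapshot, trustedKeys, { requireSignature = false } = {}) {
  const hash = snapshotHash(snapshot);
  const sig = snapshot.signature;
  if (!sig || sig.enabled === false) {
    return { ok: !requireSignature, status: 'unsigned', hash };
  }
  const key = trustedKeys.get(sig.public_key_id); // hypothetical field name
  if (!key) return { ok: false, status: 'unknown-key', hash };
  // ASSUMPTION: the signature covers the hex hash string and is base64-encoded.
  const valid = crypto.verify(null, Buffer.from(hash, 'utf8'), key,
    Buffer.from(String(sig.value), 'base64'));
  return { ok: valid, status: valid ? 'valid' : 'invalid', hash };
}

// Constructed sample: throwaway keypair and a made-up payload, not Vorliq data.
function signSample(payload, privateKey, keyId) {
  const value = crypto.sign(null, Buffer.from(snapshotHash(payload), 'utf8'), privateKey);
  return { ...payload, signature: { enabled: true,
    public_key_id: keyId, value: value.toString('base64') } };
}

const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const pinned = new Map([['demo-key-1', publicKey]]);
const sample = signSample({ height: 12, balances: { b: 1, a: 5 } }, privateKey, 'demo-key-1');
console.log(verifySnapshot(sample, pinned, { requireSignature: true }).status);
console.log(verifySnapshot({ ...sample, height: 13 }, pinned).status);
```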

The safe public key metadata endpoint is GET /api/snapshot/public-key. It returns only the algorithm, public key id, public key, and signature enabled/required flags.

Archive

Production also writes signed snapshot archive records during deploy and once per day at 04:00 Europe/London. The latest 30 archives are kept so users can compare recent public state over time. Verify them with node tools/verify_snapshot_archive.js https://vorliq.org.

Archives contain signed public snapshot data and safe metadata only. They do not contain private signing keys, admin tokens, environment dumps, raw logs, raw IP addresses, raw user agents, SSH keys, or server paths.

Generate Keys

node tools/generate_snapshot_keypair.js

The tool prints a public key, private key, and public key id. Do not commit the private key. Store it only as a production secret. The public key and public key id can be published.

Production Configuration

# /etc/vorliq/snapshot-signing.env
VORLIQ_SNAPSHOT_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----..."
VORLIQ_SNAPSHOT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----..."
VORLIQ_REQUIRE_SNAPSHOT_SIGNATURE=true

Use a root-owned server environment file with mode 600 or an equivalent secret manager. Restart the backend after changing keys, then check /api/snapshot/verify and run node tools/verify_snapshot.js https://vorliq.org --require-signature. Never put the private key in frontend code, GitHub Pages, screenshots, logs, or public issue comments.

Key Rotation

Generate a new Ed25519 keypair, publish the new public key and public key id, deploy the new private key as a production secret, restart the backend, and verify that new snapshots report the new key id. Keep historical public keys documented so older signed snapshots can still be checked.

Disabled Signing

Unsigned snapshots report signature.enabled: false and signature.status: unsigned. In an emergency, operators can set VORLIQ_REQUIRE_SNAPSHOT_SIGNATURE=false, restart the backend, and report the reason publicly. That fallback keeps deterministic integrity checks available without production signing-key provenance.