PriviNet Lumra - published signing keys (key directory) ======================================================= These are the public keys PriviNet uses to sign records, plus the demo device key used by the public source-signing demo. Use this list as an out-of-band trust root: a ProofPack is signed by PriviNet only if the signing key and the manifest key match a PriviNet key below. The standalone verifier (verify_proofpack.py) pins the PriviNet keys and warns on any mismatch. A machine-readable copy is at privinet.net/keys.json. Public keys are safe to publish; the matching private keys never leave PriviNet's signing environment. The production key is held in a Google Cloud KMS hardware security module (HSM, FIPS 140-2 Level 3) and is non-extractable: PriviNet's servers can request signatures but can never read or copy the private key. PriviNet signing keys --------------------- key_id: kms-1944107aa98ec035 role: record and manifest signing (production) status: active (since 2026-07-06) custody: Google Cloud KMS HSM, non-extractable algorithm: ECDSA P-256 with SHA-256 (signature is DER-encoded; the signed message is the digest hex string's UTF-8 bytes, per the ProofPack's verify_instructions) p256_public_key_hex (uncompressed SEC1 point): 04bc55de97e806fbeaf95298588a87cf7f1404640f7b9d359fbbc0f1b2bf408f8be837d1cfa641778a11fd9776be566a2c938b8891d29a7182c15500a05b2e6655 key_id: sw-77396abcd4102123 role: record and manifest signing status: fallback (primary signing rotated to the HSM key above 2026-07-06; NOT compromised) note: valid for all records signed before the cutover, and retained as an availability fallback afterward: if the HSM is briefly unreachable, a record is signed with this key and labeled software_key in the record itself, never passed off as HSM-signed. ed25519_public_key_hex: 33b8163a6debfb9fcf6664118c7c7a0a9e9ee9d0429ef97343a57f0727b0edd6 Demo device keys (source-signing demonstration only) ---------------------------------------------------- key_id: metalert-smartsole-002 role: demo edge device (signs at the source in /v1/demo/metalert-edge-signed) status: active ed25519_public_key_hex: 5cbf574f7a61a92010178d69ada7a33736a23f0f8e279cd360f67c89cf157242 key_id: voice-platform-demo-001 role: demo voice platform (signs conversation records at the source in /v1/demo/voice-interaction-event-signed; Vendor-signature-preserved) status: active ed25519_public_key_hex: deb98981a7084aa9500d91cc0139ed529b3da70e738049dd6f1708dd2ca1d6c3 Cold-chain multi-source demo device keys (four independent vendors) ------------------------------------------------------------------- These four represent four different vendors' LoRaWAN sensors in the public multi-source demo (/v1/demo/coldchain-sample-incident). Each signs its own reading at the source with its own key; Lumra verifies each and binds the four into one incident. No single vendor is the arbiter. key_id: coldchain-reefer-temp-001 role: demo reefer temperature logger (vendor: ThermoGuard LoRa) status: active ed25519_public_key_hex: a68551928de6f33cb7f2341bc4987dadce1da1b1dca74b95ab6034b189a06d37 key_id: coldchain-gps-tracker-001 role: demo GPS asset tracker (vendor: TrackPoint LoRaWAN) status: active ed25519_public_key_hex: 5c0da40c72f28f80507c6b185ea35e3ba4e775b65898acd1b7020110f67704de key_id: coldchain-door-seal-001 role: demo door and seal sensor (vendor: SealSense) status: active ed25519_public_key_hex: cf4ac35a741c1c5ef73bdc1a6a0660c5d0c3ab250b95a75dad333fb1d225ea10 key_id: coldchain-humidity-shock-001 role: demo humidity and shock sensor (vendor: EnviroTag) status: active ed25519_public_key_hex: 71cc1950e192b9c9d52d18c00ccebc8a998e3d71d8808174cb3732902fa54620 Key lifecycle ------------- - Rotation: when a signing key is rotated, the new key is added here as "active" and the previous key is marked "retired". Retired keys stay listed and stay valid for records they signed before retirement, so old ProofPacks keep verifying. - Revocation: a compromised key is marked "revoked" with the date; records it signed after that date should not be trusted. The verifier treats an unlisted or revoked key as a warning, never a silent pass. - Roadmap: per-tenant signing keys (each client's records under their own HSM-held key). Key ids and status here are the source of truth regardless of where the private key is held. - Questions: brad@privinet.net. Last updated: 2026-07-09