SociOS-Linux · mdheller · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026
diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml
@@ -26,6 +26,7 @@ jobs:
         with:
           toolchain: stable
           target: x86_64-unknown-linux-gnu
+          cache: false
 
       - name: Run validation suite
         run: |

diff --git a/AGENT_TASKS/fix-rust-signature-canonicalization.md b/AGENT_TASKS/fix-rust-signature-canonicalization.md
@@ -0,0 +1,88 @@
+# Agent task: fix Rust manifest signature canonicalization
+
+Target: `SociOS-Linux/nlboot` PR `#8` / branch `chatgpt/release-candidate-proof`.
+
+## Problem
+
+The release-candidate proof PR triggered both `nlboot validate` and `nlboot release candidate` workflows. Both failed during Rust tests.
+
+The Python reference verifier canonicalizes signed manifest payloads as compact JSON with sorted keys:
+
+```python
+json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode("utf-8")
+```
+
+The Rust verifier currently removes `signature_hex` but serializes the remaining `serde_json::Value::Object` using the existing object order. The fixture signature was produced against the Python canonical payload, so Rust fails with:
+
+```text
+Error: signature verification failed
+```
+
+## Required fix
+
+1. Update `rust/nlboot-client/src/main.rs` so `canonical_manifest_payload` recursively sorts object keys before serialization.
+2. Preserve compact `serde_json::to_vec` output.
+3. Keep array ordering unchanged.
+4. Add or update a focused test if needed.
+5. Rerun:
+
+```bash
+make rust-test
+make rust-run-fixture
+make rust-fetch-fixture
+make rust-execute-dry-run-fixture
+make rust-exec-dry-run-fixture
+make rust-apple-m2-dry-run-fixture
+```
+
+## Suggested Rust shape
+
+```rust
+fn sort_json_value(value: &Value) -> Value {
+    match value {
+        Value::Object(map) => {
+            let mut entries: BTreeMap<String, Value> = BTreeMap::new();
+            for (key, value) in map {
+                entries.insert(key.clone(), sort_json_value(value));
+            }
+            let mut sorted = serde_json::Map::new();
+            for (key, value) in entries {
+                sorted.insert(key, value);
+            }
+            Value::Object(sorted)
+        }
+        Value::Array(items) => Value::Array(items.iter().map(sort_json_value).collect()),
+        other => other.clone(),
+    }
+}
+
+fn canonical_manifest_payload(manifest_value: &Value) -> Result<Vec<u8>> {
+    let mut unsigned = manifest_value
+        .as_object()
+        .cloned()
+        .context("manifest must be a JSON object")?;
+    unsigned.remove("signature_hex");
+    Ok(serde_json::to_vec(&sort_json_value(&Value::Object(unsigned)))?)
+}
+```
+
+`BTreeMap` is already imported in `main.rs`.
+
+## Workflow fix
+
+The release-candidate workflow also shows the Rust setup cache invoking `cargo metadata` at the repository root, which has no `Cargo.toml`.
+
+Set `cache: false` on `actions-rust-lang/setup-rust-toolchain@v1` in:
+
+- `.github/workflows/release-candidate.yml`
+- `.github/workflows/validate.yml`
+- `.github/workflows/release.yml`
+
+or otherwise configure caching so Cargo runs from `rust/nlboot-client`.
+
+## Acceptance criteria
+
+- PR `#8` workflows rerun.
+- Rust tests no longer fail on fixture signature verification.
+- Release-candidate workflow reaches artifact assembly or fails later with a new actionable error.
+- No runtime host-changing behavior is broadened.
diff --git a/docs/RELEASE_CANDIDATE_PROOF.md b/docs/RELEASE_CANDIDATE_PROOF.md
@@ -0,0 +1,29 @@
+# NLBoot Release-Candidate Proof
+
+This document exists to exercise the release-candidate workflow through a normal pull-request path.
+
+The release-candidate workflow is expected to:
+
+- run the full NLBoot validation suite;
+- generate a dependency lockfile in the workflow environment;
+- build a locked `nlboot-client` release candidate for `x86_64-unknown-linux-gnu`;
+- emit dependency metadata through `cargo metadata --locked`;
+- package a release-candidate archive;
+- write a SHA-256 checksum;
+- attach provenance where GitHub supports it;
+- upload the artifact without publishing a stable GitHub release.
+
+This proof PR must not change NLBoot runtime behavior. It is release-process validation only.
+
+## Expected workflow
+
+```text
+.github/workflows/release-candidate.yml
+```
+
+## Completion condition
+
+This proof is complete when the release-candidate workflow runs on the PR and either:
+
+1. succeeds and uploads the release-candidate artifact; or
+2. fails with actionable logs that can be fixed in a follow-up release-hardening PR.
diff --git a/examples/signed_boot_manifest.recovery.json b/examples/signed_boot_manifest.recovery.json
@@ -1,16 +1,16 @@
 {
-  "manifest_id": "urn:srcos:boot-manifest:m2-demo-recovery-2026-04-26",
-  "boot_release_set_id": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26",
-  "base_release_set_ref": "urn:srcos:release-set:m2-demo-2026-04-26",
-  "boot_mode": "recovery",
   "artifacts": {
-    "kernel_ref": "urn:srcos:artifact:m2-demo-recovery-kernel-sha256-0f3b6d7f",
     "initrd_ref": "urn:srcos:artifact:m2-demo-recovery-initrd-sha256-08f4c82e",
+    "kernel_ref": "urn:srcos:artifact:m2-demo-recovery-kernel-sha256-0f3b6d7f",
     "rootfs_ref": "urn:srcos:artifact:m2-demo-recovery-rootfs-sha256-5f4dcc3b"
   },
+  "base_release_set_ref": "urn:srcos:release-set:m2-demo-2026-04-26",
+  "boot_mode": "recovery",
+  "boot_release_set_id": "urn:srcos:boot-release-set:m2-demo-recovery-2026-04-26",
+  "crypto_profile": "fips-140-3-compatible",
+  "manifest_id": "urn:srcos:boot-manifest:m2-demo-recovery-2026-04-26",
+  "signature_algorithm": "rsa-pss-sha256",
   "signature_ref": "urn:srcos:signature:m2-demo-recovery-2026-04-26",
   "signer_ref": "urn:srcos:key:sourceos-release-root",
-  "signature_algorithm": "rsa-pss-sha256",
-  "crypto_profile": "fips-140-3-compatible",
   "signature_hex": "56e76990dbbed93973e40284129249f61fb3c257e62c3b84a058a735a8ecb35a4abd8544144baf4437dd9e59123073d6005cf8b9cc0011aa16f25d4c6bbc48d1a6f9741d0c848262623c38dedc97457101f27b4ac22d854f91be4061e028024760136dfffe65293ea7bd4e2bc393be7f912f0d69eec72bfd92651b6924e37f1a1c4108bba99f322d5e0bf85581f540048e0eeb565ec71d8335139c3eb3a8f0b4f68a80e9e9ddc526de9017c8e6d0ab8d854755bfde2e36aedbc42e1885bca8124bb253f098116d2fae26657da5be6474305e765d71df2905ff82cd7465687b9c78827ecfb1e647a32c1c72716a3636de41e99f15959757fb03cd770dc5bb7e17"
 }
diff --git a/rust/nlboot-client/.gitignore b/rust/nlboot-client/.gitignore
@@ -0,0 +1 @@
+target/