Signed bundle releases for the Pilot Protocol app store.
RC1: local-bundle install only. The signed-Merkle-root catalog protocol is RC2 territory. For RC1, apps are distributed as bundle tarballs attached to GitHub Releases, fetched manually by operators, and installed via:
```
pilotctl appstore verify <bundle-dir>
pilotctl appstore install <bundle-dir>
```
Each bundle is a directory containing:
- `manifest.json`: the app's manifest (id, version, declared grants, sha256 pin)
- `bin/<binary>`: the binary at the path specified by `manifest.binary.path`

The pilotctl verify subcommand both checks the binary's sha256 against
the manifest's pin AND runs the manifest's semantic Validate before any
install is accepted.
| Repo | Description |
|---|---|
| pilot-protocol/app-store | App store plugin: supervisor + broker + audit |
| pilot-protocol/wallet | Reference wallet (io.pilot.wallet) |
| pilot-protocol/catalog (this repo) | Bundle release distribution |
- Bundle author pins binary sha256 in `manifest.json`
- `pilotctl verify` checks pin + runs manifest Validate
- `pilotctl install` re-verifies, stages atomically, atomic-renames
- Supervisor re-verifies sha256 on every spawn
- Failures audit-logged with both expected + actual hashes
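
An operator can reproduce the pin check independently before handing a downloaded bundle to pilotctl. The sketch below is an added example, not pilotctl's or the project's own code, and it does not run the manifest's semantic Validate. It assumes the pin is stored at `binary.sha256` next to `binary.path`; the names `verify_pin` and `PinError` are hypothetical.

```python
import hashlib
import hmac
import json
from pathlib import Path


class PinError(Exception):
    """Any verification failure; carries both hashes so they can be audit-logged."""

    def __init__(self, reason, expected=None, actual=None):
        super().__init__(f"{reason} (expected={expected}, actual={actual})")
        self.reason, self.expected, self.actual = reason, expected, actual


def verify_pin(bundle_dir):
    """Return the verified sha256 hex digest of the bundle's binary, or raise PinError."""
    root = Path(bundle_dir).resolve()
    try:
        manifest = json.loads((root / "manifest.json").read_text())
        rel_path = manifest["binary"]["path"]    # field named on the page
        expected = manifest["binary"]["sha256"]  # assumed location of the pin
    except (OSError, ValueError, KeyError, TypeError) as exc:
        raise PinError(f"unreadable manifest: {exc!r}") from exc
    if not isinstance(rel_path, str) or not isinstance(expected, str):
        raise PinError("binary.path and binary.sha256 must be strings")
    expected = expected.lower()
    # Fail closed on a missing or malformed pin instead of comparing garbage.
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise PinError("pin is not a 64-hex-char sha256", expected)
    # Resolve symlinks and ".." and require the binary to stay inside the bundle.
    target = (root / rel_path).resolve()
    if root not in target.parents or not target.is_file():
        raise PinError("binary path escapes bundle or is not a regular file", expected)
    digest = hashlib.sha256()
    with target.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    actual = digest.hexdigest()
    if not hmac.compare_digest(expected, actual):
        raise PinError("sha256 mismatch", expected, actual)
    return actual
```

A mismatch raises `PinError` with both `expected` and `actual` populated, matching the audit-log requirement in the list above.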
The compile-time-embedded EmbeddedCatalogPubkey is the all-zeros
fail-closed placeholder in RC1 (signed catalogs cannot yet be
authenticated). Production builds for RC2+ must replace it.
See app-store/CHANGELOG.md for the full list. Headlines: no catalog fetch + Merkle proof yet, partial resource limits (Linux RLIMIT_NOFILE only), no encrypted-at-rest identity, macOS + Linux only.