Binary signing

A signed binary carries an Ed25519 signature that the kernel verifies at exec to decide its PIP trust level. Signing is the only path to PIP protection — there is no runtime API to escalate. This page covers what signing accomplishes, how it relates to PIP, and the permissiveness rule that makes signing additive rather than gating.

A Peios signature is 65 bytes — a version byte plus a 64-byte Ed25519 signature over a 32-byte SHA-256 hash. The same blob lives in different places depending on the file type. This page covers the format itself, where it goes for ELF and non-ELF files, and how the hash is computed in each case.

At exec, the kernel verifies the signature against its public-key catalogue and assigns the new process's PIP fields based on the result. Once verified, the binary's inode is pinned against modification — updates must replace the file by inode rather than overwriting it. This page covers the verification flow, the stable-snapshot rule, scripts and interpreters, and content pinning.

The kernel's public-key catalogue is compiled into the kernel image at build time. The corresponding private keys are held by image builders and MUST NOT be present on a running Peios system. This page covers the key catalogue, the peiso image-build flow, the constraints on key handling, and the v0.20 limitation of one signing key.