Event Signing

Overview

Cosmictron signs every event (WAL entry) with an Ed25519 signature at write time. This makes the event log tamper-evident: any modification to a past event will produce an invalid signature that verification tools will detect.

How it works

When a reducer commits, Cosmictron:

Assembles the event payload: (seq, reducer_name, sender_identity, timestamp, content_hash, prev_hash)
Signs the payload with the node’s Ed25519 signing key
Appends (payload, signature) to the WAL

The signing operation adds negligible latency (Ed25519 is ~50 µs on modern hardware).

Key management

The node signing key is stored in the COSMICTRON_DATA_DIR/keys/ directory:

keys/
├── signing.key       # Ed25519 private key (encrypted at rest)
├── signing.pub       # Public key
└── signing.cert      # Certificate chain (if using PKI)

Key generation on first start:

# Auto-generated on first start, or generate explicitly:
cosmictron-cli keys generate --type ed25519

Verifying signatures

# Verify the integrity of the event log
cosmictron-cli audit verify --from 2026-01-01 --to 2026-01-31

# Verify a specific exported bundle
cosmictron-cli audit verify-bundle audit-jan-2026.bundle

Example output:

Verifying 12,847 events...
Chain integrity: OK
Signature validity: OK (12,847/12,847)
TSA tokens: OK (12,847/12,847)

Enabling event signing

In config.toml:

[compliance]
event_signing = true
signing_key_path = "/data/keys/signing.key"

Or via environment variable:

COSMICTRON_EVENT_SIGNING=true
COSMICTRON_SIGNING_KEY_PATH=/data/keys/signing.key

Event signing is automatically enabled in the maximum_safety performance profile.

Algorithm details

Property	Value
Signing algorithm	Ed25519 (RFC 8032)
Key size	256-bit private key, 256-bit public key
Signature size	64 bytes
Hash function	SHA-512 (internal to Ed25519)
Payload hash	SHA-256 over serialized event

Hash Chain — chaining events together
Threshold Signing — M-of-N signing with FROST
Audit Bundles — export and verify signed event sets