Add PCF-SIG v1.0: cryptographic signatures profile

.github/workflows/dotnet-ci.yml

@@ -5,27 +5,29 @@ on:
     branches: [master]
     paths:
       - 'implementations/dotnet/pcf/**'
+      - 'implementations/dotnet/pcf-sig/**'
       - 'implementations/dotnet/Directory.Build.props'
       - '.github/workflows/dotnet-ci.yml'
   pull_request:
     branches: [master]
     paths:
       - 'implementations/dotnet/pcf/**'
+      - 'implementations/dotnet/pcf-sig/**'
       - 'implementations/dotnet/Directory.Build.props'
       - '.github/workflows/dotnet-ci.yml'
 
-defaults:
-  run:
-    working-directory: implementations/dotnet/pcf
-
 jobs:
   test:
-    name: build & test (${{ matrix.os }})
+    name: build & test ${{ matrix.package }} (${{ matrix.os }})
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
+        package: [pcf, pcf-sig]
+    defaults:
+      run:
+        working-directory: implementations/dotnet/${{ matrix.package }}
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-dotnet@v4

.github/workflows/php-split.yml

@@ -5,6 +5,7 @@ on:
     branches: [master]
     paths:
       - 'implementations/php/pcf/**'
+      - 'implementations/php/pcf-sig/**'
       - '.github/workflows/php-split.yml'
   workflow_dispatch:
     inputs:
@@ -22,8 +23,14 @@ on:
 
 jobs:
   split:
-    name: split implementations/php/pcf → kduma-OSS-splits/PHP-PCF-lib
+    name: split ${{ matrix.package.dir }} → kduma-OSS-splits/${{ matrix.package.repo }}
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - { dir: 'implementations/php/pcf', repo: 'PHP-PCF-lib' }
+          - { dir: 'implementations/php/pcf-sig', repo: 'PHP-PCF-SIG-lib' }
     steps:
       - uses: actions/checkout@v4
         with:
@@ -42,7 +49,7 @@ jobs:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           set -euo pipefail
-          REPO="kduma-OSS-splits/PHP-PCF-lib"
+          REPO="kduma-OSS-splits/${{ matrix.package.repo }}"
           TMPDIR=$(mktemp -d)
           git clone "https://x-access-token:${GH_TOKEN}@github.com/$REPO.git" "$TMPDIR" 2>&1 || true
           if ! git -C "$TMPDIR" rev-parse HEAD >/dev/null 2>&1; then
@@ -78,9 +85,9 @@ jobs:
         env:
           PAT: x-access-token:${{ steps.app-token.outputs.token }}
         with:
-          package_directory: 'implementations/php/pcf'
+          package_directory: ${{ matrix.package.dir }}
           repository_organization: 'kduma-OSS-splits'
-          repository_name: 'PHP-PCF-lib'
+          repository_name: ${{ matrix.package.repo }}
           branch: 'master'
           user_name: 'github-actions[bot]'
           user_email: '41898282+github-actions[bot]@users.noreply.github.com'
@@ -92,9 +99,9 @@ jobs:
           PAT: x-access-token:${{ steps.app-token.outputs.token }}
         with:
           tag: ${{ steps.resolve-tag.outputs.tag }}
-          package_directory: 'implementations/php/pcf'
+          package_directory: ${{ matrix.package.dir }}
           repository_organization: 'kduma-OSS-splits'
-          repository_name: 'PHP-PCF-lib'
+          repository_name: ${{ matrix.package.repo }}
           branch: 'master'
           user_name: 'github-actions[bot]'
           user_email: '41898282+github-actions[bot]@users.noreply.github.com'

.github/workflows/php.yml

@@ -6,26 +6,26 @@ on:
   pull_request:
     branches: [master]
 
-defaults:
-  run:
-    working-directory: implementations/php/pcf
-
 jobs:
   test:
-    name: test (PHP ${{ matrix.php }})
+    name: test ${{ matrix.package }} (PHP ${{ matrix.php }})
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         php: ['8.1', '8.2', '8.3', '8.4']
+        package: [pcf, pcf-sig]
+    defaults:
+      run:
+        working-directory: implementations/php/${{ matrix.package }}
     steps:
       - uses: actions/checkout@v4
 
       - name: Set up PHP
         uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php }}
-          extensions: hash, mbstring
+          extensions: hash, mbstring, sodium
           coverage: none
           tools: composer:v2
 
@@ -39,31 +39,40 @@ jobs:
         run: vendor/bin/phpunit
 
   test-vector:
-    name: regenerate spec test vector
+    name: regenerate spec test vector (${{ matrix.package }})
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - { package: pcf,     output: pcf_testvector.bin,    expected: 395 }
+          - { package: pcf-sig, output: pcfsig_testvector.bin, expected: 966 }
+    defaults:
+      run:
+        working-directory: implementations/php/${{ matrix.package }}
     steps:
       - uses: actions/checkout@v4
 
       - name: Set up PHP
         uses: shivammathur/setup-php@v2
         with:
           php-version: '8.3'
-          extensions: hash, mbstring
+          extensions: hash, mbstring, sodium
           coverage: none
           tools: composer:v2
 
       - name: Install dependencies
         run: composer install --prefer-dist --no-progress --no-interaction
 
       - name: Build the test-vector example
-        run: php examples/gen_testvector.php pcf_testvector.bin
+        run: php examples/gen_testvector.php ${{ matrix.output }}
 
       - name: Inspect generated test vector
         run: |
-          ls -l pcf_testvector.bin
-          test "$(wc -c < pcf_testvector.bin)" = "395"
+          ls -l ${{ matrix.output }}
+          test "$(wc -c < ${{ matrix.output }})" = "${{ matrix.expected }}"
 
       - uses: actions/upload-artifact@v4
         with:
-          name: pcf-testvector-php
-          path: implementations/php/pcf/pcf_testvector.bin
+          name: ${{ matrix.package }}-testvector-php
+          path: implementations/php/${{ matrix.package }}/${{ matrix.output }}

.github/workflows/release-prepare.yml

@@ -75,18 +75,30 @@ jobs:
           NEW='${{ steps.version.outputs.version }}'
           sed -i 's/^version = "[^"]*"/version = "'"$NEW"'"/' reference/PCF-v1.0/Cargo.toml
           sed -i 's/^version = "[^"]*"/version = "'"$NEW"'"/' reference/PFS-MS-v1.0/Cargo.toml
+          sed -i 's/^version = "[^"]*"/version = "'"$NEW"'"/' reference/PCF-SIG-v1.0/Cargo.toml
           sed -i 's/^version = "[^"]*"/version = "'"$NEW"'"/' tools/pcf-debug/Cargo.toml
           sed -i 's/^version = "[^"]*"/version = "'"$NEW"'"/' tools/pcf-compact/Cargo.toml
           # path-dep version pins on pcf
           sed -i 's|pcf = { path = "\.\./PCF-v1.0", version = "[^"]*" }|pcf = { path = "../PCF-v1.0", version = "'"$NEW"'" }|' reference/PFS-MS-v1.0/Cargo.toml
+          sed -i 's|pcf = { path = "\.\./PCF-v1.0", version = "[^"]*" }|pcf = { path = "../PCF-v1.0", version = "'"$NEW"'" }|' reference/PCF-SIG-v1.0/Cargo.toml
           sed -i 's|pcf = { path = "\.\./\.\./reference/PCF-v1.0", version = "[^"]*" }|pcf = { path = "../../reference/PCF-v1.0", version = "'"$NEW"'" }|' tools/pcf-debug/Cargo.toml
+          sed -i 's|pcf-sig = { path = "\.\./\.\./reference/PCF-SIG-v1.0", version = "[^"]*" }|pcf-sig = { path = "../../reference/PCF-SIG-v1.0", version = "'"$NEW"'" }|' tools/pcf-debug/Cargo.toml
           sed -i 's|pcf = { path = "\.\./\.\./reference/PCF-v1.0", version = "[^"]*" }|pcf = { path = "../../reference/PCF-v1.0", version = "'"$NEW"'" }|' tools/pcf-compact/Cargo.toml
 
       - name: Bump TypeScript packages
         shell: bash
         working-directory: implementations/ts
         run: npm version '${{ steps.version.outputs.version }}' -ws --no-git-tag-version --allow-same-version
 
+      - name: Bump PHP pcf-sig dependency on pcf
+        shell: bash
+        run: |
+          NEW='${{ steps.version.outputs.version }}'
+          # Bump the require constraint (caret) and the path-repo version pin
+          # (plain semver inside the versions object).
+          sed -i 's|"kduma/pcf": "\^[^"]*"|"kduma/pcf": "^'"$NEW"'"|' implementations/php/pcf-sig/composer.json
+          sed -i 's|"versions": { "kduma/pcf": "[^"]*" }|"versions": { "kduma/pcf": "'"$NEW"'" }|' implementations/php/pcf-sig/composer.json
+
       - name: Bump .NET Directory.Build.props
         shell: bash
         run: |

.github/workflows/release.yml

@@ -106,6 +106,19 @@ jobs:
         if: needs.resolve.outputs.dry_run != 'true'
         run: sleep 45
 
+      - name: cargo publish pcf-sig
+        shell: bash
+        run: |
+          if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
+            cargo publish -p pcf-sig --allow-dirty --dry-run
+          else
+            cargo publish -p pcf-sig --allow-dirty --token "${{ steps.cargo-auth.outputs.token }}"
+          fi
+
+      - name: Wait for crates.io index
+        if: needs.resolve.outputs.dry_run != 'true'
+        run: sleep 45
+
       - name: cargo publish pfs-ms
         shell: bash
         run: |
@@ -163,13 +176,21 @@ jobs:
         run: npm install -g npm@latest
       - run: npm ci
       - run: npm run build -w @kduma-oss/pcf
-      - name: npm publish (OIDC trusted publishing, auto-provenance)
+      - run: npm run build -w @kduma-oss/pcf-sig
+      - name: npm publish pcf (OIDC trusted publishing, auto-provenance)
         run: |
           if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
             npm publish -w @kduma-oss/pcf --access public --dry-run
           else
             npm publish -w @kduma-oss/pcf --access public
           fi
+      - name: npm publish pcf-sig
+        run: |
+          if [ "${{ needs.resolve.outputs.dry_run }}" = "true" ]; then
+            npm publish -w @kduma-oss/pcf-sig --access public --dry-run
+          else
+            npm publish -w @kduma-oss/pcf-sig --access public
+          fi
 
   publish-nuget:
     name: Publish to NuGet
@@ -214,6 +235,49 @@ jobs:
           name: nuget-package
           path: implementations/dotnet/pcf/out/*.nupkg
 
+  publish-nuget-sig:
+    name: Publish KDuma.Pcf.Sig to NuGet
+    needs: [resolve, publish-nuget]
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    defaults:
+      run:
+        working-directory: implementations/dotnet/pcf-sig
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '8.0.x'
+      - run: dotnet restore
+      - name: dotnet pack
+        run: |
+          dotnet pack src/Pcf.Sig/Pcf.Sig.csproj \
+            -c Release \
+            -p:Version='${{ needs.resolve.outputs.version }}' \
+            -o out
+      - name: NuGet login (OIDC trusted publishing)
+        id: nuget-login
+        if: needs.resolve.outputs.dry_run != 'true'
+        uses: NuGet/login@v1
+        with:
+          user: krystianduma
+      - name: dotnet nuget push
+        if: needs.resolve.outputs.dry_run != 'true'
+        run: |
+          dotnet nuget push out/*.nupkg \
+            --source https://api.nuget.org/v3/index.json \
+            --api-key '${{ steps.nuget-login.outputs.NUGET_API_KEY }}' \
+            --skip-duplicate
+      - name: Dry-run note
+        if: needs.resolve.outputs.dry_run == 'true'
+        run: 'echo "Dry-run - skipping dotnet nuget push. Package would be out/*.nupkg."'
+      - uses: actions/upload-artifact@v4
+        with:
+          name: nuget-package-sig
+          path: implementations/dotnet/pcf-sig/out/*.nupkg
+
   split-php:
     name: Split PHP to packagist source repo
     needs: resolve

.github/workflows/ts-ci.yml

@@ -23,6 +23,7 @@ jobs:
           cache-dependency-path: implementations/ts/package-lock.json
       - run: npm ci
       - run: npm run build -w @kduma-oss/pcf
+      - run: npm run build -w @kduma-oss/pcf-sig
 
   test:
     name: test (${{ matrix.os }})
@@ -40,6 +41,10 @@ jobs:
           cache-dependency-path: implementations/ts/package-lock.json
       - run: npm ci
       - run: npm test -w @kduma-oss/pcf
+      # pcf-sig imports the compiled @kduma-oss/pcf dist/; build pcf first
+      # so the workspace dependency resolves before vitest runs.
+      - run: npm run build -w @kduma-oss/pcf
+      - run: npm test -w @kduma-oss/pcf-sig
 
   test-vector:
     name: regenerate spec test vector
@@ -52,16 +57,26 @@ jobs:
           cache: npm
           cache-dependency-path: implementations/ts/package-lock.json
       - run: npm ci
-      - name: Build and run the test-vector example
+      - name: Build PCF (required before pcf-sig can import @kduma-oss/pcf)
+        run: npm run build -w @kduma-oss/pcf
+      - name: Build and run the PCF test-vector example
         run: npm run gen-testvector -w @kduma-oss/pcf -- pcf_testvector.bin
-      - name: Inspect generated test vector
+      - name: Inspect PCF test vector
         run: |
           ls -l pcf/pcf_testvector.bin
           test "$(wc -c < pcf/pcf_testvector.bin)" = "395"
+      - name: Build and run the PCF-SIG test-vector example
+        run: npm run gen-testvector -w @kduma-oss/pcf-sig -- pcfsig_testvector.bin
+      - name: Inspect PCF-SIG test vector
+        run: |
+          ls -l pcf-sig/pcfsig_testvector.bin
+          test "$(wc -c < pcf-sig/pcfsig_testvector.bin)" = "966"
       - uses: actions/upload-artifact@v4
         with:
           name: pcf-testvector-ts
-          path: implementations/ts/pcf/pcf_testvector.bin
+          path: |
+            implementations/ts/pcf/pcf_testvector.bin
+            implementations/ts/pcf-sig/pcfsig_testvector.bin
 
   coverage:
     name: code coverage
@@ -74,9 +89,15 @@ jobs:
           cache: npm
           cache-dependency-path: implementations/ts/package-lock.json
       - run: npm ci
-      - name: Generate coverage report (enforces >=95% line / 100% function)
+      - name: Generate PCF coverage report (enforces >=95% line / 100% function)
         run: npm run coverage -w @kduma-oss/pcf
+      - name: Build PCF (required before pcf-sig can import @kduma-oss/pcf)
+        run: npm run build -w @kduma-oss/pcf
+      - name: Generate PCF-SIG coverage report (enforces >=90% line / 100% function)
+        run: npm run coverage -w @kduma-oss/pcf-sig
       - uses: actions/upload-artifact@v4
         with:
           name: coverage-lcov-ts
-          path: implementations/ts/pcf/coverage/lcov.info
+          path: |
+            implementations/ts/pcf/coverage/lcov.info
+            implementations/ts/pcf-sig/coverage/lcov.info

Cargo.toml

@@ -3,6 +3,7 @@ resolver = "2"
 members = [
     "reference/PCF-v1.0",
     "reference/PFS-MS-v1.0",
+    "reference/PCF-SIG-v1.0",
     "tools/pcf-debug",
     "tools/pcf-compact",
 ]

implementations/dotnet/pcf-sig/.gitignore

@@ -0,0 +1,9 @@
+# --- .NET build artefacts ---
+bin/
+obj/
+out/
+*.user
+
+# --- Generated test vectors ---
+*.bin
+!testdata/canonical.bin