Kit Trust Gate

The daemon enforces a cryptographic trust gate on every operator-initiated kit install. The gate is enabled by default: with no explicit configuration, only kits whose sigstore signature verifies and whose signer identity appears in your configured allowlist are allowed to install.

Trust Modes

The trust policy lives in daemon.yaml under a top-level trust: block:

trust:
  mode: signed-by-allowlist   # permissive | signed-by-allowlist
  issuerSet:
    - kit-publisher@example.com   # Fulcio SAN identities you trust
  actor: ops@example.com          # audit identity for trust overrides

Empty issuerSet is a misconfiguration

signed-by-allowlist with an empty issuerSet does not silently accept any validly-signed kit - it is treated as a misconfiguration. Installs are blocked until you populate the allowlist or explicitly opt out. The kit surface (list, show, verify) remains readable so you can inspect what would need to be allowlisted.

Inspecting a Kit's Trust State

Before adding a kit to the allowlist, check its current signature and signer identity:

rensei host kit verify <kit-id>

The output shows whether the kit is signed, the Fulcio SAN of the signer, and whether the signer is in your current trust.issuerSet.

Configuring the Allowlist

Populate trust.issuerSet in daemon.yaml with the Fulcio SAN identities you trust. The daemon performs SAN-exact matching with the OIDC issuer wildcarded, so you only need to specify the identity string (email or workflow URL):

trust:
  mode: signed-by-allowlist
  issuerSet:
    # Email identity (short-lived Fulcio cert)
    - kit-publisher@your-org.com
    # GitHub Actions workflow identity (OIDC keyless signing)
    - https://github.com/your-org/your-repo/.github/workflows/release.yml@refs/tags/v.*
  actor: ops@your-org.com

After editing daemon.yaml, restart the daemon for the change to take effect:

rensei host daemon restart

Bypassing the Gate

Two opt-out paths are available. Both are intentionally opt-in and audited.

Per-install bypass

Bypass the trust gate for a single install only. The bypass is audit-logged by the daemon with the kit ID, signer identity, and the configured trust.actor.

rensei host kit install <kit-id> --allow-unsigned

The CLI prints a warning before proceeding:

WARNING: --allow-unsigned bypasses signature verification for <kit-id>.
Unsigned kits can execute arbitrary shell commands; only proceed if you trust the source.
The bypass is audit-logged by the daemon.

Global bypass (daemon.yaml)

Set permissive mode in daemon.yaml. The daemon logs a warning on every gated install while in this mode.

trust:
  mode: permissive

Global bypass (environment variable)

Export DONMAI_KIT_TRUST_MODE=permissive before starting the daemon. Takes precedence over daemon.yaml when set.

DONMAI_KIT_TRUST_MODE=permissive rensei host daemon run

Troubleshooting a Blocked Install

When a kit install is rejected, the CLI output lists every remediation path:

install kit: 403 Forbidden

The kit was blocked by the daemon's trust gate (default: signed-by-allowlist).
To proceed, either:
  1. allowlist the kit's signer:  add it to trust.issuerSet in daemon.yaml
     (inspect the signer first:   kit verify <id>)
  2. bypass once (audit-logged):  kit install <id> --allow-unsigned
  3. disable the gate entirely:   set trust.mode: permissive in daemon.yaml
     or export DONMAI_KIT_TRUST_MODE=permissive (not recommended - unsigned
     kits can execute arbitrary shell commands)

Work through the steps in order:

1. Run rensei host kit verify <id> to get the kit's signer SAN.
2. If you trust the signer, add the SAN to trust.issuerSet in daemon.yaml and restart the daemon.
3. If you need a one-off install before updating config, use --allow-unsigned (audit-logged).
4. Only use permissive mode if you own every kit source end-to-end.

Related Pages

• Host Kit - Kit management commands (list, show, install, enable, disable)
• Daemon - Install and manage the daemon process
• Audit Trail - Where trust-override audit events are stored