#23802: Skills: add trusted publisher allowlist policy
agents
size: M
trusted-contributor
Cluster: Skill Security Enhancements
## Summary
- add `skills.trustedPublishers` allowlist policy for verified skill signatures
- block unsigned/unknown-publisher skills when trusted publishers are configured
- accept either signature `publisher` or `keyId` matches (case-insensitive)
- add config validation + policy tests
## Why
This enables explicit publisher trust control so “signed” is not enough by itself; signatures must map to trusted identities.
## Tests
- `pnpm vitest run src/agents/skills/signature.test.ts src/agents/skills/config.trusted-publishers.test.ts src/agents/skills.test.ts src/config/config.skills-trusted-publishers.test.ts`
- `pnpm lint`
<h3>Greptile Summary</h3>
This PR adds a `skills.trustedPublishers` allowlist policy to enforce explicit publisher trust control for verified skill signatures. The implementation introduces signature verification using ed25519, blocking unsigned or unknown-publisher skills when the allowlist is configured.
**Key changes:**
- New signature verification module (`signature.ts`) that validates ed25519 signatures on skill directories
- Skills with invalid signatures are quarantined and excluded from the skill snapshot
- `shouldIncludeSkill` enforces the allowlist policy with case-insensitive matching on both `publisher` and `keyId` fields
- Configuration schema extended with `skills.trustedPublishers` array
- Comprehensive test coverage for signature verification, policy enforcement, and config validation
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk
- The implementation is well-structured with comprehensive test coverage including signature verification, policy enforcement, and config validation. The code follows TypeScript best practices with proper error handling, the signature verification uses standard crypto primitives correctly, and invalid signatures are safely quarantined. No logical errors or security issues were found.
- No files require special attention
<sub>Last reviewed commit: a70f308</sub>
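
The allowlist decision described in the summary above, as an added TypeScript sketch that is not the PR's code. The type, function and reason names are assumptions, as is the choice to let an allowlist made only of blank entries match nothing rather than disable the policy.

```typescript
// Added example: names and shapes below are assumptions, not the project's API.
type SignatureResult =
  | { status: "unsigned" }
  | { status: "invalid" }
  | { status: "verified"; publisher?: string; keyId?: string };

type Decision = { allowed: boolean; reason: string };

const norm = (v: string): string => v.trim().toLowerCase();

function evaluatePublisherPolicy(
  sig: SignatureResult,
  trustedPublishers: readonly string[] = [],
): Decision {
  // A signature that fails verification is quarantined whatever the allowlist says.
  if (sig.status === "invalid") return { allowed: false, reason: "invalid-signature" };

  // No allowlist configured: the publisher policy is not enforced.
  if (trustedPublishers.length === 0) return { allowed: true, reason: "allowlist-not-configured" };

  // Allowlist configured: an unsigned skill is no longer acceptable.
  if (sig.status === "unsigned") return { allowed: false, reason: "unsigned" };

  // Compare only identity fields that came out of a verified signature.
  // Blank entries are dropped, so an allowlist of blanks matches nothing (fails closed).
  const allow = trustedPublishers.map(norm).filter((e) => e !== "");
  const ids = [sig.publisher, sig.keyId]
    .filter((v): v is string => typeof v === "string")
    .map(norm)
    .filter((v) => v !== "");
  return ids.some((id) => allow.indexOf(id) !== -1)
    ? { allowed: true, reason: "trusted-publisher" }
    : { allowed: false, reason: "unknown-publisher" };
}

// Constructed sample inputs (publisher names and key ids are made up).
const trusted = ["Acme-Skills", "KEY-01AB"];
function sampleReasons(): string[] {
  const cases: SignatureResult[] = [
    { status: "verified", publisher: "acme-skills" }, // publisher match, case-insensitive
    { status: "verified", publisher: "someone-else", keyId: "key-01ab" }, // keyId match
    { status: "verified", publisher: "someone-else", keyId: "key-ffff" }, // signed, not trusted
    { status: "unsigned" },
    { status: "invalid" },
  ];
  return cases.map((c) => evaluatePublisherPolicy(c, trusted).reason);
}
```

The third case is the one the "Why" section is about: the signature verifies, but neither identity is on the allowlist, so the skill is still blocked.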
## Most Similar PRs
- #23785: Skills: add signature verification and quarantine invalid signatures (by bmendonca3 · 2026-02-22, 83.2%)
- #23795: Skills: enforce managed skills.lock integrity with allowUnlocked es... (by bmendonca3 · 2026-02-22, 73.5%)
- #8075: fix(skills): add --ignore-scripts to all package managers (by yubrew · 2026-02-03, 73.0%)
- #23754: Skills: enforce capability manifest requirements (by bmendonca3 · 2026-02-22, 72.7%)
- #17502: feat: normalize skill scanner reason codes and trust messaging (by ArthurzKV · 2026-02-15, 72.5%)
- #8150: fix(skills): block dangerous environment variables from skill config (by yubrew · 2026-02-03, 72.1%)
- #21839: fix(skills): allowBundled: [] now blocks all bundled skills (by hydro13 · 2026-02-20, 71.6%)
- #23383: Skills: gate command-dispatch tool targets and args (by bmendonca3 · 2026-02-22, 71.5%)
- #21727: skills: treat allowBundled [] as denylist for bundled skills (by AIflow-Labs · 2026-02-20, 71.2%)
- #22306: Warn on malformed skill parsing failures in load path (by AIflow-Labs · 2026-02-21, 70.1%)