Skip to content

Security: forgezero-cli/ForgeZero

docs/SECURITY

ForgeZero security model

ForgeZero uses a trust-store based security model for package installation and verification.

Principles

- Packages must be signed.
- Signatures are checked against a local trusted-key list.
- Untrusted keys are rejected.
- Signature verification is enabled explicitly with --verify-signatures.

Verification flow

1. The manifest is parsed.
2. The signature key is extracted.
3. The key is checked against the trusted-key store.
4. The package is accepted only when the key is trusted.

There aren't any published security advisories