Context
After #306 (commit 1f24845), the Android app verifies signing history through the keyed-HMAC chain via PermissionStore.verifyAuditChain(). The previously-used SigningAuditLog.verifyChain() (the unkeyed blake2b chain in keep/keep-mobile/src/audit.rs) is no longer called anywhere in keep-android (confirmed by grep; only the generated UniFFI binding references it).
Issue
The weaker unkeyed verify path is now orphaned in this repo. It cannot be removed from keep-android because it is generated from the UDL, but leaving it exported invites future misuse (a caller wiring the verified badge back to the unkeyed chain, which is the exact bug #306 fixed).
Fix
Upstream in the keep repo: remove SigningAuditLog.verifyChain (or the unkeyed chain entirely if it has no remaining consumers) from the UDL / keep-mobile surface, then re-pin keep.version here. Verify no other consumer depends on it before removal.
This is an upstream keep change, tracked here for visibility on the keep-android side.
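Why the unkeyed verify path is the weaker one, as an added example (not code from keep or keep-android): a log rewritten without the key still passes an unkeyed hash-chain check but fails a keyed one. It is written in Python so it runs with the standard library only. The function names, the 32-byte genesis value, the `prev || entry` link layout and the use of HMAC-SHA256 are assumptions of this sketch, not the project's actual format.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # assumed fixed-length starting link


def unkeyed_link(prev: bytes, entry: bytes) -> bytes:
    # Anyone who can read the log can compute this link.
    return hashlib.blake2b(prev + entry, digest_size=32).digest()


def keyed_link(key: bytes):
    # Link that needs a secret; HMAC-SHA256 is an assumption of this sketch.
    def link(prev: bytes, entry: bytes) -> bytes:
        return hmac.new(key, prev + entry, hashlib.sha256).digest()
    return link


def build_chain(entries, link):
    rows, prev = [], GENESIS
    for entry in entries:
        prev = link(prev, entry)
        rows.append((entry, prev))
    return rows


def verify_chain(rows, link) -> bool:
    prev = GENESIS
    for entry, tag in rows:
        if not hmac.compare_digest(link(prev, entry), tag):
            return False
        prev = tag
    return True


def rewrite_without_key(rows, index, new_entry):
    # Models a party with write access to the stored log but no key:
    # one entry is changed and every link is recomputed with the public function.
    entries = [e for e, _ in rows]
    entries[index] = new_entry
    return build_chain(entries, unkeyed_link)


# Constructed sample entries and key, not real keep-android records.
ENTRIES = [b"sign:event-1", b"sign:event-2", b"sign:event-3"]
DEVICE_KEY = b"constructed-demo-key-32-bytes!!!"

if __name__ == "__main__":
    edited = rewrite_without_key(build_chain(ENTRIES, unkeyed_link), 1, b"sign:other")
    print("unkeyed verify accepts rewritten log:", verify_chain(edited, unkeyed_link))
    print("keyed verify accepts rewritten log:", verify_chain(edited, keyed_link(DEVICE_KEY)))
```

A "verified" indicator backed by the unkeyed check only shows that the stored log is internally consistent, not that it was written by the key holder.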