How revocation works on the agent
The agent keeps a revocation list on disk:Issuing a revocation
When a key is compromised or a publisher is removed from trust:- Add the signer id to
/etc/ados/plugin-revocations.json. - Distribute the updated list (OTA for the Altnautica trust set, your config-management channel for self-hosted fleets).
- Re-sign your current plugin releases with a fresh key and add its public key to the trust list.
- Notify operators. New installs of any plugin signed by the revoked key fail signature verification; already-installed plugins stop loading on the next start.
What a revoked plugin does next
The operator’s options:
Why the agent does not auto-remove
In a fleet a plugin can be load-bearing. Auto-removal could take a vehicle out of service mid-mission. The safe default is a loud, immediate refusal-to-load plus a deliberate operator removal step.Reporting a security issue
If you believe a plugin is malicious, broken in a way that affects flight safety, or is leaking data:Where to report
Open a private security advisory on the affected repository under github.com/altnautica. GitHub’s private vulnerability reporting keeps the report off the public issue tracker until a fix ships. If GitHub is not an option, use the contact channel on altnautica.com and mark the message as a security report.What to include
- The plugin id and version.
- The signer key id (from
ados plugin info <id>or the archive’sSIGNATUREfile). - A description of the behavior, with reproduction steps where possible.
- The operator-facing impact (data loss, vehicle behavior, information disclosure).
- Whether you have already disclosed publicly, with a link if so.
- Any logs, captures, or static-analysis output that supports the report.
- How you would like to be credited, if at all.
What we do
- Acknowledge and triage. Critical safety reports are prioritized.
- Investigate severity and scope.
- For confirmed issues, revoke the signer key and ship a fix.
- Coordinate disclosure with the reporter.
- Publish a post-mortem with what happened and what changed to prevent recurrence.
Coordinated disclosure
We default to coordinated disclosure: public report after the fix ships and the post-mortem is published. We do not block you from disclosing on your own timeline; we ask for a heads-up so a coordinated statement and the fix land together.When the hosted registry ships
A hosted Altnautica registry will add a polled revocation feed and finer-grained, per-version revocation. It is not yet live; until then, the on-device signer-id list above and direct re-signing are the mechanisms. The two current distribution channels are local-file install and URL install.Operator checklist when a revocation lands
- Read the reason. Critical safety reasons mean ground the fleet first.
- Check
ados plugin liston every SBC for the affected plugins. - If a plugin was load-bearing, plan a replacement or rollback before removing.
- Once a replacement is in place,
ados plugin remove <id>. - Verify with
ados plugin info <id>andados logs querythat the refusal and the removal were recorded.