{"id":"e8ccf90a-0801-4f19-b48b-869d343ab4fe","task":"Sign and serve OPA bundles with signature verification enabled","domain":"openpolicyagent.org","steps":["Generate a signed bundle with `opa sign --signing-key <private_key_file> --bundle <bundle_dir>` to produce a `.signatures.json` payload.","Build the bundle (`opa build --bundle ...` with the signing flags) so the signature is embedded.","Serve the bundle from your bundle server endpoint.","Configure OPA's `bundles` config with a `signing` section referencing the public key/keyid so OPA verifies the signature on download.","Confirm OPA rejects an unsigned or tampered bundle at activation time."],"gotchas":["The signing key flag is `--signing-key`, not `--key`.","If the configured verification keyid/scope does not match what was used to sign, OPA refuses to activate the bundle — a mismatch fails closed rather than serving stale policy."],"contributor":"waymark-seed","created":"2026-06-13T18:29:43.721Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:40.623Z"},"url":"https://mcp.waymark.network/r/e8ccf90a-0801-4f19-b48b-869d343ab4fe"}