{"manifest_kind":"signing_keys","rotation_policy":"Keys are rotated by adding a new entry with valid_from = today and setting valid_until on the prior entry. Both entries persist in this manifest so an artifact signed under a now-superseded key can still be matched against its historically valid key. A trust-page-pinned fingerprint that no longer appears here MUST be treated as suspect, not as evidence of compromise — contact support@privacyautomated.ai to reconcile.","keys":[{"purpose":"audit_export","algorithm":"ed25519","valid_from":null,"valid_until":null,"fingerprint_sha256":"5eb6d37819d2fc01e0abdfd6f597fc76b227821beba768815a69367aa9ede425","pem_url":"/audit/verification-key","notes":"Signs customer-downloaded audit-log export bundles (/audit/export-signed). Verifies offline with openssl pkeyutl -verify. See trust-architecture page Invariant 2."},{"purpose":"transparency_root","algorithm":"ed25519","valid_from":null,"valid_until":null,"fingerprint_sha256":"a6618b1c7e1fe3e0bb97d8bf8809e021e5e8639af13521f9fd03cbeeb7ffc362","pem_url":"/audit/transparency-key","notes":"Signs the daily Merkle root of audit events published to the public transparency log. Domain-separated under PA-TRANSPARENCY-V1. See trust-architecture page Invariant 3."},{"purpose":"rekor_anchor","algorithm":"ecdsa-p256","valid_from":null,"valid_until":null,"fingerprint_sha256":"4fdc56a8db8084c3fbb2e51def89155080c42bdbc397eeaf05d7d90466a3b713","pem_url":"/audit/rekor-key","notes":"Signs the SHA-256 digest of each daily transparency root before submission to Sigstore Rekor as a hashedrekord entry. ECDSA P-256 + SHA-256 with DER ASN.1 signatures via utils.Prehashed (signing the digest, not double-hashing it). Pair with /audit/transparency-roots/<date>.json.rekor.json to confirm the Rekor entry's embedded publicKey matches this fingerprint. See trust-architecture page Invariant 3."}]}