
Identity & keys

Your signing keys live on your machine. We never see them.

Every developer on a gridtrue network has an enrollment cert issued by their org. The private key is generated locally and stored in the OS keyring — Keychain on macOS, DPAPI on Windows, libsecret on Linux. The control plane never sees it.

Commands that touch identity

```bash
gridtrue login                # enroll / re-enroll, store cert in keyring
gridtrue logout               # wipe the keyring entry and daemon cache
gridtrue identity show        # print cert subject, fingerprint, expiry
gridtrue identity revoke      # revoke the current cert on the ledger
gridtrue identity rotate      # issue a new cert, revoke the old one atomically
```

What that means in practice

  • If the gridtrue control plane is compromised, attestations cannot be forged — the signing keys are not there.
  • If your laptop is compromised, only your identity is at risk. Revoke via gridtrue identity revoke from any other enrolled machine.
  • If you lose your machine, re-enroll on a new one; the lost cert is revoked on the ledger; old attestations remain valid and auditable.
  • There is no escrow mode. We do not hold copies of user private keys.
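The lost-laptop case above rests on one verification rule: a revocation on the ledger invalidates what the key signs from the revocation time onward, not what it signed before. The following Go program is an added illustration of that rule, not gridtrue's code: it models the ledger as an in-memory map, signs attestations with an ed25519 key that stays on the "developer's machine", and has the ledger stamp each attestation with its own receipt time so that whoever holds a lost key cannot back-date a signature past the revocation. The `Ledger`, `Attestation`, `Sign` and `Verify` names, the fingerprint format and the timeline in `Scenario` are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Ledger is a toy stand-in for the revocation ledger (hypothetical, not
// gridtrue's implementation). It records when each cert was revoked and when
// each attestation was received, using its own clock, never the signer's claim.
type Ledger struct {
	revoked  map[string]time.Time // cert fingerprint -> revocation time
	received map[string]time.Time // attestation id -> ledger receipt time
}

func NewLedger() *Ledger {
	return &Ledger{revoked: map[string]time.Time{}, received: map[string]time.Time{}}
}

type Attestation struct {
	Fingerprint string // which cert signed it
	Payload     []byte
	Signature   []byte
}

// ID identifies an attestation on the ledger by a hash of its signature.
func (a Attestation) ID() string {
	sum := sha256.Sum256(a.Signature)
	return hex.EncodeToString(sum[:])
}

// Fingerprint is a constructed short identifier for a public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign runs on the developer's machine; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, payload []byte) Attestation {
	fp := Fingerprint(priv.Public().(ed25519.PublicKey))
	msg := append([]byte(fp+"|"), payload...)
	return Attestation{Fingerprint: fp, Payload: payload, Signature: ed25519.Sign(priv, msg)}
}

// Publish records the attestation with the ledger's own receipt time.
func (l *Ledger) Publish(a Attestation, at time.Time) { l.received[a.ID()] = at }

// Revoke marks a cert as revoked from time at onward.
func (l *Ledger) Revoke(fp string, at time.Time) { l.revoked[fp] = at }

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrUnknown      = errors.New("attestation not on ledger")
	ErrRevoked      = errors.New("cert was already revoked when the ledger received this attestation")
)

// Verify checks the signature, then compares the receipt time with the
// revocation time: attestations received before revocation stay valid.
func (l *Ledger) Verify(pub ed25519.PublicKey, a Attestation) error {
	fp := Fingerprint(pub)
	msg := append([]byte(fp+"|"), a.Payload...)
	if fp != a.Fingerprint || !ed25519.Verify(pub, msg, a.Signature) {
		return ErrBadSignature
	}
	recv, ok := l.received[a.ID()]
	if !ok {
		return ErrUnknown
	}
	if rev, revoked := l.revoked[fp]; revoked && !recv.Before(rev) {
		return ErrRevoked
	}
	return nil
}

// Scenario walks through the lost-laptop case with a constructed timeline and
// returns the verdicts for the attestation made before and after revocation.
func Scenario() (before, after error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ledger := NewLedger()
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)

	// Normal work: signed and published while the cert is valid.
	a1 := Sign(priv, []byte("build 1234 from commit abc (constructed)"))
	ledger.Publish(a1, t0)

	// Laptop lost; the developer revokes from another enrolled machine.
	ledger.Revoke(a1.Fingerprint, t0.Add(1*time.Hour))

	// Whoever holds the lost key signs later; the ledger stamps receipt itself.
	a2 := Sign(priv, []byte("build 9999 from commit zzz (constructed)"))
	ledger.Publish(a2, t0.Add(2*time.Hour))

	return ledger.Verify(pub, a1), ledger.Verify(pub, a2)
}

func main() {
	before, after := Scenario()
	fmt.Println("pre-revocation attestation:", before)
	fmt.Println("post-revocation attestation:", after)
}
```

The design point worth keeping from the model is that the ledger, not the signer, decides when an attestation was received: a signer's own timestamp is under the control of whoever holds the key, so it cannot be the thing a revocation is compared against.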