> ## Documentation Index
> Fetch the complete documentation index at: https://docs.manthan.systems/llms.txt
> Use this file to discover all available pages before exploring further.

# @parmanasystems/crypto

> Ed25519 signing and verification primitives

Low-level cryptographic primitives for Ed25519 signing and verification. Consumed internally by the governance pipeline. Use `@parmanasystems/core` for most applications - reach for this package only when you need direct access to the underlying sign/verify operations.

## Install

```bash theme={null}
npm install @parmanasystems/crypto
```

## Key exports

| Export                   | Description                                           |
| ------------------------ | ----------------------------------------------------- |
| `signManifest`           | Sign a bundle manifest file with a PEM private key    |
| `verifySignature`        | Verify a base64 signature against a file              |
| `writeSignature`         | Write a base64 signature to disk                      |
| `readSignature`          | Read a base64 signature from disk                     |
| `loadPrivateKey`         | Load an Ed25519 PEM private key from a file path      |
| `loadPublicKey`          | Load an Ed25519 PEM public key from a file path       |
| `signBundle`             | Async variant - sign a manifest using a Signer object |
| `verifyPayloadSignature` | Verify a base64 signature over a string payload       |

## Signing a bundle manifest

```typescript theme={null}
import { signManifest, writeSignature } from "@parmanasystems/crypto";

const signature = signManifest(
  "./policies/loan-approval/1.0.0/bundle.manifest.json",
  "./trust/root.key"
);

writeSignature(signature, "./policies/loan-approval/1.0.0");
// Writes: bundle.sig
```

## Verifying a payload signature

```typescript theme={null}
import { verifyPayloadSignature } from "@parmanasystems/crypto";

const valid = verifyPayloadSignature(
  payload,    // canonical JSON string
  signature,  // base64-encoded Ed25519 signature
  publicKey   // PEM-encoded SPKI public key
);
```

## Key format

All keys are standard PEM-encoded Ed25519:

* Private keys: PKCS8 format (`-----BEGIN PRIVATE KEY-----`)
* Public keys: SPKI format (`-----BEGIN PUBLIC KEY-----`)

Generate a key pair:

```typescript theme={null}
import crypto from "crypto";

const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519", {
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
  publicKeyEncoding:  { type: "spki",  format: "pem" },
});
```

## See also

* [Trust Portability](/architecture/trust-portability) - how signatures enable portable verification
* [Core Package](/packages/core) - high-level signing via `LocalSigner`