Module Signing and Lifecycle

Section: Reference | Article 65
Audience: Developers, System Administrators
Last Updated: 2026-04-08


Overview

RP-PAM uses a dual-signature security model for custom modules. This ensures that every module installed in a production environment has been reviewed by Ravenphyre for security and is locked to the customer's specific deployment.


Module Types

| Type | Signed By | Time Limit | Where It Runs |
|---|---|---|---|
| Ravenphyre | Ravenphyre only | None | Any licensed RP-PAM |
| Customer Dev | Customer only | 72 hours, then auto-uninstalls | Test labs only |
| Customer Production | Customer + Ravenphyre | None (permanent) | Customer's environment only |
| Community | Ravenphyre (converted from customer) | None | Any licensed RP-PAM |

Development Workflow

Step 1 — Build and Self-Sign for Testing

Build your module, then sign it for development testing:

rppam-module-sign --dev \
  --rmod path/to/my-module-1.0.0.rmod \
  --org "My Company"

This creates a 72-hour development signature. Install it in a test lab with modules.allowDevModules: true in rppam.config.

After 72 hours, the module auto-uninstalls. Re-sign to get another test window.

Step 2 — Iterate

Repeat the build → sign → test cycle until the module is ready.

Step 3 — Sign for Submission

When ready for production, sign for submission:

rppam-module-sign --submit \
  --rmod path/to/my-module-1.0.0.rmod \
  --org "My Company"

Step 4 — Submit to Ravenphyre

Send the .rmod and .rmod.sig files to Ravenphyre for review:

  - Email: support@ravenphyre.net
  - Include: module description, list of outbound network connections, your license fingerprint

Step 5 — Review and Co-Signing

Ravenphyre reviews the module (security checklist), then co-signs it. You receive back the dual-signed .rmod + .rmod.sig.

Step 6 — Install in Production

Install the co-signed module through the portal. On first install, the module ident is registered with the Ravenphyre License Validation Service (LVS), locking it to your deployment.


Validating a Module

Before installing, verify the module:

rppam-module-validate path/to/my-module-1.0.0.rmod \
  --fingerprint YOUR_LICENSE_FINGERPRINT

Output shows:

  - Package integrity — SHA-256 hash match (tamper detection)
  - Customer signature — verified against your key
  - Ravenphyre co-signature — verified against Ravenphyre's public key
  - License binding — locked to your installation
  - Version match — manifest matches signed version (no swapping)
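The five checks above can be modelled as follows. This is an added example, not Ravenphyre's code: the `Envelope` layout, the use of Ed25519, and the choice to have the co-signature cover the customer signature are all assumptions, since this page does not document the .rmod.sig format or the signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Envelope struct { // hypothetical stand-in for .rmod.sig (real layout not documented here)
	PkgHash            [32]byte // SHA-256 of the package bytes
	Version, LicenseFP string   // signed version and license fingerprint
	CustSig, VendorSig []byte   // customer signature, vendor co-signature
}

func (e Envelope) payload() []byte { // signed bytes; %q keeps the fields unambiguous
	return []byte(fmt.Sprintf("%x|%q|%q", e.PkgHash, e.Version, e.LicenseFP))
}

// Sign builds a dual-signed envelope; the co-signature also covers the customer signature.
func Sign(pkg []byte, ver, fp string, cust, vendor ed25519.PrivateKey) Envelope {
	e := Envelope{PkgHash: sha256.Sum256(pkg), Version: ver, LicenseFP: fp}
	e.CustSig = ed25519.Sign(cust, e.payload())
	e.VendorSig = ed25519.Sign(vendor, append(e.payload(), e.CustSig...))
	return e
}

// Verify applies the five checks in the order the validation output lists them.
func Verify(pkg []byte, manifestVer, myFP string, e Envelope, custPub, vendorPub ed25519.PublicKey) error {
	switch {
	case sha256.Sum256(pkg) != e.PkgHash:
		return errors.New("package integrity")
	case !ed25519.Verify(custPub, e.payload(), e.CustSig):
		return errors.New("customer signature")
	case !ed25519.Verify(vendorPub, append(e.payload(), e.CustSig...), e.VendorSig):
		return errors.New("co-signature")
	case e.LicenseFP != myFP:
		return errors.New("license binding")
	case e.Version != manifestVer:
		return errors.New("version match")
	}
	return nil
}

func main() { // constructed throwaway keys and package bytes
	cPub, cPriv, _ := ed25519.GenerateKey(nil)
	vPub, vPriv, _ := ed25519.GenerateKey(nil)
	e := Sign([]byte("pkg"), "1.0.0", "FP-EXAMPLE", cPriv, vPriv)
	fmt.Println(Verify([]byte("pkg"), "1.0.0", "FP-EXAMPLE", e, cPub, vPub))
}
```

Because the version and fingerprint sit inside the signed payload, editing either field in the envelope after signing fails the customer signature check rather than the later binding checks.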


Security Protections

| Protection | What It Prevents |
|---|---|
| Dual signature | Neither party can modify the module after signing |
| License fingerprint lock | Module can't be installed on a different customer's RP-PAM |
| LVS deployment lock | Module can't be moved to a different deployment (even same customer) |
| Package SHA-256 hash | Any file modification invalidates the signature |
| Version match | Can't substitute a different version under the same signature |
| 72-hour dev expiry | Unsigned modules can't run indefinitely in production |

Community Modules

If you build a module that could benefit other RP-PAM customers, you can request that Ravenphyre convert it to a community module:

  1. Contact Ravenphyre with the request
  2. Ravenphyre re-signs the module without the customer license fingerprint
  3. The module is attributed: "Originally by [Your Company], certified by Ravenphyre"
  4. It becomes available to all licensed RP-PAM customers

Your company is credited as the original author in the module's details.



RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.