Add history signing support #77

Open
JoshVanL wants to merge 9 commits into dapr:main from JoshVanL:history-signing

@JoshVanL

Introduce chain-of-custody signing for workflow history events, allowing each orchestrator execution to produce a cryptographic signature over newly appended events. Signatures are chained via previousSignatureDigest to form a tamper-evident log.

  • Add historysigning package with deterministic event marshaling, raw-bytes digest computation, and sign/verify logic supporting Ed25519, ECDSA P-256, and RSA PKCS#1 v1.5
  • Verify certificate validity (NotBefore/NotAfter) against the timestamp of the last event in each signed range
  • Export SigningCertificate and HistorySignature type aliases from backend package
  • Add comprehensive tests covering all key types, chain verification, certificate rotation, tamper detection, and certificate validity

Proposal: dapr/proposals#102

Introduce chain-of-custody signing for workflow history events, allowing
each orchestrator execution to produce a cryptographic signature over
newly appended events. Signatures are chained via previousSignatureDigest
to form a tamper-evident log.

- Add historysigning package with deterministic event marshaling,
  raw-bytes digest computation, and sign/verify logic supporting
  Ed25519, ECDSA P-256, and RSA PKCS#1 v1.5
- Verify certificate validity (NotBefore/NotAfter) against the timestamp
  of the last event in each signed range
- Export SigningCertificate and HistorySignature type aliases from
  backend package
- Add comprehensive tests covering all key types, chain verification,
  certificate rotation, tamper detection, and certificate validity

Proposal: dapr/proposals#102

Signed-off-by: joshvanl <me@joshvanl.dev>
Copilot AI review requested due to automatic review settings March 19, 2026 15:31
@JoshVanL JoshVanL requested a review from a team as a code owner March 19, 2026 15:31

Copilot AI left a comment

Pull request overview

Adds a new backend/historysigning package to implement tamper-evident, chained cryptographic signing for workflow history event ranges, along with supporting proto/API surface updates and tests.

Changes:

  • Introduce deterministic history event marshaling plus SHA-256 digest utilities (canonical.go).
  • Implement signing and verification logic for Ed25519, ECDSA P-256, and RSA PKCS#1 v1.5, including chain verification (signer.go).
  • Add comprehensive unit tests for determinism, chaining, rotation, tamper detection, and certificate validity windows.
  • Export SigningCertificate and HistorySignature aliases from backend and update generated protobuf outputs.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| backend/historysigning/signer.go | Core sign/verify implementation and chain verification logic. |
| backend/historysigning/canonical.go | Deterministic marshaling and digest/input derivation helpers. |
| backend/historysigning/historysigning_test.go | Test coverage for signing/verification across key types and scenarios. |
| backend/backend.go | Exposes SigningCertificate and HistorySignature type aliases. |
| api/protos/runtime_state.pb.go | Generated proto updates (descriptor/init dependencies). |
| api/protos/orchestrator_actions.pb.go | New/updated generated proto output. |
| api/protos/orchestration.pb.go | New/updated generated proto output. |

Signed-off-by: joshvanl <me@joshvanl.dev>
@JoshVanL JoshVanL requested review from Copilot and removed request for Copilot March 19, 2026 15:46

Copilot AI left a comment

Pull request overview

Adds tamper-evident “chain-of-custody” signing for workflow history by introducing a historysigning package to compute deterministic digests and sign/verify chained history signature entries.

Changes:

  • Introduces signing + verification logic for history event ranges (including chain linkage and cert validity time checks).
  • Adds comprehensive unit tests covering key types, certificate chains/rotation, and tamper detection.
  • Updates protobuf submodule/regenerated protos and exports signature-related proto aliases from backend.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| submodules/durabletask-protobuf | Updates protobuf submodule commit to pick up new/changed proto definitions. |
| backend/historysigning/canonical.go | Adds deterministic event marshaling and digest helpers for signatures/chaining. |
| backend/historysigning/signer.go | Implements signing and verification of history event ranges and chained signatures. |
| backend/historysigning/historysigning_test.go | Adds tests for signing/verification across algorithms, chains, rotation, and tamper detection. |
| backend/backend.go | Exports SigningCertificate and HistorySignature aliases from backend. |
| api/protos/runtime_state.pb.go | Regenerated protobuf output reflecting updated proto dependencies/init order. |
| api/protos/orchestrator_actions.pb.go | New regenerated protobuf output for orchestrator actions. |
| api/protos/orchestration.pb.go | New regenerated protobuf output for orchestration messages/enums. |

Signed-off-by: joshvanl <me@joshvanl.dev>
Signed-off-by: joshvanl <me@joshvanl.dev>
@JoshVanL JoshVanL requested a review from Copilot March 19, 2026 16:41

Copilot AI left a comment

Pull request overview

Adds tamper-evident history signing to workflow orchestration by introducing a historysigning package that can sign contiguous history event ranges, chain signatures via previousSignatureDigest, and verify chains against SPIFFE/X.509 trust bundles.

Changes:

  • Add backend/historysigning with deterministic event marshaling, digest computations, signing (Ed25519/ECDSA/RSA), and chain verification + cert validity checks.
  • Export SigningCertificate and HistorySignature aliases from backend.
  • Update protobuf artifacts and dependencies (SPIFFE bundle support + dependency bumps).

Reviewed changes

Copilot reviewed 11 out of 13 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| submodules/durabletask-protobuf | Updates proto submodule revision used by this repo. |
| go.mod | Adds SPIFFE dependency and bumps OTEL / gRPC / protobuf libs. |
| go.sum | Records checksums for newly added / bumped dependencies. |
| backend/historysigning/canonical.go | Implements deterministic marshaling and digest/input canonicalization. |
| backend/historysigning/signer.go | Implements signing and verification (single signature + full chain + trust checks). |
| backend/historysigning/historysigning_test.go | Adds extensive tests for signing, chaining, rotation, tamper detection, and trust validation. |
| backend/backend.go | Exposes signature/certificate protos via backend type aliases. |
| api/protos/runtime_state.pb.go | Regenerates runtime_state protos to match updated imports/structure. |
| api/protos/orchestrator_actions.pb.go | Adds newly generated orchestrator actions protobuf Go code. |
| api/protos/orchestration.pb.go | Adds newly generated orchestration protobuf Go code. |

Signed-off-by: joshvanl <me@joshvanl.dev>
Signed-off-by: joshvanl <me@joshvanl.dev>
Signed-off-by: joshvanl <me@joshvanl.dev>
@JoshVanL JoshVanL requested a review from Copilot March 20, 2026 17:25

Copilot AI left a comment

Pull request overview

This PR introduces a new backend/historysigning package to support chain-of-custody signing and verification of workflow history events, along with dependency updates and regenerated protobuf artifacts needed to carry signature/certificate data.

Changes:

  • Added canonical deterministic marshaling + digest computation, signing, and chain verification logic for history events.
  • Added extensive unit tests covering key types, certificate rotation/validity, tamper detection, and chain coverage/linkage.
  • Updated Go module dependencies (including a replace for github.com/dapr/kit) and updated protobuf-generated Go files/submodule pointer.

Reviewed changes

Copilot reviewed 12 out of 14 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| submodules/durabletask-protobuf | Bumps protobuf submodule commit to include new/updated protos. |
| go.mod | Adds/updates deps for signing/verification and introduces a replace for github.com/dapr/kit. |
| go.sum | Updates sums to match the new dependency graph. |
| backend/historysigning/canonical.go | Adds deterministic event marshaling and canonical digest/signature-input helpers. |
| backend/historysigning/signer.go | Adds signing logic and certificate-table index resolution. |
| backend/historysigning/verify.go | Adds signature + full-chain verification (linkage, contiguity, trust, validity-at-event-time). |
| backend/historysigning/historysigning_test.go | Adds comprehensive unit coverage for signing and verification flows. |
| backend/backend.go | Exports type aliases for signature/certificate protos from backend. |
| api/protos/runtime_state.pb.go | Regenerated protobuf output reflecting new proto structure/deps. |
| api/protos/orchestrator_actions.pb.go | New/updated generated protobuf Go output for orchestrator actions. |
| api/protos/orchestration.pb.go | New/updated generated protobuf Go output for orchestration messages/enums. |

@JoshVanL JoshVanL changed the title from "WIP: Add history signing support" to "Add history signing support" Mar 20, 2026
- Add nil signer check to VerifySignature to prevent panic when
  called independently of VerifyChain
- Use overflow-safe bounds checking for signature event ranges to
  prevent uint64 wraparound on malformed signatures

Signed-off-by: joshvanl <me@joshvanl.dev>
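
The chained signing and the overflow-safe range check discussed in this PR, as an added Go example that is not code from the PR or the project. `Sig`, `input`, `Append` and `VerifyChain` are hypothetical names; the signed byte layout, linking via SHA-256 of the previous signature bytes, and a single Ed25519 key with no certificates are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Sig is a hypothetical signature entry, not the PR's HistorySignature type.
type Sig struct {
	Start, Count uint64   // range of history events covered
	Prev         [32]byte // SHA-256 of the previous signature, zero for the first
	Value        []byte   // Ed25519 signature over input()
}

// input binds the range, the previous digest and a digest of the events.
func input(s Sig, events [][]byte) []byte {
	d := sha256.Sum256(fmt.Appendf(nil, "%x", events)) // hex keeps event boundaries
	return fmt.Appendf(nil, "%d:%d:%x:%x", s.Start, s.Count, s.Prev, d)
}

// Append signs the events added since the last signature and links to it.
func Append(priv ed25519.PrivateKey, history [][]byte, chain []Sig) []Sig {
	var s Sig
	if n := len(chain); n > 0 {
		s.Start, s.Prev = chain[n-1].Start+chain[n-1].Count, sha256.Sum256(chain[n-1].Value)
	}
	s.Count = uint64(len(history)) - s.Start
	s.Value = ed25519.Sign(priv, input(s, history[s.Start:]))
	return append(chain, s)
}

// VerifyChain bounds Count by n-Start (Start+Count can wrap), then checks link and signature.
func VerifyChain(pub ed25519.PublicKey, history [][]byte, chain []Sig) error {
	n, next, prev := uint64(len(history)), uint64(0), [32]byte{}
	for i, s := range chain {
		if s.Start != next || s.Count > n-s.Start || s.Prev != prev ||
			!ed25519.Verify(pub, input(s, history[next:next+s.Count]), s.Value) {
			return fmt.Errorf("signature %d: bad range, link or signature", i)
		}
		next, prev = next+s.Count, sha256.Sum256(s.Value)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	h := [][]byte{[]byte("started"), []byte("completed")} // constructed events
	fmt.Println(VerifyChain(pub, h, Append(priv, h, Append(priv, h[:1], nil))))
}
```

A check written as `Start+Count <= len(history)` would accept a malformed entry whose `Count` is close to the uint64 maximum, because the sum wraps to a small value, and the subsequent slice expression would panic.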