From cc11adda875f9d97c638fac2872696ee3a3d8ce2 Mon Sep 17 00:00:00 2001
From: Daniel Holmgren <dtholmgren@gmail.com>
Date: Fri, 8 Mar 2024 19:41:31 -0600
Subject: [PATCH] Ozone: Add sigs to all labels (#2236)

* sketching out label sequencer

* refactor sequencer

* sequencer tests

* tests

* add query labels endpoint & tests

* add pagination

* fix label formatting on temp

* tidy

* format labels

* make use listen/notify for sequencer

* ensure sig on all outgoing labels from ozone

* fixing up tests

* fix sequencer tests

* fix hanging server test

* add log on failure to update label

* update description for sig

* use bytes for label sigs

* fix tests

* add ver to labels

* tidy up background queue

* store signing keys as ids

* fix sequencer teest
---
 lexicons/com/atproto/label/defs.json          |  8 ++
 packages/api/src/client/lexicons.ts           |  8 ++
 .../client/types/com/atproto/label/defs.ts    |  4 +
 packages/bsky/src/lexicon/lexicons.ts         |  8 ++
 .../lexicon/types/com/atproto/label/defs.ts   |  4 +
 packages/ozone/src/api/label/queryLabels.ts   |  6 +-
 packages/ozone/src/api/temp/fetchLabels.ts    |  6 +-
 packages/ozone/src/context.ts                 | 22 ++++-
 packages/ozone/src/daemon/context.ts          |  5 +-
 .../20240228T003647759Z-add-label-sigs.ts     | 23 ++++++
 packages/ozone/src/db/migrations/index.ts     |  1 +
 packages/ozone/src/db/schema/index.ts         |  2 +
 packages/ozone/src/db/schema/label.ts         |  2 +
 packages/ozone/src/db/schema/signing_key.ts   | 10 +++
 packages/ozone/src/lexicon/lexicons.ts        |  8 ++
 .../lexicon/types/com/atproto/label/defs.ts   |  4 +
 packages/ozone/src/mod-service/index.ts       | 48 ++++++-----
 packages/ozone/src/mod-service/util.ts        | 51 ++++++++++--
 packages/ozone/src/mod-service/views.ts       | 34 +++++++-
 packages/ozone/src/sequencer/sequencer.ts     | 23 +++---
 packages/ozone/src/util.ts                    | 21 +++++
 .../__snapshots__/get-record.test.ts.snap     |  8 ++
 .../tests/__snapshots__/get-repo.test.ts.snap |  4 +
 packages/ozone/tests/_util.ts                 |  5 ++
 packages/ozone/tests/query-labels.test.ts     | 82 ++++++++++++++++++-
 packages/ozone/tests/sequencer.test.ts        |  4 +-
 packages/pds/src/lexicon/lexicons.ts          |  8 ++
 .../lexicon/types/com/atproto/label/defs.ts   |  4 +
 28 files changed, 359 insertions(+), 54 deletions(-)
 create mode 100644 packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts
 create mode 100644 packages/ozone/src/db/schema/signing_key.ts

diff --git a/lexicons/com/atproto/label/defs.json b/lexicons/com/atproto/label/defs.json
index cd8e03e116c..229ad192f2a 100644
--- a/lexicons/com/atproto/label/defs.json
+++ b/lexicons/com/atproto/label/defs.json
@@ -7,6 +7,10 @@
       "description": "Metadata tag on an atproto resource (eg, repo or record).",
       "required": ["src", "uri", "val", "cts"],
       "properties": {
+        "ver": {
+          "type": "integer",
+          "description": "The AT Protocol version of the label object."
+        },
         "src": {
           "type": "string",
           "format": "did",
@@ -35,6 +39,10 @@
           "type": "string",
           "format": "datetime",
           "description": "Timestamp when this label was created."
+        },
+        "sig": {
+          "type": "bytes",
+          "description": "Signature of dag-cbor encoded label."
         }
       }
     },
diff --git a/packages/api/src/client/lexicons.ts b/packages/api/src/client/lexicons.ts
index 635e9e19e60..afc7ed866b1 100644
--- a/packages/api/src/client/lexicons.ts
+++ b/packages/api/src/client/lexicons.ts
@@ -2202,6 +2202,10 @@ export const schemaDict = {
           'Metadata tag on an atproto resource (eg, repo or record).',
         required: ['src', 'uri', 'val', 'cts'],
         properties: {
+          ver: {
+            type: 'integer',
+            description: 'The AT Protocol version of the label object.',
+          },
           src: {
             type: 'string',
             format: 'did',
@@ -2235,6 +2239,10 @@ export const schemaDict = {
             format: 'datetime',
             description: 'Timestamp when this label was created.',
           },
+          sig: {
+            type: 'bytes',
+            description: 'Signature of dag-cbor encoded label.',
+          },
         },
       },
       selfLabels: {
diff --git a/packages/api/src/client/types/com/atproto/label/defs.ts b/packages/api/src/client/types/com/atproto/label/defs.ts
index c1641432c3a..425978d6d0e 100644
--- a/packages/api/src/client/types/com/atproto/label/defs.ts
+++ b/packages/api/src/client/types/com/atproto/label/defs.ts
@@ -8,6 +8,8 @@ import { CID } from 'multiformats/cid'
 
 /** Metadata tag on an atproto resource (eg, repo or record). */
 export interface Label {
+  /** The AT Protocol version of the label object. */
+  ver?: number
   /** DID of the actor who created this label. */
   src: string
   /** AT URI of the record, repository (account), or other resource that this label applies to. */
@@ -20,6 +22,8 @@ export interface Label {
   neg?: boolean
   /** Timestamp when this label was created. */
   cts: string
+  /** Signature of dag-cbor encoded label. */
+  sig?: Uint8Array
   [k: string]: unknown
 }
 
diff --git a/packages/bsky/src/lexicon/lexicons.ts b/packages/bsky/src/lexicon/lexicons.ts
index 635e9e19e60..afc7ed866b1 100644
--- a/packages/bsky/src/lexicon/lexicons.ts
+++ b/packages/bsky/src/lexicon/lexicons.ts
@@ -2202,6 +2202,10 @@ export const schemaDict = {
           'Metadata tag on an atproto resource (eg, repo or record).',
         required: ['src', 'uri', 'val', 'cts'],
         properties: {
+          ver: {
+            type: 'integer',
+            description: 'The AT Protocol version of the label object.',
+          },
           src: {
             type: 'string',
             format: 'did',
@@ -2235,6 +2239,10 @@ export const schemaDict = {
             format: 'datetime',
             description: 'Timestamp when this label was created.',
           },
+          sig: {
+            type: 'bytes',
+            description: 'Signature of dag-cbor encoded label.',
+          },
         },
       },
       selfLabels: {
diff --git a/packages/bsky/src/lexicon/types/com/atproto/label/defs.ts b/packages/bsky/src/lexicon/types/com/atproto/label/defs.ts
index 66226677a5b..935b2aa4bb3 100644
--- a/packages/bsky/src/lexicon/types/com/atproto/label/defs.ts
+++ b/packages/bsky/src/lexicon/types/com/atproto/label/defs.ts
@@ -8,6 +8,8 @@ import { CID } from 'multiformats/cid'
 
 /** Metadata tag on an atproto resource (eg, repo or record). */
 export interface Label {
+  /** The AT Protocol version of the label object. */
+  ver?: number
   /** DID of the actor who created this label. */
   src: string
   /** AT URI of the record, repository (account), or other resource that this label applies to. */
@@ -20,6 +22,8 @@ export interface Label {
   neg?: boolean
   /** Timestamp when this label was created. */
   cts: string
+  /** Signature of dag-cbor encoded label. */
+  sig?: Uint8Array
   [k: string]: unknown
 }
 
diff --git a/packages/ozone/src/api/label/queryLabels.ts b/packages/ozone/src/api/label/queryLabels.ts
index 6de6380d194..38d83020fe5 100644
--- a/packages/ozone/src/api/label/queryLabels.ts
+++ b/packages/ozone/src/api/label/queryLabels.ts
@@ -2,7 +2,6 @@ import { Server } from '../../lexicon'
 import AppContext from '../../context'
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { sql } from 'kysely'
-import { formatLabel } from '../../mod-service/util'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.label.queryLabels(async ({ params }) => {
@@ -44,7 +43,10 @@ export default function (server: Server, ctx: AppContext) {
 
     const res = await builder.execute()
 
-    const labels = res.map((l) => formatLabel(l))
+    const modSrvc = ctx.modService(ctx.db)
+    const labels = await Promise.all(
+      res.map((l) => modSrvc.views.formatLabelAndEnsureSig(l)),
+    )
     const resCursor = res.at(-1)?.id.toString(10)
 
     return {
diff --git a/packages/ozone/src/api/temp/fetchLabels.ts b/packages/ozone/src/api/temp/fetchLabels.ts
index d1a3f5e8e26..716c87a86bd 100644
--- a/packages/ozone/src/api/temp/fetchLabels.ts
+++ b/packages/ozone/src/api/temp/fetchLabels.ts
@@ -1,6 +1,5 @@
 import { Server } from '../../lexicon'
 import AppContext from '../../context'
-import { formatLabel } from '../../mod-service/util'
 import {
   UNSPECCED_TAKEDOWN_BLOBS_LABEL,
   UNSPECCED_TAKEDOWN_LABEL,
@@ -29,7 +28,10 @@ export default function (server: Server, ctx: AppContext) {
         .limit(limit)
         .execute()
 
-      const labels = labelRes.map((l) => formatLabel(l))
+      const modSrvc = ctx.modService(ctx.db)
+      const labels = await Promise.all(
+        labelRes.map((l) => modSrvc.views.formatLabelAndEnsureSig(l)),
+      )
 
       return {
         encoding: 'application/json',
diff --git a/packages/ozone/src/context.ts b/packages/ozone/src/context.ts
index 59a1baff704..b7d9a3e9e89 100644
--- a/packages/ozone/src/context.ts
+++ b/packages/ozone/src/context.ts
@@ -16,6 +16,7 @@ import {
 } from './communication-service/template'
 import { AuthVerifier } from './auth-verifier'
 import { ImageInvalidator } from './image-invalidator'
+import { getSigningKeyId } from './util'
 
 export type AppContextOptions = {
   db: Database
@@ -25,6 +26,7 @@ export type AppContextOptions = {
   appviewAgent: AtpAgent
   pdsAgent: AtpAgent | undefined
   signingKey: Keypair
+  signingKeyId: number
   idResolver: IdResolver
   imgInvalidator?: ImageInvalidator
   backgroundQueue: BackgroundQueue
@@ -48,6 +50,7 @@ export class AppContext {
       poolIdleTimeoutMs: cfg.db.poolIdleTimeoutMs,
     })
     const signingKey = await Secp256k1Keypair.import(secrets.signingKeyHex)
+    const signingKeyId = await getSigningKeyId(db, signingKey.did())
     const appviewAgent = new AtpAgent({ service: cfg.appview.url })
     const pdsAgent = cfg.pds
       ? new AtpAgent({ service: cfg.pds.url })
@@ -71,20 +74,20 @@ export class AppContext {
     })
 
     const modService = ModerationService.creator(
+      signingKey,
+      signingKeyId,
       cfg,
       backgroundQueue,
       idResolver,
       eventPusher,
       appviewAgent,
       createAuthHeaders,
-      cfg.service.did,
       overrides?.imgInvalidator,
-      cfg.cdn.paths,
     )
 
     const communicationTemplateService = CommunicationTemplateService.creator()
 
-    const sequencer = new Sequencer(db)
+    const sequencer = new Sequencer(modService(db))
 
     const authVerifier = new AuthVerifier(idResolver, {
       serviceDid: cfg.service.did,
@@ -103,6 +106,7 @@ export class AppContext {
         appviewAgent,
         pdsAgent,
         signingKey,
+        signingKeyId,
         idResolver,
         backgroundQueue,
         sequencer,
@@ -149,6 +153,10 @@ export class AppContext {
     return this.opts.signingKey
   }
 
+  get signingKeyId(): number {
+    return this.opts.signingKeyId
+  }
+
   get plcClient(): plc.Client {
     return new plc.Client(this.cfg.identity.plcUrl)
   }
@@ -188,6 +196,12 @@ export class AppContext {
   async appviewAuth() {
     return this.serviceAuthHeaders(this.cfg.appview.did)
   }
-}
 
+  devOverride(overrides: Partial<AppContextOptions>) {
+    this.opts = {
+      ...this.opts,
+      ...overrides,
+    }
+  }
+}
 export default AppContext
diff --git a/packages/ozone/src/daemon/context.ts b/packages/ozone/src/daemon/context.ts
index 12c0ece9b17..64cf3c9423e 100644
--- a/packages/ozone/src/daemon/context.ts
+++ b/packages/ozone/src/daemon/context.ts
@@ -8,6 +8,7 @@ import { EventReverser } from './event-reverser'
 import { ModerationService, ModerationServiceCreator } from '../mod-service'
 import { BackgroundQueue } from '../background'
 import { IdResolver } from '@atproto/identity'
+import { getSigningKeyId } from '../util'
 
 export type DaemonContextOptions = {
   db: Database
@@ -31,6 +32,7 @@ export class DaemonContext {
       schema: cfg.db.postgresSchema,
     })
     const signingKey = await Secp256k1Keypair.import(secrets.signingKeyHex)
+    const signingKeyId = await getSigningKeyId(db, signingKey.did())
 
     const appviewAgent = new AtpAgent({ service: cfg.appview.url })
     const createAuthHeaders = (aud: string) =>
@@ -51,13 +53,14 @@ export class DaemonContext {
     })
 
     const modService = ModerationService.creator(
+      signingKey,
+      signingKeyId,
       cfg,
       backgroundQueue,
       idResolver,
       eventPusher,
       appviewAgent,
       createAuthHeaders,
-      cfg.service.did,
     )
 
     const eventReverser = new EventReverser(db, modService)
diff --git a/packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts b/packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts
new file mode 100644
index 00000000000..098d4c4b672
--- /dev/null
+++ b/packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts
@@ -0,0 +1,23 @@
+import { Kysely, sql } from 'kysely'
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  await db.schema
+    .alterTable('label')
+    .addColumn('sig', sql`bytea`)
+    .execute()
+  await db.schema
+    .alterTable('label')
+    .addColumn('signingKeyId', 'integer')
+    .execute()
+  await db.schema
+    .createTable('signing_key')
+    .addColumn('id', 'serial', (col) => col.primaryKey())
+    .addColumn('key', 'varchar', (col) => col.notNull().unique())
+    .execute()
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.dropTable('signing_key')
+  await db.schema.alterTable('label').dropColumn('sig').execute()
+  await db.schema.alterTable('label').dropColumn('signingKey').execute()
+}
diff --git a/packages/ozone/src/db/migrations/index.ts b/packages/ozone/src/db/migrations/index.ts
index 1a823f860c5..1281f12c7f1 100644
--- a/packages/ozone/src/db/migrations/index.ts
+++ b/packages/ozone/src/db/migrations/index.ts
@@ -6,3 +6,4 @@ export * as _20231219T205730722Z from './20231219T205730722Z-init'
 export * as _20240116T085607200Z from './20240116T085607200Z-communication-template'
 export * as _20240201T051104136Z from './20240201T051104136Z-mod-event-blobs'
 export * as _20240208T213404429Z from './20240208T213404429Z-add-tags-column-to-moderation-subject'
+export * as _20240228T003647759Z from './20240228T003647759Z-add-label-sigs'
diff --git a/packages/ozone/src/db/schema/index.ts b/packages/ozone/src/db/schema/index.ts
index b522a75ef9f..48e3f15cdc5 100644
--- a/packages/ozone/src/db/schema/index.ts
+++ b/packages/ozone/src/db/schema/index.ts
@@ -5,11 +5,13 @@ import * as repoPushEvent from './repo_push_event'
 import * as recordPushEvent from './record_push_event'
 import * as blobPushEvent from './blob_push_event'
 import * as label from './label'
+import * as signingKey from './signing_key'
 import * as communicationTemplate from './communication_template'
 
 export type DatabaseSchemaType = modEvent.PartialDB &
   modSubjectStatus.PartialDB &
   label.PartialDB &
+  signingKey.PartialDB &
   repoPushEvent.PartialDB &
   recordPushEvent.PartialDB &
   blobPushEvent.PartialDB &
diff --git a/packages/ozone/src/db/schema/label.ts b/packages/ozone/src/db/schema/label.ts
index f50a6119ab3..d19937ce59d 100644
--- a/packages/ozone/src/db/schema/label.ts
+++ b/packages/ozone/src/db/schema/label.ts
@@ -10,6 +10,8 @@ export interface Label {
   val: string
   neg: boolean
   cts: string
+  sig: Buffer | null
+  signingKeyId: number | null
 }
 
 export type LabelRow = Selectable<Label>
diff --git a/packages/ozone/src/db/schema/signing_key.ts b/packages/ozone/src/db/schema/signing_key.ts
new file mode 100644
index 00000000000..654fae9bbfc
--- /dev/null
+++ b/packages/ozone/src/db/schema/signing_key.ts
@@ -0,0 +1,10 @@
+import { Generated } from 'kysely'
+
+export const tableName = 'signing_key'
+
+export interface SigningKey {
+  id: Generated<number>
+  key: string
+}
+
+export type PartialDB = { [tableName]: SigningKey }
diff --git a/packages/ozone/src/lexicon/lexicons.ts b/packages/ozone/src/lexicon/lexicons.ts
index 635e9e19e60..afc7ed866b1 100644
--- a/packages/ozone/src/lexicon/lexicons.ts
+++ b/packages/ozone/src/lexicon/lexicons.ts
@@ -2202,6 +2202,10 @@ export const schemaDict = {
           'Metadata tag on an atproto resource (eg, repo or record).',
         required: ['src', 'uri', 'val', 'cts'],
         properties: {
+          ver: {
+            type: 'integer',
+            description: 'The AT Protocol version of the label object.',
+          },
           src: {
             type: 'string',
             format: 'did',
@@ -2235,6 +2239,10 @@ export const schemaDict = {
             format: 'datetime',
             description: 'Timestamp when this label was created.',
           },
+          sig: {
+            type: 'bytes',
+            description: 'Signature of dag-cbor encoded label.',
+          },
         },
       },
       selfLabels: {
diff --git a/packages/ozone/src/lexicon/types/com/atproto/label/defs.ts b/packages/ozone/src/lexicon/types/com/atproto/label/defs.ts
index 66226677a5b..935b2aa4bb3 100644
--- a/packages/ozone/src/lexicon/types/com/atproto/label/defs.ts
+++ b/packages/ozone/src/lexicon/types/com/atproto/label/defs.ts
@@ -8,6 +8,8 @@ import { CID } from 'multiformats/cid'
 
 /** Metadata tag on an atproto resource (eg, repo or record). */
 export interface Label {
+  /** The AT Protocol version of the label object. */
+  ver?: number
   /** DID of the actor who created this label. */
   src: string
   /** AT URI of the record, repository (account), or other resource that this label applies to. */
@@ -20,6 +22,8 @@ export interface Label {
   neg?: boolean
   /** Timestamp when this label was created. */
   cts: string
+  /** Signature of dag-cbor encoded label. */
+  sig?: Uint8Array
   [k: string]: unknown
 }
 
diff --git a/packages/ozone/src/mod-service/index.ts b/packages/ozone/src/mod-service/index.ts
index f6fb63bd06c..671c93990a6 100644
--- a/packages/ozone/src/mod-service/index.ts
+++ b/packages/ozone/src/mod-service/index.ts
@@ -4,6 +4,7 @@ import { CID } from 'multiformats/cid'
 import { AtUri, INVALID_HANDLE } from '@atproto/syntax'
 import { InvalidRequestError } from '@atproto/xrpc-server'
 import { addHoursToDate } from '@atproto/common'
+import { Keypair } from '@atproto/crypto'
 import { IdResolver } from '@atproto/identity'
 import AtpAgent from '@atproto/api'
 import { Database } from '../db'
@@ -46,6 +47,7 @@ import { LabelChannel } from '../db/schema/label'
 import { BlobPushEvent } from '../db/schema/blob_push_event'
 import { BackgroundQueue } from '../background'
 import { EventPusher } from '../daemon'
+import { formatLabel, formatLabelRow, signLabel } from './util'
 import { ImageInvalidator } from '../image-invalidator'
 import { httpLogger as log } from '../logger'
 import { OzoneConfig } from '../config'
@@ -55,45 +57,49 @@ export type ModerationServiceCreator = (db: Database) => ModerationService
 export class ModerationService {
   constructor(
     public db: Database,
+    public signingKey: Keypair,
+    public signingKeyId: number,
     public cfg: OzoneConfig,
     public backgroundQueue: BackgroundQueue,
     public idResolver: IdResolver,
     public eventPusher: EventPusher,
     public appviewAgent: AtpAgent,
     private createAuthHeaders: (aud: string) => Promise<AuthHeaders>,
-    public serverDid: string,
     public imgInvalidator?: ImageInvalidator,
-    public cdnPaths?: string[],
   ) {}
 
   static creator(
+    signingKey: Keypair,
+    signingKeyId: number,
     cfg: OzoneConfig,
     backgroundQueue: BackgroundQueue,
     idResolver: IdResolver,
     eventPusher: EventPusher,
     appviewAgent: AtpAgent,
     createAuthHeaders: (aud: string) => Promise<AuthHeaders>,
-    serverDid: string,
     imgInvalidator?: ImageInvalidator,
-    cdnPaths?: string[],
   ) {
     return (db: Database) =>
       new ModerationService(
         db,
+        signingKey,
+        signingKeyId,
         cfg,
         backgroundQueue,
         idResolver,
         eventPusher,
         appviewAgent,
         createAuthHeaders,
-        serverDid,
         imgInvalidator,
-        cdnPaths,
       )
   }
 
-  views = new ModerationViews(this.db, this.appviewAgent, () =>
-    this.createAuthHeaders(this.cfg.appview.did),
+  views = new ModerationViews(
+    this.db,
+    this.signingKey,
+    this.signingKeyId,
+    this.appviewAgent,
+    () => this.createAuthHeaders(this.cfg.appview.did),
   )
 
   async getEvent(id: number): Promise<ModerationEventRow | undefined> {
@@ -597,7 +603,7 @@ export class ModerationService {
           if (this.imgInvalidator) {
             await Promise.allSettled(
               (subject.blobCids ?? []).map((cid) => {
-                const paths = (this.cdnPaths ?? []).map((path) =>
+                const paths = (this.cfg.cdn.paths ?? []).map((path) =>
                   path.replace('%s', subject.did).replace('%s', cid),
                 )
                 return this.imgInvalidator
@@ -876,7 +882,7 @@ export class ModerationService {
   ): Promise<Label[]> {
     const { create = [], negate = [] } = labels
     const toCreate = create.map((val) => ({
-      src: this.serverDid,
+      src: this.cfg.service.did,
       uri,
       cid: cid ?? undefined,
       val,
@@ -884,7 +890,7 @@ export class ModerationService {
       cts: new Date().toISOString(),
     }))
     const toNegate = negate.map((val) => ({
-      src: this.serverDid,
+      src: this.cfg.service.did,
       uri,
       cid: cid ?? undefined,
       val,
@@ -892,21 +898,19 @@ export class ModerationService {
       cts: new Date().toISOString(),
     }))
     const formatted = [...toCreate, ...toNegate]
-    await this.createLabels(formatted)
-    return formatted
+    return this.createLabels(formatted)
   }
 
-  async createLabels(labels: Label[]) {
-    if (labels.length < 1) return
-    const dbVals = labels.map((l) => ({
-      ...l,
-      cid: l.cid ?? '',
-      neg: !!l.neg,
-    }))
+  async createLabels(labels: Label[]): Promise<Label[]> {
+    if (labels.length < 1) return []
+    const signedLabels = await Promise.all(
+      labels.map((l) => signLabel(l, this.signingKey)),
+    )
+    const dbVals = signedLabels.map((l) => formatLabelRow(l, this.signingKeyId))
     const { ref } = this.db.db.dynamic
     await sql`notify ${ref(LabelChannel)}`.execute(this.db.db)
     const excluded = (col: string) => ref(`excluded.${col}`)
-    await this.db.db
+    const res = await this.db.db
       .insertInto('label')
       .values(dbVals)
       .onConflict((oc) =>
@@ -916,7 +920,9 @@ export class ModerationService {
           cts: sql`${excluded('cts')}`,
         }),
       )
+      .returningAll()
       .execute()
+    return res.map((row) => formatLabel(row))
   }
 
   async sendEmail(opts: {
diff --git a/packages/ozone/src/mod-service/util.ts b/packages/ozone/src/mod-service/util.ts
index ec4de26c3ad..2fc50974560 100644
--- a/packages/ozone/src/mod-service/util.ts
+++ b/packages/ozone/src/mod-service/util.ts
@@ -1,17 +1,58 @@
+import { cborEncode, noUndefinedVals } from '@atproto/common'
+import { Keypair } from '@atproto/crypto'
 import { LabelRow } from '../db/schema/label'
 import { Label } from '../lexicon/types/com/atproto/label/defs'
 
+export type SignedLabel = Label & { sig: Uint8Array }
+
 export const formatLabel = (row: LabelRow): Label => {
-  const label: Label = {
+  return noUndefinedVals({
+    ver: 1,
     src: row.src,
     uri: row.uri,
+    cid: row.cid === '' ? undefined : row.cid,
     val: row.val,
     neg: row.neg,
     cts: row.cts,
+    sig: row.sig ? new Uint8Array(row.sig) : undefined,
+  }) as Label
+}
+
+export const formatLabelRow = (
+  label: Label,
+  signingKeyId?: number,
+): Omit<LabelRow, 'id'> => {
+  return {
+    src: label.src,
+    uri: label.uri,
+    cid: label.cid ?? '',
+    val: label.val,
+    neg: !!label.neg,
+    cts: label.cts,
+    sig: label.sig ? Buffer.from(label.sig) : null,
+    signingKeyId: signingKeyId ?? null,
   }
-  if (row.cid !== '') {
-    // @NOTE avoiding undefined values on label, which dag-cbor chokes on when serializing.
-    label.cid = row.cid
+}
+
+export const signLabel = async (
+  label: Label,
+  signingKey: Keypair,
+): Promise<SignedLabel> => {
+  const { ver, src, uri, cid, val, neg, cts } = label
+  const reformatted = noUndefinedVals({
+    ver: ver ?? 1,
+    src,
+    uri,
+    cid,
+    val,
+    neg,
+    cts,
+  }) as Label
+
+  const bytes = cborEncode(reformatted)
+  const sig = await signingKey.sign(bytes)
+  return {
+    ...reformatted,
+    sig,
   }
-  return label
 }
diff --git a/packages/ozone/src/mod-service/views.ts b/packages/ozone/src/mod-service/views.ts
index f65fd68b480..3aa9e4935c8 100644
--- a/packages/ozone/src/mod-service/views.ts
+++ b/packages/ozone/src/mod-service/views.ts
@@ -3,6 +3,7 @@ import { AtUri, INVALID_HANDLE, normalizeDatetimeAlways } from '@atproto/syntax'
 import AtpAgent, { AppBskyFeedDefs } from '@atproto/api'
 import { dedupeStrs } from '@atproto/common'
 import { BlobRef } from '@atproto/lexicon'
+import { Keypair } from '@atproto/crypto'
 import { Database } from '../db'
 import {
   ModEventView,
@@ -24,8 +25,10 @@ import {
 } from './types'
 import { REASONOTHER } from '../lexicon/types/com/atproto/moderation/defs'
 import { subjectFromEventRow, subjectFromStatusRow } from './subject'
-import { formatLabel } from './util'
-import { httpLogger as log } from '../logger'
+import { formatLabel, signLabel } from './util'
+import { LabelRow } from '../db/schema/label'
+import { dbLogger } from '../logger'
+import { httpLogger } from '../logger'
 
 export type AuthHeaders = {
   headers: {
@@ -36,6 +39,8 @@ export type AuthHeaders = {
 export class ModerationViews {
   constructor(
     private db: Database,
+    private signingKey: Keypair,
+    private signingKeyId: number,
     private appviewAgent: AtpAgent,
     private appviewAuth: () => Promise<AuthHeaders>,
   ) {}
@@ -55,7 +60,10 @@ export class ModerationViews {
         return acc.set(cur.did, cur)
       }, new Map<string, AccountView>())
     } catch (err) {
-      log.error({ err, dids }, 'failed to resolve account infos from appview')
+      httpLogger.error(
+        { err, dids },
+        'failed to resolve account infos from appview',
+      )
       return new Map()
     }
   }
@@ -408,7 +416,25 @@ export class ModerationViews {
       .if(!includeNeg, (qb) => qb.where('neg', '=', false))
       .selectAll()
       .execute()
-    return res.map((l) => formatLabel(l))
+    return Promise.all(res.map((l) => this.formatLabelAndEnsureSig(l)))
+  }
+
+  async formatLabelAndEnsureSig(row: LabelRow) {
+    const formatted = formatLabel(row)
+    if (!!row.sig && row.signingKeyId === this.signingKeyId) {
+      return formatted
+    }
+    const signed = await signLabel(formatted, this.signingKey)
+    try {
+      await this.db.db
+        .updateTable('label')
+        .set({ sig: Buffer.from(signed.sig), signingKeyId: this.signingKeyId })
+        .where('id', '=', row.id)
+        .execute()
+    } catch (err) {
+      dbLogger.error({ err, label: row }, 'failed to update resigned label')
+    }
+    return signed
   }
 
   async getSubjectStatus(
diff --git a/packages/ozone/src/sequencer/sequencer.ts b/packages/ozone/src/sequencer/sequencer.ts
index d7292a0d05a..aac7fcf802b 100644
--- a/packages/ozone/src/sequencer/sequencer.ts
+++ b/packages/ozone/src/sequencer/sequencer.ts
@@ -1,24 +1,26 @@
 import EventEmitter from 'events'
 import TypedEmitter from 'typed-emitter'
+import { Selectable } from 'kysely'
+import { PoolClient } from 'pg'
 import { seqLogger as log } from '../logger'
 import Database from '../db'
 import { Labels as LabelsEvt } from '../lexicon/types/com/atproto/label/subscribeLabels'
 import { LabelChannel, Label as LabelTable } from '../db/schema/label'
-import { Selectable } from 'kysely'
-import { formatLabel } from '../mod-service/util'
-import { PoolClient } from 'pg'
+import { ModerationService } from '../mod-service'
 
 export type { Labels as LabelsEvt } from '../lexicon/types/com/atproto/label/subscribeLabels'
 type LabelRow = Selectable<LabelTable>
 
 export class Sequencer extends (EventEmitter as new () => SequencerEmitter) {
+  db: Database
   destroyed = false
   pollPromise: Promise<void> | undefined
   queued = false
   conn: PoolClient | undefined
 
-  constructor(public db: Database, public lastSeen = 0) {
+  constructor(public modSrvc: ModerationService, public lastSeen = 0) {
     super()
+    this.db = modSrvc.db
     // note: this does not err when surpassed, just prints a warning to stderr
     this.setMaxListeners(100)
   }
@@ -89,13 +91,12 @@ export class Sequencer extends (EventEmitter as new () => SequencerEmitter) {
       return []
     }
 
-    const evts: LabelsEvt[] = []
-    for (const row of rows) {
-      evts.push({
-        seq: row.id,
-        labels: [formatLabel(row)],
-      })
-    }
+    const evts: LabelsEvt[] = await Promise.all(
+      rows.map(async (row) => {
+        const formatted = await this.modSrvc.views.formatLabelAndEnsureSig(row)
+        return { seq: row.id, labels: [formatted] }
+      }),
+    )
 
     return evts
   }
diff --git a/packages/ozone/src/util.ts b/packages/ozone/src/util.ts
index ab96998642a..8ce6df40157 100644
--- a/packages/ozone/src/util.ts
+++ b/packages/ozone/src/util.ts
@@ -1,6 +1,27 @@
 import { AxiosError } from 'axios'
 import { XRPCError, ResponseType } from '@atproto/xrpc'
 import { RetryOptions, retry } from '@atproto/common'
+import Database from './db'
+
+export const getSigningKeyId = async (
+  db: Database,
+  signingKey: string,
+): Promise<number> => {
+  const selectRes = await db.db
+    .selectFrom('signing_key')
+    .selectAll()
+    .where('key', '=', signingKey)
+    .executeTakeFirst()
+  if (selectRes) {
+    return selectRes.id
+  }
+  const insertRes = await db.db
+    .insertInto('signing_key')
+    .values({ key: signingKey })
+    .returningAll()
+    .executeTakeFirstOrThrow()
+  return insertRes.id
+}
 
 export async function retryHttp<T>(
   fn: () => Promise<T>,
diff --git a/packages/ozone/tests/__snapshots__/get-record.test.ts.snap b/packages/ozone/tests/__snapshots__/get-record.test.ts.snap
index 23090b631b3..0de6e23df61 100644
--- a/packages/ozone/tests/__snapshots__/get-record.test.ts.snap
+++ b/packages/ozone/tests/__snapshots__/get-record.test.ts.snap
@@ -11,9 +11,13 @@ Object {
       "cid": "cids(0)",
       "cts": "1970-01-01T00:00:00.000Z",
       "neg": false,
+      "sig": Object {
+        "$bytes": "sig(0)",
+      },
       "src": "user(2)",
       "uri": "record(0)",
       "val": "!unspecced-takedown",
+      "ver": 1,
     },
     Object {
       "cid": "cids(0)",
@@ -108,9 +112,13 @@ Object {
       "cid": "cids(0)",
       "cts": "1970-01-01T00:00:00.000Z",
       "neg": false,
+      "sig": Object {
+        "$bytes": "sig(0)",
+      },
       "src": "user(2)",
       "uri": "record(0)",
       "val": "!unspecced-takedown",
+      "ver": 1,
     },
     Object {
       "cid": "cids(0)",
diff --git a/packages/ozone/tests/__snapshots__/get-repo.test.ts.snap b/packages/ozone/tests/__snapshots__/get-repo.test.ts.snap
index 2ae1b8b2a48..e4528d2a67f 100644
--- a/packages/ozone/tests/__snapshots__/get-repo.test.ts.snap
+++ b/packages/ozone/tests/__snapshots__/get-repo.test.ts.snap
@@ -12,9 +12,13 @@ Object {
     Object {
       "cts": "1970-01-01T00:00:00.000Z",
       "neg": false,
+      "sig": Object {
+        "$bytes": "sig(0)",
+      },
       "src": "user(2)",
       "uri": "user(0)",
       "val": "!unspecced-takedown",
+      "ver": 1,
     },
   ],
   "moderation": Object {
diff --git a/packages/ozone/tests/_util.ts b/packages/ozone/tests/_util.ts
index 8d39a0f9c2c..546e210cf37 100644
--- a/packages/ozone/tests/_util.ts
+++ b/packages/ozone/tests/_util.ts
@@ -16,6 +16,7 @@ export const forSnapshot = (obj: unknown) => {
   const collections = { [kTake]: 'collection' }
   const users = { [kTake]: 'user' }
   const cids = { [kTake]: 'cids' }
+  const sigs = { [kTake]: 'sig' }
   const unknown = { [kTake]: 'unknown' }
   const toWalk = lexToJson(obj as any) // remove any blobrefs/cids
   return mapLeafValues(toWalk, (item) => {
@@ -61,6 +62,10 @@ export const forSnapshot = (obj: unknown) => {
       const [, did, cid] = match
       return str.replace(did, take(users, did)).replace(cid, take(cids, cid))
     }
+    // decent check for 64-byte base64 encoded signatures
+    if (str.length === 86 && !str.includes(' ')) {
+      return take(sigs, str)
+    }
     let isCid: boolean
     try {
       CID.parse(str)
diff --git a/packages/ozone/tests/query-labels.test.ts b/packages/ozone/tests/query-labels.test.ts
index 2b4bf540450..e8f49a5e53c 100644
--- a/packages/ozone/tests/query-labels.test.ts
+++ b/packages/ozone/tests/query-labels.test.ts
@@ -3,10 +3,14 @@ import { TestNetwork } from '@atproto/dev-env'
 import { DisconnectError, Subscription } from '@atproto/xrpc-server'
 import { ids, lexicons } from '../src/lexicon/lexicons'
 import { Label } from '../src/lexicon/types/com/atproto/label/defs'
+import { Secp256k1Keypair, verifySignature } from '@atproto/crypto'
+import { cborEncode } from '@atproto/common'
+import { ModerationService } from '../src/mod-service'
 import {
   OutputSchema as LabelMessage,
   isLabels,
 } from '../src/lexicon/types/com/atproto/label/subscribeLabels'
+import { getSigningKeyId } from '../src/util'
 
 describe('ozone query labels', () => {
   let network: TestNetwork
@@ -21,7 +25,7 @@ describe('ozone query labels', () => {
 
     agent = network.ozone.getClient()
 
-    labels = [
+    const toCreate = [
       {
         src: 'did:example:labeler',
         uri: 'did:example:blah',
@@ -67,7 +71,7 @@ describe('ozone query labels', () => {
     ]
 
     const modService = network.ozone.ctx.modService(network.ozone.ctx.db)
-    await modService.createLabels(labels)
+    labels = await modService.createLabels(toCreate)
   })
 
   afterAll(async () => {
@@ -128,6 +132,72 @@ describe('ozone query labels', () => {
     )
   })
 
+  it('returns validly signed labels', async () => {
+    const res = await agent.api.com.atproto.label.queryLabels({
+      uriPatterns: ['*'],
+    })
+    const signingKey = network.ozone.ctx.signingKey.did()
+    for (const label of res.data.labels) {
+      const { sig, ...rest } = label
+      if (!sig) {
+        throw new Error('Missing signature')
+      }
+      const encodedLabel = cborEncode(rest)
+      const isValid = await verifySignature(signingKey, encodedLabel, sig)
+      expect(isValid).toBe(true)
+    }
+  })
+
+  it('resigns labels if the signingKey changes', async () => {
+    // mock changing the signing key for the service
+    const ctx = network.ozone.ctx
+    const origModServiceFn = ctx.modService
+
+    const modSrvc = ctx.modService(ctx.db)
+    const newSigningKey = await Secp256k1Keypair.create()
+    const newSigningKeyId = await getSigningKeyId(ctx.db, newSigningKey.did())
+    ctx.devOverride({
+      modService: ModerationService.creator(
+        newSigningKey,
+        newSigningKeyId,
+        ctx.cfg,
+        modSrvc.backgroundQueue,
+        ctx.idResolver,
+        modSrvc.eventPusher,
+        modSrvc.appviewAgent,
+        ctx.serviceAuthHeaders,
+      ),
+    })
+
+    const res = await agent.api.com.atproto.label.queryLabels({
+      uriPatterns: ['*'],
+    })
+    for (const label of res.data.labels) {
+      const { sig, ...rest } = label
+      if (!sig) {
+        throw new Error('Missing signature')
+      }
+      const encodedLabel = cborEncode(rest)
+      const isValid = await verifySignature(
+        newSigningKey.did(),
+        encodedLabel,
+        sig,
+      )
+      expect(isValid).toBe(true)
+    }
+
+    await network.ozone.processAll()
+
+    const fromDb = await ctx.db.db.selectFrom('label').selectAll().execute()
+    expect(fromDb.every((row) => row.signingKeyId === newSigningKeyId)).toBe(
+      true,
+    )
+
+    ctx.devOverride({
+      modService: origModServiceFn,
+    })
+  })
+
   describe('subscribeLabels', () => {
     it('streams all labels from initial cursor.', async () => {
       const ac = new AbortController()
@@ -154,7 +224,13 @@ describe('ozone query labels', () => {
       for await (const message of sub) {
         resetDoneTimer()
         if (isLabels(message)) {
-          streamedLabels.push(...message.labels)
+          for (const label of message.labels) {
+            // sigs are currently parsed as a Buffer which is a Uint8Array under the hood, but fails our equality test so we cast to Uint8Array
+            streamedLabels.push({
+              ...label,
+              sig: label.sig ? new Uint8Array(label.sig) : undefined,
+            })
+          }
         }
       }
       expect(streamedLabels).toEqual(labels)
diff --git a/packages/ozone/tests/sequencer.test.ts b/packages/ozone/tests/sequencer.test.ts
index b109aa7b7b1..1f5e3dee35c 100644
--- a/packages/ozone/tests/sequencer.test.ts
+++ b/packages/ozone/tests/sequencer.test.ts
@@ -33,11 +33,13 @@ describe('sequencer', () => {
   }
 
   const evtToDbRow = (e: LabelsEvt) => {
-    const label = e.labels[0]
+    const { ver: _, ...label } = e.labels[0]
     return {
       id: e.seq,
       ...label,
       cid: label.cid ? label.cid : '',
+      sig: label.sig ? Buffer.from(label.sig) : null,
+      signingKeyId: network.ozone.ctx.signingKeyId,
     }
   }
 
diff --git a/packages/pds/src/lexicon/lexicons.ts b/packages/pds/src/lexicon/lexicons.ts
index 635e9e19e60..afc7ed866b1 100644
--- a/packages/pds/src/lexicon/lexicons.ts
+++ b/packages/pds/src/lexicon/lexicons.ts
@@ -2202,6 +2202,10 @@ export const schemaDict = {
           'Metadata tag on an atproto resource (eg, repo or record).',
         required: ['src', 'uri', 'val', 'cts'],
         properties: {
+          ver: {
+            type: 'integer',
+            description: 'The AT Protocol version of the label object.',
+          },
           src: {
             type: 'string',
             format: 'did',
@@ -2235,6 +2239,10 @@ export const schemaDict = {
             format: 'datetime',
             description: 'Timestamp when this label was created.',
           },
+          sig: {
+            type: 'bytes',
+            description: 'Signature of dag-cbor encoded label.',
+          },
         },
       },
       selfLabels: {
diff --git a/packages/pds/src/lexicon/types/com/atproto/label/defs.ts b/packages/pds/src/lexicon/types/com/atproto/label/defs.ts
index 66226677a5b..935b2aa4bb3 100644
--- a/packages/pds/src/lexicon/types/com/atproto/label/defs.ts
+++ b/packages/pds/src/lexicon/types/com/atproto/label/defs.ts
@@ -8,6 +8,8 @@ import { CID } from 'multiformats/cid'
 
 /** Metadata tag on an atproto resource (eg, repo or record). */
 export interface Label {
+  /** The AT Protocol version of the label object. */
+  ver?: number
   /** DID of the actor who created this label. */
   src: string
   /** AT URI of the record, repository (account), or other resource that this label applies to. */
@@ -20,6 +22,8 @@ export interface Label {
   neg?: boolean
   /** Timestamp when this label was created. */
   cts: string
+  /** Signature of dag-cbor encoded label. */
+  sig?: Uint8Array
   [k: string]: unknown
 }