Flux jobs are signed by job submission tools like flux-mini(1). The signature is verified upon receipt by the Flux job-ingest service, and at launch time by flux-imp(8). A signing library provided by the flux-security project performs the cryptographic signing and verification. The library is configured by the security configuration hierarchy, as described in flux-config-security(5). One of three signing mechanisms may be configured:


The job request is enclosed in a MUNGE credential whose originating UID can be verified at any location within the MUNGE domain. This is the preferred mechanism as it has undergone the most extensive auditing.


The job request is signed and verified using public key signatures as implemented by libsodium. This mechanism was implemented as a proof of concept during design and has not yet received adequate review to be considered secure on a real system.


No-op mechanism. This mechanism is used when the submitting user and Flux instance owner are the same, as in a single user instance where signature verification is not required. DO NOT list it in the allowed-types key described below.

This page describes the keys that may be listed in the [sign] table:



An integer value that defines the length of time, in seconds, that a signature should remain valid. In effect, it limits the amount of time a job can be pending in the queue. Recommended value: 1209600 (2 weeks).


A string value that defines the default mechanism used to sign jobs if the submitting user is not the instance owner. Recommended value: "munge".


A list of mechanisms that may be considered for signature verification. Recommended value: [ "munge" ].

The following keys apply only to the munge mechanism:


A string value that overrides the default MUNGE socket path. This is needed only if the MUNGE daemon used to sign Flux jobs is running on a socket path other than the one compiled into libmunge.

The following keys apply only to the curve mechanism:


A boolean value that determines whether the signing certificate should be validated against a certificate authority before use.


A string value that overrides the signing certificate path, normally .flux/curve/sig in the user's home directory.


max-ttl = 1209600  # 2 weeks
default-type = "munge"
allowed-types = [ "munge" ]


Flux: http://flux-framework.org

RFC 15: Independent Minister of Privilege for Flux: The Security IMP: https://flux-framework.readthedocs.io/projects/flux-rfc/en/latest/spec_15.html

MUNGE (MUNGE Uid 'N' Gid Emporium) https://dun.github.io/munge/

libsodium https://doc.libsodium.org/