# CLI crypto and compliance

Crypto commands
- crypto sign: sign files with a selected provider and algorithm.
- crypto verify: verify signatures with provider and trust policy.
- crypto profiles: list providers and run diagnostics.

Distribution matrix (summary)
- International: default providers only.
- Russia: adds GOST providers (build flag StellaOpsEnableGOST).
- EU: adds eIDAS providers (build flag StellaOpsEnableEIDAS).
- China: adds SM providers (build flag StellaOpsEnableSM).

Compliance notes
- Use the regional build that matches the deployment jurisdiction.
- Regional providers may require licensed CSPs or remote TSP endpoints.

Configuration
- Profiles select preferred providers and key sources.
- Provider credentials use environment variables or config files.
- DSSE is the default signing format for bundles and manifests.

Plugin development (summary)
- Providers implement ICryptoProvider with SignAsync and VerifyAsync.
- Optional diagnostics interface provides health checks.

Related references
- docs/cli/crypto-commands.md
- docs/cli/crypto-plugins.md
- docs/cli/compliance-guide.md
- docs/cli/distribution-matrix.md
- docs2/security/crypto-compliance.md