stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

semi implemented and features implemented save checkpoint

Browse Source
This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/features/unchecked/attestor/release-evidence-pack.md Normal file
View File

@@ -0,0 +1,32 @@
# Release Evidence Pack (Audit Pack)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Portable, verifiable audit bundles with manifest (digests of every included file), SBOM inputs, VEX docs, policy bundles, exceptions, findings, verdict, and explanation. Supports offline verification and tamper detection.
## Implementation Details
- **Release Evidence Pack Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- builds complete release evidence packs containing all attestation artifacts.
- **Release Evidence Pack Manifest**: `Models/ReleaseEvidencePackManifest.cs` -- manifest listing all included files with their SHA-256 digests for tamper detection.
- **Release Evidence Pack Serializer**: `ReleaseEvidencePackSerializer.cs` -- serializes evidence packs to a portable format (ZIP/tar with manifest).
- **Verification Replay Log**: `Models/VerificationReplayLog.cs` -- log of verification steps for replay and audit.
- **Verification Replay Log Builder**: `Services/VerificationReplayLogBuilder.cs` -- builds verification replay logs from pipeline execution.
- **Replay Log Serializer Context**: `Services/ReplayLogSerializerContext.cs` -- serializer context for replay logs.
- **Templates**: `Templates/VERIFY.md.template`, `verify-unix.template`, `verify.ps1.template` -- verification instruction templates included in the pack for offline verification.
- **Attestation Bundler**: `__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs` -- bundles individual attestations into the evidence pack.
- **Sigstore Bundle Verifier**: `__Libraries/StellaOps.Attestor.Bundle/SigstoreBundleVerifier.cs` -- verifies Sigstore bundles within the evidence pack.
- **Tests**: `__Tests/StellaOps.Attestor.EvidencePack.Tests/`
## E2E Test Plan
- [ ] Build a release evidence pack via `ReleaseEvidencePackBuilder` with SBOM, VEX, policy bundle, findings, and verdict; verify all artifacts are included
- [ ] Verify the `ReleaseEvidencePackManifest` lists all files with correct SHA-256 digests
- [ ] Serialize the evidence pack via `ReleaseEvidencePackSerializer` and verify the output is a portable archive
- [ ] Tamper with one file in the archive and verify manifest digest verification detects the tampering
- [ ] Build a `VerificationReplayLog` and verify it captures all verification steps in order
- [ ] Verify the evidence pack includes verification instruction templates (VERIFY.md, verify-unix, verify.ps1) for offline verification
- [ ] Import a previously exported evidence pack and verify all attestation signatures are valid
- [ ] Verify `SigstoreBundleVerifier` validates Sigstore bundles within the evidence pack