feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
- Introduced a new VEX compact fixture for testing purposes. - Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests. - Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations. - Documented tasks related to the Mirror Creator. - Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs. - Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases. - Added tests for symbol ID normalization in the reachability scanner. - Enhanced console status service with comprehensive unit tests for connection handling and error recovery. - Included Cosign tool version 2.6.0 with checksums for various platforms.
@@ -1,24 +1,59 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
ROOT="$(cd "$(dirname "$0")" && pwd)"
|
||||
cd "$ROOT"
|
||||
|
||||
if ! command -v sha256sum >/dev/null; then
|
||||
echo "sha256sum required" >&2; exit 1
|
||||
fi
|
||||
ROOT="$(cd "$(dirname "$0")" && pwd)"
|
||||
MODULE_ROOT="${ROOT}/.."
|
||||
cd "$MODULE_ROOT"
|
||||
export MODULE_ROOT
|
||||
|
||||
command -v sha256sum >/dev/null || { echo "sha256sum required" >&2; exit 1; }
|
||||
command -v python >/dev/null || { echo "python required" >&2; exit 1; }
|
||||
|
||||
sha256sum --check SHA256SUMS
|
||||
if command -v cosign >/dev/null && [ -f cosign.pub ]; then
|
||||
echo "cosign present; DSSE verification placeholders (update paths when signed):"
|
||||
echo "- observer_event.schema.dsse"
|
||||
echo "- webhook_admission.schema.dsse"
|
||||
echo "- thresholds.dsse"
|
||||
# Example commands (uncomment once DSSE files exist):
|
||||
# cosign verify-blob --key cosign.pub --signature observer_event.schema.dsse schemas/observer_event.schema.json
|
||||
# cosign verify-blob --key cosign.pub --signature webhook_admission.schema.dsse schemas/webhook_admission.schema.json
|
||||
# cosign verify-blob --key cosign.pub --signature thresholds.dsse thresholds.yaml
|
||||
else
|
||||
echo "cosign not found or cosign.pub missing; skipped DSSE verification"
|
||||
fi
|
||||
|
||||
echo "OK: hashes verified (DSSE verification pending)"
|
||||
python - <<'PY'
|
||||
import base64, json, os, sys
|
||||
from pathlib import Path
|
||||
|
||||
try:
|
||||
from cryptography.hazmat.primitives.asymmetric import ed25519
|
||||
except Exception as exc:
|
||||
raise SystemExit(f"cryptography package required for DSSE verification: {exc}")
|
||||
|
||||
root = Path(os.environ['MODULE_ROOT']).resolve()
|
||||
pub_b64 = (root / "kit" / "ed25519.pub").read_text().strip()
|
||||
pub = base64.urlsafe_b64decode(pub_b64 + "==")
|
||||
verifier = ed25519.Ed25519PublicKey.from_public_bytes(pub)
|
||||
|
||||
def pae(payload_type: bytes, payload: bytes) -> bytes:
|
||||
parts = [b"DSSEv1", str(len(payload_type)).encode(), payload_type, str(len(payload)).encode(), payload]
|
||||
return b" ".join(parts)
|
||||
|
||||
def verify(name: str, payload_path: Path, envelope_path: Path, payload_type: str):
|
||||
payload = payload_path.read_bytes()
|
||||
envelope = json.loads(envelope_path.read_text())
|
||||
if envelope.get("payloadType") != payload_type:
|
||||
raise SystemExit(f"{name}: payloadType mismatch ({envelope.get('payloadType')} != {payload_type})")
|
||||
if not envelope.get("signatures"):
|
||||
raise SystemExit(f"{name}: missing signatures")
|
||||
sig_entry = envelope["signatures"][0]
|
||||
sig = base64.urlsafe_b64decode(sig_entry["sig"] + "==")
|
||||
decoded_payload = base64.urlsafe_b64decode(envelope["payload"] + "==")
|
||||
if decoded_payload != payload:
|
||||
raise SystemExit(f"{name}: payload body mismatch vs envelope")
|
||||
verifier.verify(sig, pae(payload_type.encode(), payload))
|
||||
print(f"OK: {name}")
|
||||
|
||||
targets = [
|
||||
("observer schema", root / "schemas" / "observer_event.schema.json", root / "schemas" / "observer_event.schema.json.dsse", "application/vnd.stellaops.zastava.schema+json;name=observer_event;version=1"),
|
||||
("webhook schema", root / "schemas" / "webhook_admission.schema.json", root / "schemas" / "webhook_admission.schema.json.dsse", "application/vnd.stellaops.zastava.schema+json;name=webhook_admission;version=1"),
|
||||
("thresholds", root / "thresholds.yaml", root / "thresholds.yaml.dsse", "application/vnd.stellaops.zastava.thresholds+yaml;version=1"),
|
||||
("observer exports", root / "exports" / "observer_events.ndjson", root / "exports" / "observer_events.ndjson.dsse", "application/vnd.stellaops.zastava.observer-events+ndjson;version=1"),
|
||||
("webhook exports", root / "exports" / "webhook_admissions.ndjson", root / "exports" / "webhook_admissions.ndjson.dsse", "application/vnd.stellaops.zastava.webhook-admissions+ndjson;version=1"),
|
||||
]
|
||||
|
||||
for name, payload_path, envelope_path, ptype in targets:
|
||||
verify(name, payload_path, envelope_path, ptype)
|
||||
PY
|
||||
|
||||
echo "OK: SHA256 + DSSE signatures verified"
|
||||
|
||||
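Review bot: The verifying key in the embedded Python block is read from `root / "kit" / "ed25519.pub"`, inside the same module tree whose `schemas/`, `thresholds.yaml` and `exports/` files the `targets` loop verifies, so a replaced tree can ship its own key plus re-signed envelopes and the DSSE check then only proves self-consistency, not provenance. Pin the trust anchor outside the verified tree, for example by pinning the expected key's digest in the script and checking `if hashlib.sha256(pub).hexdigest() != EXPECTED_KEY_SHA256: raise SystemExit("ed25519.pub does not match the pinned key")` right after `pub` is decoded (with `EXPECTED_KEY_SHA256` a constant the operator fills in, and `hashlib` added to the import line). Separately, `verifier.verify(sig, pae(...))` raises `cryptography.exceptions.InvalidSignature` uncaught, so a bad signature ends in a traceback instead of the `{name}: ...` messages the other failure paths use; wrapping it as `except InvalidSignature: raise SystemExit(f"{name}: signature verification failed")` keeps the reporting uniform. Note also that only `envelope["signatures"][0]` is checked, so an envelope with several signatures is rejected if the matching one is not first; whether that is acceptable depends on how the envelopes are produced, which is not visible here.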