feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
- Introduced a new VEX compact fixture for testing purposes. - Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests. - Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations. - Documented tasks related to the Mirror Creator. - Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs. - Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases. - Added tests for symbol ID normalization in the reachability scanner. - Enhanced console status service with comprehensive unit tests for connection handling and error recovery. - Included Cosign tool version 2.6.0 with checksums for various platforms.
15
out/mirror/thin/milestone.json
Normal file
15
out/mirror/thin/milestone.json
Normal file
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"created": "2025-12-02T18:08:34Z",
|
||||
"manifest": {"path": "mirror-thin-v1.manifest.json", "sha256": "1affb0b796ff037117b46aa1f1d8056a9c80755e925af058ea72132ba158becf"},
|
||||
"tarball": {"path": "mirror-thin-v1.tar.gz", "sha256": "fb1ce26388a1f1ab2eb90aae6d63ac05de326fbbd947fbf7a17b980232c9fc7d"},
|
||||
"dsse": {"path": "mirror-thin-v1.manifest.dsse.json", "sha256": "f4a2a99fdfa60b3bd98daf88faabcf5d525b7f4a40fad606a502c3e25f9b2a7f"},
|
||||
"bundle": {"path": "mirror-thin-v1.bundle.json", "sha256": "a3b16f5d1b74ffdf9aedbbfe9282d368dc3dcf70676c8ac7e8cdd984162e7f90"},
|
||||
"bundle_dsse": {"path": "mirror-thin-v1.bundle.dsse.json", "sha256": "5fd3025c03cc4c19708eeec8feaa129a4e567dcefd06cb01f251a38590f76dde"},
|
||||
"time_anchor": null
|
||||
,"policies": {
|
||||
"transport": {"path": "transport-plan.json", "sha256": "df82a56d9bacb00a1882f5d6d9f9ba469b62b89bd949899b7049e123c1e65914"},
|
||||
"rekor": {"path": "rekor-policy.json", "sha256": "652df157628db73e9aa0110e7390f8773319c24530e00873afcfdf972644717e"},
|
||||
"mirror": {"path": "mirror-policy.json", "sha256": "d7059d4b9e7e207f2420520bf73cf69b644eec0e866f039a1f7d0dc2b3bc1192"},
|
||||
"offline": {"path": "offline-kit-policy.json", "sha256": "ae2513f9768f3f7c0b0994b54f539b2a933e1e851c25c26c8fe46fd963d90579"}
|
||||
}
|
||||
}
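Review bot: `"time_anchor": null` contradicts the artifacts this file points at — mirror-thin-v1.bundle.json records `time_anchor` at `time-anchor.json` with sha256 c27a0fb0… and the manifest lists a `layers/time-anchor.json` layer — so a consumer that reads only milestone.json cannot locate or pin the anchor, and the "MS4 time-anchor freshness enforced" item is unverifiable from this file. Record it like the other entries, `"time_anchor": {"path": "time-anchor.json", "sha256": "c27a0fb0dfa8a9558aaabf8011040abcd4170cf62e36d16b5b1767368f7828ff"}`, assuming the bundle's value is the authoritative one. The detached leading comma on `,"policies": {` suggests this file is assembled by string concatenation rather than emitted by a JSON serializer; use the same serializer as the layer files so key order and escaping stay deterministic and a malformed document cannot slip through. Nothing in the commit signs or hashes milestone.json itself, so it should be treated as an unsigned pointer into the DSSE-covered artifacts, not as a trust anchor.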
|
||||
10
out/mirror/thin/mirror-thin-v1.bundle.dsse.json
Normal file
10
out/mirror/thin/mirror-thin-v1.bundle.dsse.json
Normal file
File diff suppressed because one or more lines are too long
117
out/mirror/thin/mirror-thin-v1.bundle.json
Normal file
117
out/mirror/thin/mirror-thin-v1.bundle.json
Normal file
@@ -0,0 +1,117 @@
|
||||
{
|
||||
"artifacts": {
|
||||
"artifact_hashes": {
|
||||
"path": "artifact-hashes.json",
|
||||
"sha256": "55f24bdc3d28a5596f4f8a36292820356de50aa2e9c5c2fb81397bfe2891ca4d"
|
||||
},
|
||||
"bundle_dsse": {
|
||||
"path": "mirror-thin-v1.bundle.dsse.json",
|
||||
"sha256": null
|
||||
},
|
||||
"bundle_meta": {
|
||||
"path": "mirror-thin-v1.bundle.json",
|
||||
"sha256": null
|
||||
},
|
||||
"manifest": {
|
||||
"path": "mirror-thin-v1.manifest.json",
|
||||
"sha256": "1affb0b796ff037117b46aa1f1d8056a9c80755e925af058ea72132ba158becf"
|
||||
},
|
||||
"manifest_dsse": {
|
||||
"path": "mirror-thin-v1.manifest.dsse.json",
|
||||
"sha256": null
|
||||
},
|
||||
"mirror_policy": {
|
||||
"path": "mirror-policy.json",
|
||||
"sha256": "d7059d4b9e7e207f2420520bf73cf69b644eec0e866f039a1f7d0dc2b3bc1192"
|
||||
},
|
||||
"oci_index": {
|
||||
"path": "oci/index.json",
|
||||
"sha256": "5daf8024f0f3b37c2077497c54ac3d7bda4aaed59b3c47c605c535662f7a53a5"
|
||||
},
|
||||
"offline_policy": {
|
||||
"path": "offline-kit-policy.json",
|
||||
"sha256": "ae2513f9768f3f7c0b0994b54f539b2a933e1e851c25c26c8fe46fd963d90579"
|
||||
},
|
||||
"rekor_policy": {
|
||||
"path": "rekor-policy.json",
|
||||
"sha256": "652df157628db73e9aa0110e7390f8773319c24530e00873afcfdf972644717e"
|
||||
},
|
||||
"tarball": {
|
||||
"path": "mirror-thin-v1.tar.gz",
|
||||
"sha256": "fb1ce26388a1f1ab2eb90aae6d63ac05de326fbbd947fbf7a17b980232c9fc7d"
|
||||
},
|
||||
"time_anchor": {
|
||||
"path": "time-anchor.json",
|
||||
"sha256": "c27a0fb0dfa8a9558aaabf8011040abcd4170cf62e36d16b5b1767368f7828ff"
|
||||
},
|
||||
"transport_plan": {
|
||||
"path": "transport-plan.json",
|
||||
"sha256": "df82a56d9bacb00a1882f5d6d9f9ba469b62b89bd949899b7049e123c1e65914"
|
||||
}
|
||||
},
|
||||
"bundle": "mirror-thin-v1",
|
||||
"chain_of_custody": [
|
||||
{
|
||||
"sha256": "dd11c674629fe94bf37ac9a29d7ae32241f6a17815bb275532d9a78b3d851049",
|
||||
"step": "build",
|
||||
"tool": "make-thin-v1.sh"
|
||||
},
|
||||
{
|
||||
"key_present": true,
|
||||
"keyid": "db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8",
|
||||
"step": "sign",
|
||||
"tool": "sign_thin_bundle.py"
|
||||
}
|
||||
],
|
||||
"checkpoint_freshness_seconds": 86400,
|
||||
"chunk_size_bytes": 5242880,
|
||||
"created": "2025-12-02T18:08:34Z",
|
||||
"environment": "lab",
|
||||
"gaps": {
|
||||
"ms": [
|
||||
"MS1 mirror schema versioned in mirror-policy.json",
|
||||
"MS2 DSSE/TUF rotation days recorded",
|
||||
"MS3 delta spec includes tombstones + base hash",
|
||||
"MS4 time-anchor freshness enforced",
|
||||
"MS5 tenant/env scoping captured",
|
||||
"MS6 distribution integrity rules documented",
|
||||
"MS7 chunking/size rules recorded",
|
||||
"MS8 verify script pinned",
|
||||
"MS9 metrics/alerts required",
|
||||
"MS10 semver/changelog noted"
|
||||
],
|
||||
"ok": [
|
||||
"OK1 key manifest + PQ co-sign recorded in offline-kit-policy.json",
|
||||
"OK2 tool hashing captured in bundle_meta.tooling",
|
||||
"OK3 DSSE top-level manifest planned via bundle.dsse",
|
||||
"OK4 checkpoint freshness enforced with checkpoint_freshness_seconds",
|
||||
"OK5 deterministic packaging flags recorded in offline-kit-policy.json",
|
||||
"OK6 scan/VEX/policy/graph hashes captured in artifact-hashes.json",
|
||||
"OK7 time anchor bundled as layers/time-anchor.json",
|
||||
"OK8 transport + chunking defined in transport-plan.json",
|
||||
"OK9 tenant/environment scoping recorded in bundle meta",
|
||||
"OK10 scripted verify path is scripts/mirror/verify_thin_bundle.py"
|
||||
],
|
||||
"rk": [
|
||||
"RK1 enforce dsse/hashedrekord policy in rekor-policy.json",
|
||||
"RK2 payload size preflight rk2_payloadMaxBytes",
|
||||
"RK3 routing policy for public/private recorded",
|
||||
"RK4 shard-aware checkpoints per-tenant-per-day",
|
||||
"RK5 idempotent submission keys enabled",
|
||||
"RK6 Sigstore bundle inclusion flagged true",
|
||||
"RK7 checkpoint freshness seconds recorded",
|
||||
"RK8 PQ dual-sign toggle matches pqDualSign",
|
||||
"RK9 error taxonomy enumerated",
|
||||
"RK10 policy/graph annotations required"
|
||||
]
|
||||
},
|
||||
"pq_cosign_required": false,
|
||||
"tenant": "tenant-demo",
|
||||
"tooling": {
|
||||
"make_thin_v1_sh": "dd11c674629fe94bf37ac9a29d7ae32241f6a17815bb275532d9a78b3d851049",
|
||||
"sign_script": "30268f3b6d11a1108a8cb5a5ebc9723c34a67cf1e12944b1014cc76965619b73",
|
||||
"verify_oci": "04b6b0424a725d2081275e67820c580b532646fd640ee9bf62bc75bc7554eb77",
|
||||
"verify_script": "0794f79851bd71c0e07425e6928f038286957f3babc95ca66660acb6c5d8c31b"
|
||||
},
|
||||
"version": "1.0.0"
|
||||
}
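Review bot: `"manifest_dsse": {… "sha256": null}` leaves the manifest's DSSE envelope unpinned by the signed bundle metadata, even though milestone.json already records its digest (f4a2a99f…) and the envelope is presumably produced before this file; only `bundle_meta` and `bundle_dsse` are genuinely self-referential and need the null. Fill it in with `"sha256": "f4a2a99fdfa60b3bd98daf88faabcf5d525b7f4a40fad606a502c3e25f9b2a7f"` (if the milestone value is computed over the same file) so a verifier that trusts bundle.dsse can also check the manifest envelope it was handed. The `"sign"` custody step records only `keyid` and `key_present`; unlike transport-plan.json it omits the signing tool's digest, so add a `"tool_sha256"` matching `tooling.sign_script` for parity. Placing the `ok` list under `"gaps"` reads as if those items were outstanding — a neutral key such as `"checklist"` would avoid the misreading.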
|
||||
1
out/mirror/thin/mirror-thin-v1.bundle.json.sha256
Normal file
1
out/mirror/thin/mirror-thin-v1.bundle.json.sha256
Normal file
@@ -0,0 +1 @@
|
||||
a3b16f5d1b74ffdf9aedbbfe9282d368dc3dcf70676c8ac7e8cdd984162e7f90 mirror-thin-v1.bundle.json
|
||||
@@ -1,10 +1,10 @@
|
||||
{
|
||||
"payload": "ewogICJjcmVhdGVkIjogIjIwMjUtMTEtMjNUMDA6MDA6MDBaIiwKICAiaW5kZXhlcyI6IFsKICAgIHsKICAgICAgImRpZ2VzdCI6ICJzaGEyNTY6YjY0YzdlNWQ0NDA4YTEwMDMxMWVjOGZhYmM3NmI5ZTUyNTE2NWUyMWRmZmMzZjQ2NDFhZjc5YjlhYTQ0MzNjOSIsCiAgICAgICJuYW1lIjogIm9ic2VydmF0aW9ucy5pbmRleCIKICAgIH0KICBdLAogICJsYXllcnMiOiBbCiAgICB7CiAgICAgICJkaWdlc3QiOiAic2hhMjU2OmZkM2NlNTA0OTdjYmQyMDNkZjIyY2QyZmQxNDY0NmIxYWFjODU4ODRlZDE2MzIxNWE3OWM2MjA3MzAxMjQ1ZDYiLAogICAgICAicGF0aCI6ICJsYXllcnMvb2JzZXJ2YXRpb25zLm5kanNvbiIsCiAgICAgICJzaXplIjogMzEwCiAgICB9LAogICAgewogICAgICAiZGlnZXN0IjogInNoYTI1NjpjMjdhMGZiMGRmYThhOTU1OGFhYWJmODAxMTA0MGFiY2Q0MTcwY2Y2MmUzNmQxNmI1YjE3NjczNjhmNzgyOGZmIiwKICAgICAgInBhdGgiOiAibGF5ZXJzL3RpbWUtYW5jaG9yLmpzb24iLAogICAgICAic2l6ZSI6IDMyMgogICAgfQogIF0sCiAgInZlcnNpb24iOiAiMS4wLjAiCn0K",
|
||||
"payload": "ewogICJjcmVhdGVkIjogIjIwMjUtMTItMDJUMTg6MDg6MzRaIiwKICAiaW5kZXhlcyI6IFsKICAgIHsKICAgICAgImRpZ2VzdCI6ICJzaGEyNTY6YjY0YzdlNWQ0NDA4YTEwMDMxMWVjOGZhYmM3NmI5ZTUyNTE2NWUyMWRmZmMzZjQ2NDFhZjc5YjlhYTQ0MzNjOSIsCiAgICAgICJuYW1lIjogIm9ic2VydmF0aW9ucy5pbmRleCIKICAgIH0KICBdLAogICJsYXllcnMiOiBbCiAgICB7CiAgICAgICJkaWdlc3QiOiAic2hhMjU2OjU1ZjI0YmRjM2QyOGE1NTk2ZjRmOGEzNjI5MjgyMDM1NmRlNTBhYTJlOWM1YzJmYjgxMzk3YmZlMjg5MWNhNGQiLAogICAgICAicGF0aCI6ICJsYXllcnMvYXJ0aWZhY3QtaGFzaGVzLmpzb24iLAogICAgICAic2l6ZSI6IDU5MgogICAgfSwKICAgIHsKICAgICAgImRpZ2VzdCI6ICJzaGEyNTY6ZDcwNTlkNGI5ZTdlMjA3ZjI0MjA1MjBiZjczY2Y2OWI2NDRlZWMwZTg2NmYwMzlhMWY3ZDBkYzJiM2JjMTE5MiIsCiAgICAgICJwYXRoIjogImxheWVycy9taXJyb3ItcG9saWN5Lmpzb24iLAogICAgICAic2l6ZSI6IDY2NQogICAgfSwKICAgIHsKICAgICAgImRpZ2VzdCI6ICJzaGEyNTY6ZmQzY2U1MDQ5N2NiZDIwM2RmMjJjZDJmZDE0NjQ2YjFhYWM4NTg4NGVkMTYzMjE1YTc5YzYyMDczMDEyNDVkNiIsCiAgICAgICJwYXRoIjogImxheWVycy9vYnNlcnZhdGlvbnMubmRqc29uIiwKICAgICAgInNpemUiOiAzMTAKICAgIH0sCiAgICB7CiAgICAgICJkaWdlc3QiOiAic2hhMjU2OmFlMjUxM2Y5NzY4ZjNmN2MwYjA5OTRiNTRmNTM5YjJhOTMzZTFlODUxYzI1YzI2YzhmZTQ2ZmQ5NjNkOTA1NzkiLAogICAgICAicGF0aCI6ICJsYXllcnMvb2ZmbGluZS1raXQtcG9saWN5Lmpzb24iLAogICAgICAic2l6ZSI6IDU0NAogICAgfSwKICAgIHsKICAgICAgImRpZ2VzdCI6ICJzaGEyNTY6NjUyZGYxNTc2MjhkYjczZTlhYTAxMTBlNzM5MGY4NzczMzE5YzI0NTMwZTAwODczYWZjZmRmOTcyNjQ0NzE3ZSIsCiAgICAgICJwYXRoIjogImxheWVycy9yZWtvci1wb2xpY3kuanNvbiIsCiAgICAgICJzaXplIjogNDY1CiAgICB9LAogICAgewogICAgICAiZGlnZXN0IjogInNoYTI1NjpjMjdhMGZiMGRmYThhOTU1OGFhYWJmODAxMTA0MGFiY2Q0MTcwY2Y2MmUzNmQxNmI1YjE3NjczNjhmNzgyOGZmIiwKICAgICAgInBhdGgiOiAibGF5ZXJzL3RpbWUtYW5jaG9yLmpzb24iLAogICAgICAic2l6ZSI6IDMyMgogICAgfSwKICAgIHsKICAgICAgImRpZ2VzdCI6ICJzaGEyNTY6ZGY4MmE1NmQ5YmFjYjAwYTE4ODJmNWQ2ZDlmOWJhNDY5YjYyYjg5YmQ5NDk4OTliNzA0OWUxMjNjMWU2NTkxNCIsCiAgICAgICJwYXRoIjogImxheWVycy90cmFuc3BvcnQtcGxhbi5qc29uIiwKICAgICAgInNpemUiOiA3NDEKICAgIH0KICBdLAogICJ2ZXJzaW9uIjogIjEuMC4wIgp9Cg",
|
||||
"payloadType": "application/vnd.stellaops.mirror.manifest+json",
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8",
|
||||
"sig": "EC7tbq5zlHqUfidvkT-Q1yfmiTJs9KUdpnvs9jCBJXsxzIyB1hzfdh-7FNPi3pFSrzV6cDh47cWvWmMR_ypgDw"
|
||||
"sig": "f3XR6taW0E9gAkBEYPgxsWEI2cO28-1zA4XhcepzXm3FJ7Ii8ksfp_nFWH1m4JT4JRUK5tRcc8X4Bw_SSRRkDg"
|
||||
}
|
||||
]
|
||||
}
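Review bot: The envelope records only a `keyid` (db9928…) and a 64-byte `sig`; DSSE carries no algorithm field and 64 bytes fits Ed25519 and raw P-256 ECDSA equally, so the verify script must obtain both the public key and the algorithm from a pinned key manifest rather than from this file — none of the policy files in this commit list one. Verification should also decode `payload`, check it is byte-identical to mirror-thin-v1.manifest.json and that its sha256 equals `manifest.sha256` in milestone.json (1affb0b7…), so this envelope cannot be paired with a different manifest of the same name. The verifier must additionally assert the expected `payloadType` (`application/vnd.stellaops.mirror.manifest+json`); since the same key signs the bundle envelope, a verifier that accepts any payloadType would take a validly signed bundle envelope in place of a manifest one. The new `payload` decodes to `"created": "2025-12-02T18:08:34Z"`, consistent with milestone.json.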
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"created": "2025-11-23T00:00:00Z",
|
||||
"created": "2025-12-02T18:08:34Z",
|
||||
"indexes": [
|
||||
{
|
||||
"digest": "sha256:b64c7e5d4408a100311ec8fabc76b9e525165e21dffc3f4641af79b9aa4433c9",
|
||||
@@ -7,15 +7,40 @@
|
||||
}
|
||||
],
|
||||
"layers": [
|
||||
{
|
||||
"digest": "sha256:55f24bdc3d28a5596f4f8a36292820356de50aa2e9c5c2fb81397bfe2891ca4d",
|
||||
"path": "layers/artifact-hashes.json",
|
||||
"size": 592
|
||||
},
|
||||
{
|
||||
"digest": "sha256:d7059d4b9e7e207f2420520bf73cf69b644eec0e866f039a1f7d0dc2b3bc1192",
|
||||
"path": "layers/mirror-policy.json",
|
||||
"size": 665
|
||||
},
|
||||
{
|
||||
"digest": "sha256:fd3ce50497cbd203df22cd2fd14646b1aac85884ed163215a79c6207301245d6",
|
||||
"path": "layers/observations.ndjson",
|
||||
"size": 310
|
||||
},
|
||||
{
|
||||
"digest": "sha256:ae2513f9768f3f7c0b0994b54f539b2a933e1e851c25c26c8fe46fd963d90579",
|
||||
"path": "layers/offline-kit-policy.json",
|
||||
"size": 544
|
||||
},
|
||||
{
|
||||
"digest": "sha256:652df157628db73e9aa0110e7390f8773319c24530e00873afcfdf972644717e",
|
||||
"path": "layers/rekor-policy.json",
|
||||
"size": 465
|
||||
},
|
||||
{
|
||||
"digest": "sha256:c27a0fb0dfa8a9558aaabf8011040abcd4170cf62e36d16b5b1767368f7828ff",
|
||||
"path": "layers/time-anchor.json",
|
||||
"size": 322
|
||||
},
|
||||
{
|
||||
"digest": "sha256:df82a56d9bacb00a1882f5d6d9f9ba469b62b89bd949899b7049e123c1e65914",
|
||||
"path": "layers/transport-plan.json",
|
||||
"size": 741
|
||||
}
|
||||
],
|
||||
"version": "1.0.0"
|
||||
|
||||
@@ -1 +1 @@
|
||||
b0e5d5af5b560d1b24cf44c2325e7f90d486857f347f34826b9f06aa217c5a6a mirror-thin-v1.manifest.json
|
||||
1affb0b796ff037117b46aa1f1d8056a9c80755e925af058ea72132ba158becf mirror-thin-v1.manifest.json
|
||||
|
||||
Binary file not shown.
@@ -1 +1 @@
|
||||
1ef17d14c09e74703b88753d6c561d8c8a8809fe8e05972257adadfb91b71723 mirror-thin-v1.tar.gz
|
||||
fb1ce26388a1f1ab2eb90aae6d63ac05de326fbbd947fbf7a17b980232c9fc7d mirror-thin-v1.tar.gz
|
||||
|
||||
Binary file not shown.
@@ -3,8 +3,8 @@
|
||||
"manifests": [
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||
"digest": "sha256:f6bd80fe9d346e7306c69832e29180346454005a0751c77ae2ebb7332be94642",
|
||||
"size": 485,
|
||||
"digest": "sha256:0074121d4adef7dc8181607645af330a475608b0d52909e0efd421508f14437d",
|
||||
"size": 486,
|
||||
"annotations": {"org.opencontainers.image.ref.name": "mirror-thin-v1"}
|
||||
}
|
||||
]
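Review bot: The index references the bundle manifest by digest but carries no link to the DSSE envelopes or any signing metadata, while mirror-policy.json declares `"oci": "tuf+dsse"` as the integrity rule for this channel; as shipped, an OCI consumer can verify layer digests but not a signature. If the envelopes are meant to travel through the registry, attach them as a referrer artifact or at minimum record their digests in the annotations, e.g. `"org.stellaops.bundle.manifest-dsse": "sha256:…"`, so the verify script can fetch and check them from the registry alone. `org.opencontainers.image.ref.name` is a mutable tag by convention; consumers should resolve by the `digest` on the line above and treat the name as a hint only.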
|
||||
|
||||
@@ -8,8 +8,8 @@
|
||||
"layers": [
|
||||
{
|
||||
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
|
||||
"size": 830,
|
||||
"digest": "sha256:1ef17d14c09e74703b88753d6c561d8c8a8809fe8e05972257adadfb91b71723",
|
||||
"size": 2468,
|
||||
"digest": "sha256:fb1ce26388a1f1ab2eb90aae6d63ac05de326fbbd947fbf7a17b980232c9fc7d",
|
||||
"annotations": {"org.stellaops.bundle.type": "mirror-thin-v1"}
|
||||
}
|
||||
]
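Review bot: The bundle tarball is published with `mediaType` `application/vnd.oci.image.layer.v1.tar+gzip`, which tells registries and runtimes this is a runnable image layer; tooling that pulls the index by `ref.name` may try to unpack it as a rootfs rather than treat it as an opaque artifact. Since the annotation already identifies it as `mirror-thin-v1`, use a vendor media type for the layer, e.g. `"mediaType": "application/vnd.stellaops.mirror.bundle.layer.v1.tar+gzip"`, and where the registry supports OCI 1.1 set `artifactType` on the manifest so the content is never mistaken for an image. The `digest` here matches the tarball sha256 recorded in milestone.json and bundle.json (fb1ce263…), which is the one cross-check this hunk supports; the verify script should assert `size` against the file as well. The manifest's `config` and header lie outside this hunk.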
|
||||
|
||||
20
out/mirror/thin/stage-v1/layers/artifact-hashes.json
Normal file
20
out/mirror/thin/stage-v1/layers/artifact-hashes.json
Normal file
@@ -0,0 +1,20 @@
|
||||
{
|
||||
"artifacts": {
|
||||
"graph": {
|
||||
"digest": "sha256:652df157628db73e9aa0110e7390f8773319c24530e00873afcfdf972644717e",
|
||||
"id": "graph-fixture-1"
|
||||
},
|
||||
"policy": {
|
||||
"digest": "sha256:d7059d4b9e7e207f2420520bf73cf69b644eec0e866f039a1f7d0dc2b3bc1192",
|
||||
"id": "policy-fixture-1"
|
||||
},
|
||||
"scan": {
|
||||
"digest": "sha256:fd3ce50497cbd203df22cd2fd14646b1aac85884ed163215a79c6207301245d6",
|
||||
"id": "scan-fixture-1"
|
||||
},
|
||||
"vex": {
|
||||
"digest": "sha256:fd3ce50497cbd203df22cd2fd14646b1aac85884ed163215a79c6207301245d6",
|
||||
"id": "vex-fixture-1"
|
||||
}
|
||||
}
|
||||
}
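Review bot: The four "artifact" digests are not hashes of distinct scan/VEX/graph/policy artifacts — `scan` and `vex` share sha256:fd3ce504…, which is the `layers/observations.ndjson` digest in the manifest, `graph` equals the `rekor-policy.json` layer digest and `policy` equals the `mirror-policy.json` layer digest — so checklist item "OK6 scan/VEX/policy/graph hashes captured" is met only nominally and a verifier comparing these values passes trivially. If this is an intentional lab placeholder, mark it in the file (`"fixture": true`) so nobody promotes it into a production bundle; otherwise each entry needs a `path` naming the artifact it hashes so the mapping is checkable. Without a path, the identical digests cannot be distinguished from a copy-paste error at review time.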
|
||||
15
out/mirror/thin/stage-v1/layers/mirror-policy.json
Normal file
15
out/mirror/thin/stage-v1/layers/mirror-policy.json
Normal file
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"schemaVersion": "mirror-thin-v1",
|
||||
"semver": "1.0.0",
|
||||
"dsseTufRotationDays": 30,
|
||||
"pqDualSign": false,
|
||||
"delta": {"tombstones": true, "baseHashRequired": true},
|
||||
"timeAnchorFreshnessSeconds": 86400,
|
||||
"tenantScope": "tenant-demo",
|
||||
"environment": "lab",
|
||||
"distributionIntegrity": {"http": "sha256+dsse", "oci": "tuf+dsse", "object": "checksum+length"},
|
||||
"chunking": {"sizeBytes": 5242880, "maxChunks": 128},
|
||||
"verifyScript": "scripts/mirror/verify_thin_bundle.py",
|
||||
"metrics": {"build": "required", "import": "required", "verify": "required"},
|
||||
"changelog": {"current": "mirror-thin-v1", "notes": "Adds offline/rekor policy coverage (MS1-MS10)"}
|
||||
}
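Review bot: `"verifyScript": "scripts/mirror/verify_thin_bundle.py"` records only a path, so "MS8 verify script pinned" is met by name rather than by content; the script's digest lives only in bundle.json `tooling.verify_script` (0794f798…), which this policy does not reference. Add it alongside the path, `"verifyScriptSha256": "0794f79851bd71c0e07425e6928f038286957f3babc95ca66660acb6c5d8c31b"`, and have the build fail if it disagrees with the bundle meta. Separately, `"object": "checksum+length"` makes object storage the one channel with no signature requirement; a checksum delivered next to the object is only as trustworthy as the object unless it is one of the digests covered by the DSSE-signed manifest, which the policy should state explicitly (e.g. `"object": "checksum+length (digest from signed manifest)"`).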
|
||||
14
out/mirror/thin/stage-v1/layers/offline-kit-policy.json
Normal file
14
out/mirror/thin/stage-v1/layers/offline-kit-policy.json
Normal file
@@ -0,0 +1,14 @@
|
||||
{
|
||||
"okVersion": "1.0.0",
|
||||
"keyManifest": {"rotationDays": 90, "pqCosignAllowed": false},
|
||||
"toolHashing": true,
|
||||
"topLevelDsse": true,
|
||||
"checkpointFreshnessSeconds": 86400,
|
||||
"deterministicFlags": ["tar --sort=name --owner=0 --group=0 --numeric-owner --mtime=1970-01-01", "gzip -n"],
|
||||
"contentHashes": "layers/artifact-hashes.json",
|
||||
"timeAnchorPath": "layers/time-anchor.json",
|
||||
"transportPlan": "layers/transport-plan.json",
|
||||
"tenant": "tenant-demo",
|
||||
"environment": "lab",
|
||||
"verifyScript": "scripts/mirror/verify_thin_bundle.py"
|
||||
}
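Review bot: `"keyManifest": {"rotationDays": 90, "pqCosignAllowed": false}` is a rotation policy, not a key manifest — it lists no keyids, public keys or algorithms, so the keyid db9928… used by every DSSE envelope in this commit has no trust root an offline verifier can pin, and "OK1 key manifest … recorded in offline-kit-policy.json" is only nominally met. Add the keys here or point to a bundled layer that holds them, e.g. `"keys": [{"keyid": "db9928…", "algorithm": "<alg>", "publicKey": "<base64>", "validFrom": "…"}]`, and have the verify script refuse envelopes whose keyid is absent from that list; `rotationDays` only becomes enforceable once `validFrom` exists to compare against the manifest `created`. The `deterministicFlags` are shell fragments rather than structured fields; if they are executed by the build, note that `--sort=name` requires GNU tar ≥ 1.28 and consider pinning `--format` too, since archive bytes can otherwise differ across tar versions and break the recorded tarball digest.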
|
||||
12
out/mirror/thin/stage-v1/layers/rekor-policy.json
Normal file
12
out/mirror/thin/stage-v1/layers/rekor-policy.json
Normal file
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"rk1_enforceDsse": true,
|
||||
"rk2_payloadMaxBytes": 1048576,
|
||||
"rk3_routing": {"public": "hashedrekord", "private": "hashedrekord"},
|
||||
"rk4_shardCheckpoint": "per-tenant-per-day",
|
||||
"rk5_idempotentKeys": true,
|
||||
"rk6_sigstoreBundleIncluded": true,
|
||||
"rk7_checkpointFreshnessSeconds": 86400,
|
||||
"rk8_pqDualSign": false,
|
||||
"rk9_errorTaxonomy": ["quota", "payload-too-large", "invalid-signature", "stale-checkpoint"],
|
||||
"rk10_annotations": ["policy", "graph-edge"]
|
||||
}
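Review bot: `rk1_enforceDsse: true` combined with `rk3_routing` sending both public and private submissions as `hashedrekord` means Rekor only records an artifact hash, signature and public key — not the DSSE envelope — so an inclusion proof cannot show which `payloadType` or payload was signed and does not tie back to the mirror manifest envelope. If RK1 intends the envelope itself to be logged, route to the `dsse` (or `intoto`) entry kind, e.g. `"rk3_routing": {"public": "dsse", "private": "dsse"}`; otherwise document that the hashedrekord hash is over the envelope bytes and have the verifier recompute it. Encoding requirement IDs in key names (`rk1_…`, `rk10_…`) ties the schema to the checklist numbering; plain keys plus a `requirement` annotation would survive renumbering.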
|
||||
11
out/mirror/thin/stage-v1/layers/transport-plan.json
Normal file
11
out/mirror/thin/stage-v1/layers/transport-plan.json
Normal file
@@ -0,0 +1,11 @@
|
||||
{
|
||||
"chunkSizeBytes": 5242880,
|
||||
"compression": "gzip",
|
||||
"checkpointFreshnessSeconds": 86400,
|
||||
"chainOfCustody": [
|
||||
{"step": "build", "actor": "make-thin-v1.sh", "evidence": "sha256:dd11c674629fe94bf37ac9a29d7ae32241f6a17815bb275532d9a78b3d851049", "negativePaths": ["missing-layer", "non-deterministic-tar"]},
|
||||
{"step": "sign", "actor": "sign_thin_bundle.py", "expectedEnvelope": "mirror-thin-v1.manifest.dsse.json", "keyid": "db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8", "toolDigest": "sha256:30268f3b6d11a1108a8cb5a5ebc9723c34a67cf1e12944b1014cc76965619b73"}
|
||||
],
|
||||
"chunking": {"maxChunks": 128, "strategy": "deterministic-size"},
|
||||
"ingest": {"expectedLatencySeconds": 120, "retryPolicy": "exponential"}
|
||||
}
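Review bot: `checkpointFreshnessSeconds: 86400` is the fifth independent copy of this value in the commit (bundle.json, mirror-policy.json `timeAnchorFreshnessSeconds`, offline-kit-policy.json, rekor-policy.json `rk7_…`), with nothing declaring which one the verifier honours; if one is tightened and the others are not, a bundle can pass under the lax copy while the signed policy says otherwise. Make the signed mirror-policy layer authoritative and have make-thin-v1.sh derive the rest, or have the verify script assert all copies agree and fail on drift. `"retryPolicy": "exponential"` has no cap; add `"maxAttempts"` and `"maxBackoffSeconds"` so an unreachable ingest endpoint does not retry indefinitely. The build step's `evidence` value is the script's own hash (it equals `tooling.make_thin_v1_sh` in bundle.json), not an attestation of its output — rename it `toolDigest` to match the sign step so readers do not mistake it for proof of provenance.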
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"created": "2025-11-23T00:00:00Z",
|
||||
"created": "2025-12-02T18:08:34Z",
|
||||
"indexes": [
|
||||
{
|
||||
"digest": "sha256:b64c7e5d4408a100311ec8fabc76b9e525165e21dffc3f4641af79b9aa4433c9",
|
||||
@@ -7,15 +7,40 @@
|
||||
}
|
||||
],
|
||||
"layers": [
|
||||
{
|
||||
"digest": "sha256:55f24bdc3d28a5596f4f8a36292820356de50aa2e9c5c2fb81397bfe2891ca4d",
|
||||
"path": "layers/artifact-hashes.json",
|
||||
"size": 592
|
||||
},
|
||||
{
|
||||
"digest": "sha256:d7059d4b9e7e207f2420520bf73cf69b644eec0e866f039a1f7d0dc2b3bc1192",
|
||||
"path": "layers/mirror-policy.json",
|
||||
"size": 665
|
||||
},
|
||||
{
|
||||
"digest": "sha256:fd3ce50497cbd203df22cd2fd14646b1aac85884ed163215a79c6207301245d6",
|
||||
"path": "layers/observations.ndjson",
|
||||
"size": 310
|
||||
},
|
||||
{
|
||||
"digest": "sha256:ae2513f9768f3f7c0b0994b54f539b2a933e1e851c25c26c8fe46fd963d90579",
|
||||
"path": "layers/offline-kit-policy.json",
|
||||
"size": 544
|
||||
},
|
||||
{
|
||||
"digest": "sha256:652df157628db73e9aa0110e7390f8773319c24530e00873afcfdf972644717e",
|
||||
"path": "layers/rekor-policy.json",
|
||||
"size": 465
|
||||
},
|
||||
{
|
||||
"digest": "sha256:c27a0fb0dfa8a9558aaabf8011040abcd4170cf62e36d16b5b1767368f7828ff",
|
||||
"path": "layers/time-anchor.json",
|
||||
"size": 322
|
||||
},
|
||||
{
|
||||
"digest": "sha256:df82a56d9bacb00a1882f5d6d9f9ba469b62b89bd949899b7049e123c1e65914",
|
||||
"path": "layers/transport-plan.json",
|
||||
"size": 741
|
||||
}
|
||||
],
|
||||
"version": "1.0.0"
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8",
|
||||
"sig": "ZUXDqV5hn0cuZlOOEUZdpD474mc0bkJu4-LyBPNYwU3YkZufT2eXKM-QHksF4JoXgywbY9QD8qhnsEh05xoKBg"
|
||||
"sig": "b9UQWxXZnpsltfVLch4KVKWitgd6ZHTOPvUp0w-e5Gbm8MY6ZBaM-JLP-lwLuiJQMgbhuOlzDVzLbgQoYsbzBw"
|
||||
}
|
||||
],
|
||||
"spec_version": "1.0.31",
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8",
|
||||
"sig": "Z2FtwGRtVhQNvNZUxceUb3Ygj5KNqJGTOFIq8CxltBvMfmaAavWmMST0shir7p-7LI3-kBUMdPOKYlGxFip3AQ"
|
||||
"sig": "3zzhK_zR4cqN5GQ-WvsDE93He22enjx2oy9WdSxox6hw4rVMY-QhPnagMSRQKOxWVVPgPWNZOsJR8_LOi0H6Cw"
|
||||
}
|
||||
],
|
||||
"spec_version": "1.0.31",
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8",
|
||||
"sig": "SIKtu5qz3FYNQxittPQwwWUzQLRg9D6KpO3OKpxtZzrbD2S5corjRZg-JNymPzFoEbrm8i5b_p7sh6H44At-CQ"
|
||||
"sig": "HkXgkY5l9ACl1nNZ7Ll-hnVC_8Zo1QSWOb7Q74THnlYlDdpg_d-gnruFeOrIxXix18IGCICqrfKfnERoR-8EAw"
|
||||
}
|
||||
],
|
||||
"spec_version": "1.0.31",
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8",
|
||||
"sig": "C_4pXTUzKaVEZ0Dwtn2FlXxOsxcht8nF_vdWwVOMsYqwrqYriZgd4x_r2lq_RnI5QYxagEHGnEjD-6ztEeRMCg"
|
||||
"sig": "UKplo5ExWrbnIpxo31NjgDEW9xGVb_ypesrqjnpOornojmOUkZjN1rGmyHmhJGam6RoHAboX_KNZJUwIe-K4Dw"
|
||||
}
|
||||
],
|
||||
"spec_version": "1.0.31",
|
||||
|
||||