tests fixes and sprints work
36
docs/modules/cli/guides/trust-profiles.md
Normal file
@@ -0,0 +1,36 @@
|
||||
# Trust Profiles
|
||||
|
||||
Trust profiles are offline trust-store templates for bundle verification. They define trust roots, Rekor public keys, and TSA roots in a single file so operators can apply a profile into a local trust store.
|
||||
|
||||
Default profile location:
|
||||
- `etc/trust-profiles/*.trustprofile.json`
|
||||
- Assets referenced by profiles live under `etc/trust-profiles/assets/`
|
||||
|
||||
Profile structure (summary):
|
||||
- `profileId`: stable identifier (used by CLI commands)
|
||||
- `trustRoots[]`: signing trust roots (PEM files)
|
||||
- `rekorKeys[]`: Rekor public keys for offline inclusion proof verification
|
||||
- `tsaRoots[]`: TSA roots for RFC3161 verification
|
||||
- `metadata`: optional compliance metadata
|
||||
|
||||
CLI usage:
|
||||
- `stella trust-profile list`
|
||||
- `stella trust-profile show <profile-id>`
|
||||
- `stella trust-profile apply <profile-id> --output <dir>`
|
||||
|
||||
Profile lookup overrides:
|
||||
- `--profiles-dir <path>` to point at a custom profiles directory
|
||||
- `STELLAOPS_TRUST_PROFILES` environment variable for default lookup
|
||||
|
||||
Apply output:
|
||||
- `trust-manifest.json` (trust roots manifest for offline verification)
|
||||
- `trust-profile.json` (resolved profile copy)
|
||||
- `trust-root.pem` (combined trust roots for CLI verification)
|
||||
- `trust-roots/`, `rekor/`, `tsa/` folders with PEM assets
|
||||
|
||||
Example apply workflow:
|
||||
1. `stella trust-profile apply global --output ./trust-store`
|
||||
2. `stella bundle verify --trust-root ./trust-store/trust-root.pem`
|
||||
|
||||
Note:
|
||||
- Default profiles ship with placeholder roots for scaffolding only. Replace them with compliance-approved roots before production use.
|
||||
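Review bot: The "Example apply workflow" (steps 1 and 2) applies the shipped `global` profile and passes the resulting `trust-root.pem` straight to `stella bundle verify`, while the Note at the very end says default profiles ship with placeholder roots for scaffolding only. A reader who copies the two steps as written runs verification against those placeholder roots. Suggest moving the Note above the workflow, or adding a step between 1 and 2 for replacing the roots under the output directory, and saying what a verification result against the placeholder roots does and does not establish. Separately, under "Profile lookup overrides" the text does not say which source wins when both `--profiles-dir` and `STELLAOPS_TRUST_PROFILES` are set, nor what the relative path `etc/trust-profiles/` is resolved against; since these decide which trust anchors get loaded, the precedence and base directory should be stated.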