stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add signal contracts for reachability, exploitability, trust, and unknown symbols
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / sign-signals-artifacts (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / verify-signatures (push) Has been cancelled
Details

Browse Source 
- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.
This commit is contained in:
StellaOps Bot
2025-12-05 00:27:00 +02:00
parent b018949a8d
commit 8768c27f30
192 changed files with 27569 additions and 2552 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
tools/cosign/README.md
View File

@@ -16,12 +16,93 @@
- v3 verify: `cosign verify-blob --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml`
- To force offline fallback, export `PATH=./tools/cosign:$PATH` (ensures v2.6.0 is used).
## CI / secrets
## CI Workflow: signals-dsse-sign.yml
The `.gitea/workflows/signals-dsse-sign.yml` workflow automates DSSE signing for Signals artifacts.
### Required Secrets
| Secret | Description | Required |
|--------|-------------|----------|
| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key | Yes (for production) |
| `COSIGN_PASSWORD` | Password for the private key | If key is encrypted |
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker upload | Optional |
### Trigger Options
1. **Automatic**: On push to `main` when signals artifacts change
2. **Manual**: Via workflow_dispatch with options:
- `out_dir`: Output directory (default: `evidence-locker/signals/2025-12-01`)
- `allow_dev_key`: Set to `1` for testing with dev key
### Setting Up CI Secrets
```bash
# Generate production key pair (do this once, securely)
cosign generate-key-pair
# Base64 encode the private key
cat cosign.key | base64 -w0 > cosign.key.b64
# Add to Gitea secrets:
# - COSIGN_PRIVATE_KEY_B64: contents of cosign.key.b64
# - COSIGN_PASSWORD: password used during key generation
```
## CI / secrets (manual usage)
- CI should provide a base64-encoded private key via secret `COSIGN_PRIVATE_KEY_B64` and optional password in `COSIGN_PASSWORD`.
- Example bootstrap in jobs:
```bash
echo \"$COSIGN_PRIVATE_KEY_B64\" | base64 -d > /tmp/cosign.key
echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > /tmp/cosign.key
chmod 600 /tmp/cosign.key
COSIGN_PASSWORD=\"${COSIGN_PASSWORD:-}\" cosign version
COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" cosign version
```
- For local dev, copy your own key to `tools/cosign/cosign.key` or export `COSIGN_PRIVATE_KEY_B64` before running signing scripts. Never commit real keys; only `cosign.key.example` lives in git.
## Development signing key
A development key pair is provided for local testing and smoke tests:
| File | Description |
|------|-------------|
| `tools/cosign/cosign.dev.key` | Private key (password-protected) |
| `tools/cosign/cosign.dev.pub` | Public key for verification |
### Usage
```bash
# Sign signals artifacts with dev key
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
OUT_DIR=docs/modules/signals/dev-test \
tools/cosign/sign-signals.sh
# Verify a signature
cosign verify-blob \
--key tools/cosign/cosign.dev.pub \
--bundle docs/modules/signals/dev-test/confidence_decay_config.sigstore.json \
docs/modules/signals/decay/confidence_decay_config.yaml
```
### Security Notes
- Password: `stellaops-dev` (do not reuse elsewhere)
- **NOT** for production or Evidence Locker ingestion
- Real signing requires the Signals Guild key via `COSIGN_PRIVATE_KEY_B64` (CI) or `tools/cosign/cosign.key` (local drop-in)
- `sign-signals.sh` requires `COSIGN_ALLOW_DEV_KEY=1` to use the dev key; otherwise it refuses
- The signing helper disables tlog upload (`--tlog-upload=false`) and auto-accepts prompts (`--yes`) for offline runs
## Signing Scripts
### sign-signals.sh
Signs decay config, unknowns manifest, and heuristics catalog with DSSE envelopes.
```bash
# Production (CI secret or cosign.key drop-in)
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
# Development (dev key)
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
OUT_DIR=docs/modules/signals/dev-test \
tools/cosign/sign-signals.sh
```
### Key Resolution Order
1. `COSIGN_KEY_FILE` environment variable
2. `COSIGN_PRIVATE_KEY_B64` (decoded to temp file)
3. `tools/cosign/cosign.key` (production drop-in)
4. `tools/cosign/cosign.dev.key` (only if `COSIGN_ALLOW_DEV_KEY=1`)

11
tools/cosign/cosign.dev.key Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
OCwicCI6MX0sInNhbHQiOiJ5dlhpaXliR2lTR0NPS2x0Q2M1dlFhTy91S3pBVzNs
Skl3QTRaU2dEMTAwPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
Iiwibm9uY2UiOiIyNHA0T2xJZnJxdnhPVnM3dlY2MXNwVGpkNk80cVBEVCJ9LCJj
aXBoZXJ0ZXh0IjoiTHRWSGRqVi94MXJrYXhscGxJbVB5dkVtc2NBYTB5dW5oakZ5
UUFiZ1RSNVdZL3lCS0tYMWdFb09hclZDWksrQU0yY0tIM2tJQWlJNWlMd1AvV3c5
Q3k2SVY1ek4za014cExpcjJ1QVZNV3c3Y3BiYUhnNjV4TzNOYkEwLzJOSi84R0dN
NWt1QXhJRWsraER3ZWJ4Tld4WkRtNEZ4NTJVcVJxa2NPT09vNk9xWXB4OWFMaVZw
RjgzRElGZFpRK2R4K05RUnUxUmNrKzBtOHc9PSJ9
-----END ENCRYPTED SIGSTORE PRIVATE KEY-----

4
tools/cosign/cosign.dev.pub Normal file
View File

@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfoI+9RFCTcfjeMqpCQ3FAyvKwBQU
YAIM2cfDR8W98OxnXV+gfV5Dhfoi8qofAnG/vC7DbBlX2t/gT7GKUZAChA==
-----END PUBLIC KEY-----

20
tools/cosign/sign-signals.sh
View File

@@ -32,12 +32,19 @@ elif [[ -n "${COSIGN_PRIVATE_KEY_B64:-}" ]]; then
KEY_FILE="$TMP_KEY"
elif [[ -f "$ROOT/tools/cosign/cosign.key" ]]; then
KEY_FILE="$ROOT/tools/cosign/cosign.key"
elif [[ "${COSIGN_ALLOW_DEV_KEY:-0}" == "1" && -f "$ROOT/tools/cosign/cosign.dev.key" ]]; then
echo "[warn] Using development key (tools/cosign/cosign.dev.key); NOT for production/Evidence Locker" >&2
KEY_FILE="$ROOT/tools/cosign/cosign.dev.key"
else
echo "No signing key: set COSIGN_PRIVATE_KEY_B64 or COSIGN_KEY_FILE, or place key at tools/cosign/cosign.key" >&2
exit 2
fi
OUT_BASE="${OUT_DIR:-$ROOT/evidence-locker/signals/2025-12-01}"
# Normalize OUT_BASE to absolute to avoid pushd-relative path issues.
if [[ "$OUT_BASE" != /* ]]; then
OUT_BASE="$ROOT/$OUT_BASE"
fi
mkdir -p "$OUT_BASE"
ARTIFACTS=(
@@ -46,9 +53,12 @@ ARTIFACTS=(
"heuristics/heuristics.catalog.json|stella.ops/heuristicCatalog@v1|heuristics_catalog"
)
COSIGN_VERSION="$($COSIGN_BIN version | head -n1)"
USE_BUNDLE=0
[[ "$COSIGN_VERSION" == *"v3."* ]] && USE_BUNDLE=1
if $COSIGN_BIN version --json 2>/dev/null | grep -q '"GitVersion":"v3'; then
USE_BUNDLE=1
elif $COSIGN_BIN version 2>/dev/null | grep -q 'GitVersion:.*v3\.'; then
USE_BUNDLE=1
fi
pushd "$ROOT/docs/modules/signals" >/dev/null
@@ -67,7 +77,8 @@ for entry in "${ARTIFACTS[@]}"; do
COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
"$COSIGN_BIN" sign-blob \
--key "$KEY_FILE" \
--predicate-type "$predicate" \
--yes \
--tlog-upload=false \
--bundle "$bundle" \
"$path"
printf "%s %s\n" "$(sha256sum "$bundle" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$bundle")" >> "$SHA_FILE"
@@ -76,7 +87,8 @@ for entry in "${ARTIFACTS[@]}"; do
COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
"$COSIGN_BIN" sign-blob \
--key "$KEY_FILE" \
--predicate-type "$predicate" \
--yes \
--tlog-upload=false \
--output-signature "$sig" \
"$path"
printf "%s %s\n" "$(sha256sum "$sig" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$sig")" >> "$SHA_FILE"