Add tests for SBOM generation determinism across multiple formats
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
49
docs2/operations/key-rotation.md
Normal file
@@ -0,0 +1,49 @@
|
||||
# Key rotation
|
||||
|
||||
Purpose
|
||||
- Rotate signing keys without invalidating historical DSSE proofs.
|
||||
|
||||
Principles
|
||||
- Do not mutate old DSSE envelopes.
|
||||
- Keep key history; revoke instead of delete.
|
||||
- Publish key material to trust anchors and mirrors.
|
||||
- Audit all key lifecycle events.
|
||||
|
||||
Key profiles (examples)
|
||||
- default: SHA256-ED25519
|
||||
- fips: SHA256-ECDSA-P256
|
||||
- gost: GOST-R-34.10-2012
|
||||
- sm2: SM2-P256
|
||||
- pqc: ML-DSA-65
|
||||
|
||||
Rotation workflow
|
||||
1. Generate a new key in the configured keystore.
|
||||
2. Add the key to the trust anchor without removing old keys.
|
||||
3. Run a transition period where both keys verify.
|
||||
4. Revoke the old key with an effective date.
|
||||
5. Publish updated key material to attestation feeds or mirrors.
|
||||
|
||||
Trust anchors
|
||||
- Scoped by PURL pattern and allowed predicate types.
|
||||
- Store allowedKeyIds, revokedKeys, and keyHistory with timestamps.
|
||||
|
||||
Verification with key history
|
||||
- Verify signatures using the key valid at the time of signing.
|
||||
- Revoked keys remain valid for pre-revocation attestations.
|
||||
|
||||
Emergency revocation
|
||||
- Revoke compromised keys immediately and publish updated anchors.
|
||||
- Re-issue trust bundles and notify downstream verifiers.
|
||||
|
||||
Metrics and alerts
|
||||
- signer_key_age_days
|
||||
- signer_keys_active_total
|
||||
- signer_keys_revoked_total
|
||||
- signer_rotation_events_total
|
||||
- signer_verification_key_lookups_total
|
||||
- Alerts when keys near or exceed maximum age.
|
||||
|
||||
Related references
|
||||
- security/crypto-and-trust.md
|
||||
- provenance/attestation-workflow.md
|
||||
- docs/operations/key-rotation-runbook.md
|
||||
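Review bot: Under "Verification with key history", the rule "Revoked keys remain valid for pre-revocation attestations" does not distinguish a routine rotation from the compromised-key case under "Emergency revocation", and the document never says how the time of signing is established. If that time is taken from the attestation itself, anyone holding a compromised key can produce signatures that appear to predate the revocation. Suggest naming the trusted time source used for "the key valid at the time of signing", and stating that an emergency revocation records an effective date that can be set to the suspected compromise time, so attestations signed after that point fail verification even if they were issued before the revocation was published. Two smaller points: "Related references" points at docs/operations/key-rotation-runbook.md while this file is added under docs2/, so the link target should be checked, and the commit message describes only determinism tests and does not mention this document.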