license switch agpl -> busl1, sprints work, new product advisories

This commit is contained in:
master
2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions


@@ -9,6 +9,66 @@ stella attest verify --envelope bundle.dsse.json --policy policy.json \
```
- Offline verification uses bundled roots and checkpoints; transparency optional.
### Timestamped attestations
Create a DSSE envelope and request RFC-3161 timestamping:
```bash
stella attest sign \
--predicate ./predicate.json \
--predicate-type https://slsa.dev/provenance/v1 \
--subject oci://registry/app@sha256:abc123 \
--digest sha256:abc123 \
--key ./keys/signing.pem \
--timestamp \
--tsa https://tsa.example \
--output attestation.dsse.json
```
Request and inspect standalone timestamp tokens:
```bash
stella ts rfc3161 --hash sha256:abc123 --tsa https://tsa.example --out artifact.tst
stella ts info --tst artifact.tst
stella ts verify --tst artifact.tst --artifact ./artifact.bin --trust-root ./roots.pem
```
Store timestamp evidence alongside an attestation:
```bash
stella evidence store --artifact attestation.dsse.json \
--tst artifact.tst --rekor-bundle rekor.json \
--tsa-chain tsa-chain.pem --ocsp ocsp.der --crl crl.der
```
Evidence is stored under `~/.stellaops/evidence-store/sha256_<digest>/` by default
(the colon in the digest is replaced with an underscore).
### Timestamp requirements during verify
Require RFC-3161 evidence and enforce skew:
```bash
stella attest verify --envelope attestation.dsse.json \
--require-timestamp --max-skew 5m --format json
```
The JSON output includes a `timestamp` block:
```json
{
"timestamp": {
"required": true,
"maxSkew": "00:05:00",
"present": true,
"generationTime": "2026-01-19T12:00:00Z",
"tsaUrl": "https://tsa.example",
"tokenDigest": "sha256:...",
"withinSkew": true
}
}
```
`--max-skew` accepts relative durations (`5m`, `30s`, `2h`) or `hh:mm:ss`.
## List attestations
```bash
stella attest list --tenant default --issuer dev-kms --format table
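Review bot: the `## List attestations` section on the last two lines of the hunk opens a ```bash fence, but no closing fence appears within the hunk; confirm it is closed on the next line, otherwise everything after it in the rendered page becomes part of that code block. Two further points in the same hunk. First, all three examples use `sha256:abc123` (`--subject`, `--digest`, `stella ts rfc3161 --hash`), which is not a correctly shaped SHA-256 digest (64 hex characters); a reader who copies the commands may have them rejected by digest validation before seeing the documented behaviour, so an obviously fake but correctly sized value (e.g. `sha256:` followed by 64 zeros) would serve better. Second, the "Timestamp requirements during verify" subsection documents only the success shape (`"present": true`, `"withinSkew": true`): state what `stella attest verify --require-timestamp` does when no token is present or `withinSkew` is false (non-zero exit, which JSON fields change), and what `generationTime` is compared against for the `--max-skew` check, since that is what an operator needs in order to build a policy gate on this output.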


@@ -680,7 +680,7 @@ wget https://releases.stella-ops.org/cli/china/latest/stella-china-linux-x64.tar
### License Compliance
All distributions are licensed under **AGPL-3.0-or-later**, with regional plugins subject to additional vendor licenses (e.g., CryptoPro CSP requires commercial license).
All distributions are licensed under **BUSL-1.1**, with regional plugins subject to additional vendor licenses (e.g., CryptoPro CSP requires commercial license).
---
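Review bot: swapping the license name alone leaves the License Compliance section incomplete for BUSL-1.1. Unlike AGPL-3.0, BUSL-1.1 is parameterized by an Additional Use Grant, a Change Date and a Change License, and a reader of a compliance section needs those values, or a link to the file that states them, to know what use is permitted today and when the code converts to an open-source license. Suggest something like `All distributions are licensed under **BUSL-1.1** (see the repository LICENSE file for the Additional Use Grant, Change Date and Change License)` (path assumed). Since the commit message describes a repository-wide switch, also grep the rest of the docs tree for remaining `AGPL-3.0-or-later` references so the distribution pages do not contradict each other. Minor: "requires commercial license" reads better as "requires a commercial license".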