CD/CD consolidation

.gitea/scripts/sign/sign-authority-gaps.sh

@@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Deterministic DSSE signing helper for Authority gap artefacts (AU1–AU10, RR1–RR10).
+# Prefers system cosign v3 (bundle) and falls back to repo-pinned v2.6.0.
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+COSIGN_BIN="${COSIGN_BIN:-}"
+
+# Detect cosign binary
+if [[ -z "$COSIGN_BIN" ]]; then
+  if command -v /usr/local/bin/cosign >/dev/null 2>&1; then
+    COSIGN_BIN="/usr/local/bin/cosign"
+  elif command -v cosign >/dev/null 2>&1; then
+    COSIGN_BIN="$(command -v cosign)"
+  elif [[ -x "$ROOT/tools/cosign/cosign" ]]; then
+    COSIGN_BIN="$ROOT/tools/cosign/cosign"
+  else
+    echo "cosign not found; install or set COSIGN_BIN" >&2
+    exit 1
+  fi
+fi
+
+# Resolve key
+TMP_KEY=""
+if [[ -n "${COSIGN_KEY_FILE:-}" ]]; then
+  KEY_FILE="$COSIGN_KEY_FILE"
+elif [[ -n "${COSIGN_PRIVATE_KEY_B64:-}" ]]; then
+  TMP_KEY="$(mktemp)"
+  echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > "$TMP_KEY"
+  chmod 600 "$TMP_KEY"
+  KEY_FILE="$TMP_KEY"
+elif [[ -f "$ROOT/tools/cosign/cosign.key" ]]; then
+  KEY_FILE="$ROOT/tools/cosign/cosign.key"
+elif [[ "${COSIGN_ALLOW_DEV_KEY:-0}" == "1" && -f "$ROOT/tools/cosign/cosign.dev.key" ]]; then
+  echo "[warn] Using development key (tools/cosign/cosign.dev.key); NOT for production/Evidence Locker" >&2
+  KEY_FILE="$ROOT/tools/cosign/cosign.dev.key"
+else
+  echo "No signing key: set COSIGN_PRIVATE_KEY_B64 or COSIGN_KEY_FILE, or place key at tools/cosign/cosign.key" >&2
+  exit 2
+fi
+
+OUT_BASE="${OUT_DIR:-$ROOT/docs/modules/authority/gaps/dsse/2025-12-04}"
+if [[ "$OUT_BASE" != /* ]]; then
+  OUT_BASE="$ROOT/$OUT_BASE"
+fi
+mkdir -p "$OUT_BASE"
+
+ARTEFACTS=(
+  "docs/modules/authority/gaps/artifacts/authority-scope-role-catalog.v1.json|authority-scope-role-catalog"
+  "docs/modules/authority/gaps/artifacts/authority-jwks-metadata.schema.json|authority-jwks-metadata.schema"
+  "docs/modules/authority/gaps/artifacts/crypto-profile-registry.v1.json|crypto-profile-registry"
+  "docs/modules/authority/gaps/artifacts/authority-offline-verifier-bundle.v1.json|authority-offline-verifier-bundle"
+  "docs/modules/authority/gaps/artifacts/authority-abac.schema.json|authority-abac.schema"
+  "docs/modules/authority/gaps/artifacts/rekor-receipt-policy.v1.json|rekor-receipt-policy"
+  "docs/modules/authority/gaps/artifacts/rekor-receipt.schema.json|rekor-receipt.schema"
+  "docs/modules/authority/gaps/artifacts/rekor-receipt-bundle.v1.json|rekor-receipt-bundle"
+)
+
+USE_BUNDLE=0
+if $COSIGN_BIN version --json 2>/dev/null | grep -q '"GitVersion":"v3'; then
+  USE_BUNDLE=1
+elif $COSIGN_BIN version 2>/dev/null | grep -q 'GitVersion:.*v3\.'; then
+  USE_BUNDLE=1
+fi
+
+SHA_FILE="$OUT_BASE/SHA256SUMS"
+: > "$SHA_FILE"
+
+for entry in "${ARTEFACTS[@]}"; do
+  IFS="|" read -r path stem <<<"$entry"
+  if [[ ! -f "$ROOT/$path" ]]; then
+    echo "Missing artefact: $path" >&2
+    exit 3
+  fi
+  if (( USE_BUNDLE )); then
+    bundle="$OUT_BASE/${stem}.sigstore.json"
+    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
+    "$COSIGN_BIN" sign-blob \
+      --key "$KEY_FILE" \
+      --yes \
+      --tlog-upload=false \
+      --bundle "$bundle" \
+      "$ROOT/$path"
+    printf "%s  %s\n" "$(sha256sum "$bundle" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$bundle")" >> "$SHA_FILE"
+  else
+    sig="$OUT_BASE/${stem}.dsse"
+    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
+    "$COSIGN_BIN" sign-blob \
+      --key "$KEY_FILE" \
+      --yes \
+      --tlog-upload=false \
+      --output-signature "$sig" \
+      "$ROOT/$path"
+    printf "%s  %s\n" "$(sha256sum "$sig" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$sig")" >> "$SHA_FILE"
+  fi
+
+  printf "%s  %s\n" "$(sha256sum "$ROOT/$path" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$ROOT/$path")" >> "$SHA_FILE"
+  echo "Signed $path"
+done
+
+echo "Signed artefacts written to $OUT_BASE"
+
+if [[ -n "$TMP_KEY" ]]; then
+  rm -f "$TMP_KEY"
+fi

.gitea/scripts/sign/sign-policy.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Signs a policy file with cosign and verifies it. Intended for CI and offline use.
+# Requires COSIGN_KEY_B64 (private key PEM base64) or KMS envs; optional COSIGN_PASSWORD.
+
+usage() {
+  cat <<'USAGE'
+Usage: sign-policy.sh --file <path> [--out-dir out/policy-sign]
+Env:
+  COSIGN_KEY_B64   base64-encoded PEM private key (if not using KMS)
+  COSIGN_PASSWORD  passphrase for the key (can be empty for test keys)
+  COSIGN_PUBLIC_KEY_PATH optional path to write public key for verify step
+USAGE
+}
+
+FILE=""
+OUT_DIR="out/policy-sign"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --file) FILE="$2"; shift 2;;
+    --out-dir) OUT_DIR="$2"; shift 2;;
+    -h|--help) usage; exit 0;;
+    *) echo "Unknown arg: $1" >&2; usage; exit 1;;
+  esac
+done
+
+if [[ -z "$FILE" ]]; then echo "--file is required" >&2; exit 1; fi
+if [[ ! -f "$FILE" ]]; then echo "file not found: $FILE" >&2; exit 1; fi
+
+mkdir -p "$OUT_DIR"
+BASENAME=$(basename "$FILE")
+SIG="$OUT_DIR/${BASENAME}.sig"
+PUB_OUT="${COSIGN_PUBLIC_KEY_PATH:-$OUT_DIR/cosign.pub}"
+
+if [[ -n "${COSIGN_KEY_B64:-}" ]]; then
+  KEYFILE="$OUT_DIR/cosign.key"
+  printf "%s" "$COSIGN_KEY_B64" | base64 -d > "$KEYFILE"
+  chmod 600 "$KEYFILE"
+  export COSIGN_KEY="$KEYFILE"
+fi
+
+export COSIGN_PASSWORD=${COSIGN_PASSWORD:-}
+cosign version >/dev/null
+
+cosign sign-blob "$FILE" --output-signature "$SIG"
+cosign public-key --key "$COSIGN_KEY" > "$PUB_OUT"
+cosign verify-blob --key "$PUB_OUT" --signature "$SIG" "$FILE"
+
+printf "Signed %s -> %s\nPublic key -> %s\n" "$FILE" "$SIG" "$PUB_OUT"

.gitea/scripts/sign/sign-signals.sh

@@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Deterministic DSSE signing helper for Signals artifacts.
+# Prefers system cosign v3 (bundle) and falls back to repo-pinned v2.6.0.
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+COSIGN_BIN="${COSIGN_BIN:-}"
+
+# Detect cosign binary (v3 preferred).
+if [[ -z "$COSIGN_BIN" ]]; then
+  if command -v /usr/local/bin/cosign >/dev/null 2>&1; then
+    COSIGN_BIN="/usr/local/bin/cosign"
+  elif command -v cosign >/dev/null 2>&1; then
+    COSIGN_BIN="$(command -v cosign)"
+  elif [[ -x "$ROOT/tools/cosign/cosign" ]]; then
+    COSIGN_BIN="$ROOT/tools/cosign/cosign"
+  else
+    echo "cosign not found; install or set COSIGN_BIN" >&2
+    exit 1
+  fi
+fi
+
+# Resolve key
+TMP_KEY=""
+if [[ -n "${COSIGN_KEY_FILE:-}" ]]; then
+  KEY_FILE="$COSIGN_KEY_FILE"
+elif [[ -n "${COSIGN_PRIVATE_KEY_B64:-}" ]]; then
+  TMP_KEY="$(mktemp)"
+  echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > "$TMP_KEY"
+  chmod 600 "$TMP_KEY"
+  KEY_FILE="$TMP_KEY"
+elif [[ -f "$ROOT/tools/cosign/cosign.key" ]]; then
+  KEY_FILE="$ROOT/tools/cosign/cosign.key"
+elif [[ "${COSIGN_ALLOW_DEV_KEY:-0}" == "1" && -f "$ROOT/tools/cosign/cosign.dev.key" ]]; then
+  echo "[warn] Using development key (tools/cosign/cosign.dev.key); NOT for production/Evidence Locker" >&2
+  KEY_FILE="$ROOT/tools/cosign/cosign.dev.key"
+else
+  echo "No signing key: set COSIGN_PRIVATE_KEY_B64 or COSIGN_KEY_FILE, or place key at tools/cosign/cosign.key" >&2
+  exit 2
+fi
+
+OUT_BASE="${OUT_DIR:-$ROOT/evidence-locker/signals/2025-12-01}"
+# Normalize OUT_BASE to absolute to avoid pushd-relative path issues.
+if [[ "$OUT_BASE" != /* ]]; then
+  OUT_BASE="$ROOT/$OUT_BASE"
+fi
+mkdir -p "$OUT_BASE"
+
+ARTIFACTS=(
+  "decay/confidence_decay_config.yaml|stella.ops/confidenceDecayConfig@v1|confidence_decay_config"
+  "unknowns/unknowns_scoring_manifest.json|stella.ops/unknownsScoringManifest@v1|unknowns_scoring_manifest"
+  "heuristics/heuristics.catalog.json|stella.ops/heuristicCatalog@v1|heuristics_catalog"
+)
+
+USE_BUNDLE=0
+if $COSIGN_BIN version --json 2>/dev/null | grep -q '"GitVersion":"v3'; then
+  USE_BUNDLE=1
+elif $COSIGN_BIN version 2>/dev/null | grep -q 'GitVersion:.*v3\.'; then
+  USE_BUNDLE=1
+fi
+
+pushd "$ROOT/docs/modules/signals" >/dev/null
+
+SHA_FILE="$OUT_BASE/SHA256SUMS"
+: > "$SHA_FILE"
+
+for entry in "${ARTIFACTS[@]}"; do
+  IFS="|" read -r path predicate stem <<<"$entry"
+  if [[ ! -f "$path" ]]; then
+    echo "Missing artifact: $path" >&2
+    exit 3
+  fi
+
+  if (( USE_BUNDLE )); then
+    bundle="$OUT_BASE/${stem}.sigstore.json"
+    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
+    "$COSIGN_BIN" sign-blob \
+      --key "$KEY_FILE" \
+      --yes \
+      --tlog-upload=false \
+      --bundle "$bundle" \
+      "$path"
+    printf "%s  %s\n" "$(sha256sum "$bundle" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$bundle")" >> "$SHA_FILE"
+  else
+    sig="$OUT_BASE/${stem}.dsse"
+    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
+    "$COSIGN_BIN" sign-blob \
+      --key "$KEY_FILE" \
+      --yes \
+      --tlog-upload=false \
+      --output-signature "$sig" \
+      "$path"
+    printf "%s  %s\n" "$(sha256sum "$sig" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$sig")" >> "$SHA_FILE"
+  fi
+
+  printf "%s  %s\n" "$(sha256sum "$path" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$path")" >> "$SHA_FILE"
+done
+
+popd >/dev/null
+
+echo "Signed artifacts written to $OUT_BASE"
+
+if [[ -n "$TMP_KEY" ]]; then
+  rm -f "$TMP_KEY"
+fi