CD/CD consolidation

devops/tools/crypto/download-cryptopro-playwright.cjs

@@ -0,0 +1,220 @@
+#!/usr/bin/env node
+/**
+ * CryptoPro CSP downloader (Playwright-driven).
+ *
+ * Navigates cryptopro.ru downloads page, optionally fills login form, and selects
+ * Linux packages (.rpm/.deb/.tar.gz/.tgz/.bin) under the CSP Linux section.
+ *
+ * Environment:
+ *  - CRYPTOPRO_URL (default: https://cryptopro.ru/products/csp/downloads#latest_csp50r3_linux)
+ *  - CRYPTOPRO_EMAIL / CRYPTOPRO_PASSWORD (default demo creds: contact@stella-ops.org / Hoko33JD3nj3aJD.)
+ *  - CRYPTOPRO_DRY_RUN (default: 1) -> list candidates, do not download
+ *  - CRYPTOPRO_OUTPUT_DIR (default: /opt/cryptopro/downloads)
+ *  - CRYPTOPRO_OUTPUT_FILE (optional: force a specific output filename/path)
+ *  - CRYPTOPRO_UNPACK (default: 0) -> attempt to unpack tar.gz/tgz/rpm/deb
+ */
+
+const path = require('path');
+const fs = require('fs');
+const { spawnSync } = require('child_process');
+const { chromium } = require('playwright-chromium');
+
+const url = process.env.CRYPTOPRO_URL || 'https://cryptopro.ru/products/csp/downloads#latest_csp50r3_linux';
+const email = process.env.CRYPTOPRO_EMAIL || 'contact@stella-ops.org';
+const password = process.env.CRYPTOPRO_PASSWORD || 'Hoko33JD3nj3aJD.';
+const dryRun = (process.env.CRYPTOPRO_DRY_RUN || '1') !== '0';
+const outputDir = process.env.CRYPTOPRO_OUTPUT_DIR || '/opt/cryptopro/downloads';
+const outputFile = process.env.CRYPTOPRO_OUTPUT_FILE;
+const unpack = (process.env.CRYPTOPRO_UNPACK || '0') === '1';
+const navTimeout = parseInt(process.env.CRYPTOPRO_NAV_TIMEOUT || '60000', 10);
+
+const linuxPattern = /\.(rpm|deb|tar\.gz|tgz|bin)(\?|$)/i;
+const debugLinks = (process.env.CRYPTOPRO_DEBUG || '0') === '1';
+
+function log(msg) {
+  process.stdout.write(`${msg}\n`);
+}
+
+function warn(msg) {
+  process.stderr.write(`[WARN] ${msg}\n`);
+}
+
+async function maybeLogin(page) {
+  const emailSelector = 'input[type="email"], input[name*="email" i], input[name*="login" i], input[name="name"]';
+  const passwordSelector = 'input[type="password"], input[name*="password" i]';
+  const submitSelector = 'button[type="submit"], input[type="submit"]';
+
+  const emailInput = await page.$(emailSelector);
+  const passwordInput = await page.$(passwordSelector);
+  if (emailInput && passwordInput) {
+    log('[login] Form detected; submitting credentials');
+    await emailInput.fill(email);
+    await passwordInput.fill(password);
+    const submit = await page.$(submitSelector);
+    if (submit) {
+      await Promise.all([
+        page.waitForNavigation({ waitUntil: 'networkidle', timeout: 15000 }).catch(() => {}),
+        submit.click()
+      ]);
+    } else {
+      await passwordInput.press('Enter');
+      await page.waitForTimeout(2000);
+    }
+  } else {
+    log('[login] No login form detected; continuing anonymously');
+  }
+}
+
+async function findLinuxLinks(page) {
+  const targets = [page, ...page.frames()];
+  const hrefs = [];
+
+  // Collect href/data-href/data-url across main page + frames
+  for (const target of targets) {
+    try {
+      const collected = await target.$$eval('a[href], [data-href], [data-url]', (els) =>
+        els
+          .map((el) => el.getAttribute('href') || el.getAttribute('data-href') || el.getAttribute('data-url'))
+          .filter((href) => typeof href === 'string')
+      );
+      hrefs.push(...collected);
+    } catch (err) {
+      warn(`[scan] Failed to collect links from frame: ${err.message}`);
+    }
+  }
+
+  const unique = Array.from(new Set(hrefs));
+  return unique.filter((href) => linuxPattern.test(href));
+}
+
+function unpackIfSupported(filePath) {
+  if (!unpack) {
+    return;
+  }
+  const cwd = path.dirname(filePath);
+  if (filePath.endsWith('.tar.gz') || filePath.endsWith('.tgz')) {
+    const res = spawnSync('tar', ['-xzf', filePath, '-C', cwd], { stdio: 'inherit' });
+    if (res.status === 0) {
+      log(`[unpack] Extracted ${filePath}`);
+    } else {
+      warn(`[unpack] Failed to extract ${filePath}`);
+    }
+  } else if (filePath.endsWith('.rpm')) {
+    const res = spawnSync('bash', ['-lc', `rpm2cpio "${filePath}" | cpio -idmv`], { stdio: 'inherit', cwd });
+    if (res.status === 0) {
+      log(`[unpack] Extracted RPM ${filePath}`);
+    } else {
+      warn(`[unpack] Failed to extract RPM ${filePath}`);
+    }
+  } else if (filePath.endsWith('.deb')) {
+    const res = spawnSync('dpkg-deb', ['-x', filePath, cwd], { stdio: 'inherit' });
+    if (res.status === 0) {
+      log(`[unpack] Extracted DEB ${filePath}`);
+    } else {
+      warn(`[unpack] Failed to extract DEB ${filePath}`);
+    }
+  } else if (filePath.endsWith('.bin')) {
+    const res = spawnSync('chmod', ['+x', filePath], { stdio: 'inherit' });
+    if (res.status === 0) {
+      log(`[unpack] Marked ${filePath} as executable (self-extract expected)`);
+    } else {
+      warn(`[unpack] Could not mark ${filePath} executable`);
+    }
+  } else {
+    warn(`[unpack] Skipping unsupported archive type for ${filePath}`);
+  }
+}
+
+async function main() {
+  if (email === 'contact@stella-ops.org' && password === 'Hoko33JD3nj3aJD.') {
+    warn('Using default demo credentials; set CRYPTOPRO_EMAIL/CRYPTOPRO_PASSWORD to real customer creds.');
+  }
+
+  const browser = await chromium.launch({ headless: true });
+  const context = await browser.newContext({
+    acceptDownloads: true,
+    httpCredentials: { username: email, password }
+  });
+  const page = await context.newPage();
+  log(`[nav] Opening ${url}`);
+  try {
+    await page.goto(url, { waitUntil: 'networkidle', timeout: navTimeout });
+  } catch (err) {
+    warn(`[nav] Navigation at networkidle failed (${err.message}); retrying with waitUntil=load`);
+    await page.goto(url, { waitUntil: 'load', timeout: navTimeout });
+  }
+  log(`[nav] Landed on ${page.url()}`);
+  await maybeLogin(page);
+  await page.waitForTimeout(2000);
+
+  const loginGate =
+    page.url().includes('/user') ||
+    (await page.$('form#user-login, form[id*="user-login"], .captcha, #captcha-container'));
+  if (loginGate) {
+    warn('[auth] Login/captcha gate detected on downloads page; automated fetch blocked. Provide session/cookies or run headful to solve manually.');
+    await browser.close();
+    return 2;
+  }
+
+  let links = await findLinuxLinks(page);
+  if (links.length === 0) {
+    await page.waitForTimeout(1500);
+    await page.evaluate(() => window.scrollTo(0, document.body.scrollHeight));
+    await page.waitForTimeout(2000);
+    links = await findLinuxLinks(page);
+  }
+  if (links.length === 0) {
+    if (debugLinks) {
+      const targetDir = outputFile ? path.dirname(outputFile) : outputDir;
+      await fs.promises.mkdir(targetDir, { recursive: true });
+      const debugHtml = path.join(targetDir, 'cryptopro-download-page.html');
+      await fs.promises.writeFile(debugHtml, await page.content(), 'utf8');
+      log(`[debug] Saved page HTML to ${debugHtml}`);
+      const allLinks = await page.$$eval('a[href], [data-href], [data-url]', (els) =>
+        els
+          .map((el) => el.getAttribute('href') || el.getAttribute('data-href') || el.getAttribute('data-url'))
+          .filter((href) => typeof href === 'string')
+      );
+      log(`[debug] Total link-like attributes: ${allLinks.length}`);
+      allLinks.slice(0, 20).forEach((href, idx) => log(`  [all ${idx + 1}] ${href}`));
+    }
+    warn('No Linux download links found on page.');
+    await browser.close();
+    return 1;
+  }
+
+  log(`[scan] Found ${links.length} Linux candidate links`);
+  links.slice(0, 10).forEach((href, idx) => log(`  [${idx + 1}] ${href}`));
+
+  if (dryRun) {
+    log('[mode] Dry-run enabled; not downloading. Set CRYPTOPRO_DRY_RUN=0 to fetch.');
+    await browser.close();
+    return 0;
+  }
+
+  const target = links[0];
+  log(`[download] Fetching ${target}`);
+  const [download] = await Promise.all([
+    page.waitForEvent('download', { timeout: 30000 }),
+    page.goto(target).catch(() => page.click(`a[href="${target}"]`).catch(() => {}))
+  ]);
+
+  const targetDir = outputFile ? path.dirname(outputFile) : outputDir;
+  await fs.promises.mkdir(targetDir, { recursive: true });
+  const suggested = download.suggestedFilename();
+  const outPath = outputFile ? outputFile : path.join(outputDir, suggested);
+  await download.saveAs(outPath);
+  log(`[download] Saved to ${outPath}`);
+
+  unpackIfSupported(outPath);
+
+  await browser.close();
+  return 0;
+}
+
+main()
+  .then((code) => process.exit(code))
+  .catch((err) => {
+    console.error(err);
+    process.exit(1);
+  });

devops/tools/crypto/package-rootpack-ru.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+TIMESTAMP="$(date -u +%Y%m%dT%H%M%SZ)"
+OUTPUT_ROOT="${1:-${ROOT_DIR}/build/rootpack_ru_${TIMESTAMP}}"
+ARTIFACT_DIR="${OUTPUT_ROOT}/artifacts"
+DOC_DIR="${OUTPUT_ROOT}/docs"
+CONFIG_DIR="${OUTPUT_ROOT}/config"
+TRUST_DIR="${OUTPUT_ROOT}/trust"
+
+mkdir -p "$ARTIFACT_DIR" "$DOC_DIR" "$CONFIG_DIR" "$TRUST_DIR"
+
+publish_plugin() {
+    local project="$1"
+    local name="$2"
+    local publish_dir="${ARTIFACT_DIR}/${name}"
+    echo "[rootpack-ru] Publishing ${project} -> ${publish_dir}"
+    dotnet publish "$project" -c Release -o "$publish_dir" --nologo >/dev/null
+}
+
+publish_plugin "src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/StellaOps.Cryptography.Plugin.CryptoPro.csproj" "StellaOps.Cryptography.Plugin.CryptoPro"
+publish_plugin "src/__Libraries/StellaOps.Cryptography.Plugin.Pkcs11Gost/StellaOps.Cryptography.Plugin.Pkcs11Gost.csproj" "StellaOps.Cryptography.Plugin.Pkcs11Gost"
+
+cp docs/security/rootpack_ru_validation.md "$DOC_DIR/"
+cp docs/security/crypto-routing-audit-2025-11-07.md "$DOC_DIR/"
+cp docs/security/rootpack_ru_package.md "$DOC_DIR/"
+cp etc/rootpack/ru/crypto.profile.yaml "$CONFIG_DIR/rootpack_ru.crypto.yaml"
+
+if [ "${INCLUDE_GOST_VALIDATION:-1}" != "0" ]; then
+    candidate="${OPENSSL_GOST_LOG_DIR:-}"
+    if [ -z "$candidate" ]; then
+        candidate="$(ls -d "${ROOT_DIR}"/logs/openssl_gost_validation_* "${ROOT_DIR}"/logs/rootpack_ru_*/openssl_gost 2>/dev/null | sort | tail -n 1 || true)"
+    fi
+
+    if [ -n "$candidate" ] && [ -d "$candidate" ]; then
+        mkdir -p "${DOC_DIR}/gost-validation"
+        cp -r "$candidate" "${DOC_DIR}/gost-validation/latest"
+    fi
+fi
+
+shopt -s nullglob
+for pem in "$ROOT_DIR"/certificates/russian_trusted_*; do
+    cp "$pem" "$TRUST_DIR/"
+done
+shopt -u nullglob
+
+cat <<README >"${OUTPUT_ROOT}/README.txt"
+RootPack_RU bundle (${TIMESTAMP})
+--------------------------------
+Contents:
+  - artifacts/ : Sovereign crypto plug-ins published for net10.0 (CryptoPro + PKCS#11)
+  - config/rootpack_ru.crypto.yaml : example configuration binding registry profiles
+  - docs/ : validation + audit documentation
+  - trust/ : Russian trust anchor PEM bundle copied from certificates/
+
+Usage:
+  1. Review docs/rootpack_ru_package.md for installation steps.
+  2. Execute scripts/crypto/run-rootpack-ru-tests.sh (or CI equivalent) and attach the logs to this bundle.
+  3. Record hardware validation outputs per docs/rootpack_ru_validation.md and store alongside this directory.
+README
+
+if [[ "${PACKAGE_TAR:-1}" != "0" ]]; then
+    tarball="${OUTPUT_ROOT}.tar.gz"
+    echo "[rootpack-ru] Creating ${tarball}"
+    tar -czf "$tarball" -C "$(dirname "$OUTPUT_ROOT")" "$(basename "$OUTPUT_ROOT")"
+fi
+
+echo "[rootpack-ru] Bundle staged under $OUTPUT_ROOT"

devops/tools/crypto/run-cryptopro-tests.ps1

@@ -0,0 +1,25 @@
+param(
+    [string]$Configuration = "Release"
+)
+
+if (-not $IsWindows) {
+    Write-Host "CryptoPro tests require Windows" -ForegroundColor Yellow
+    exit 0
+}
+
+if (-not (Get-Command dotnet -ErrorAction SilentlyContinue)) {
+    Write-Host "dotnet SDK not found" -ForegroundColor Red
+    exit 1
+}
+
+# Opt-in flag to avoid accidental runs on agents without CryptoPro CSP installed
+$env:STELLAOPS_CRYPTO_PRO_ENABLED = "1"
+
+Write-Host "Running CryptoPro-only tests..." -ForegroundColor Cyan
+
+pushd $PSScriptRoot\..\..
+try {
+    dotnet test src/__Libraries/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests.csproj -c $Configuration --filter CryptoProGostSignerTests
+} finally {
+    popd
+}

devops/tools/crypto/run-rootpack-ru-tests.sh

@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+DEFAULT_LOG_ROOT="${ROOT_DIR}/logs/rootpack_ru_$(date -u +%Y%m%dT%H%M%SZ)"
+LOG_ROOT="${ROOTPACK_LOG_DIR:-$DEFAULT_LOG_ROOT}"
+ALLOW_PARTIAL="${ALLOW_PARTIAL:-1}"
+mkdir -p "$LOG_ROOT"
+
+PROJECTS=(
+    "src/__Libraries/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests.csproj"
+    "src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csproj"
+    "src/Scanner/__Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests.csproj"
+)
+if [ "${RUN_SCANNER:-1}" != "1" ]; then
+    PROJECTS=("${PROJECTS[0]}")
+    echo "[rootpack-ru] RUN_SCANNER=0 set; skipping scanner test suites"
+fi
+
+run_test() {
+    local project="$1"
+    local extra_props=""
+
+    if [ "${STELLAOPS_ENABLE_CRYPTO_PRO:-""}" = "1" ]; then
+        extra_props+=" /p:StellaOpsEnableCryptoPro=true"
+    fi
+
+    if [ "${STELLAOPS_ENABLE_PKCS11:-""}" = "1" ]; then
+        extra_props+=" /p:StellaOpsEnablePkcs11=true"
+    fi
+    local safe_name
+    safe_name="$(basename "${project%.csproj}")"
+    local log_file="${LOG_ROOT}/${safe_name}.log"
+    local trx_name="${safe_name}.trx"
+
+    echo "[rootpack-ru] Running tests for ${project}" | tee "$log_file"
+    dotnet test "$project" \
+        --nologo \
+        --verbosity minimal \
+        --results-directory "$LOG_ROOT" \
+        --logger "trx;LogFileName=${trx_name}" ${extra_props} | tee -a "$log_file"
+}
+
+PROJECT_SUMMARY=()
+for project in "${PROJECTS[@]}"; do
+    safe_name="$(basename "${project%.csproj}")"
+        if run_test "$project"; then
+            PROJECT_SUMMARY+=("$project|$safe_name|PASS")
+            echo "[rootpack-ru] Wrote logs for ${project} -> ${LOG_ROOT}/${safe_name}.log"
+        else
+            PROJECT_SUMMARY+=("$project|$safe_name|FAIL")
+            echo "[rootpack-ru] Test run failed for ${project}; see ${LOG_ROOT}/${safe_name}.log"
+            if [ "${ALLOW_PARTIAL}" != "1" ]; then
+                echo "[rootpack-ru] ALLOW_PARTIAL=0; aborting harness."
+                exit 1
+            fi
+        fi
+    done
+
+GOST_SUMMARY="skipped (docker not available)"
+if [ "${RUN_GOST_VALIDATION:-1}" = "1" ]; then
+    if command -v docker >/dev/null 2>&1; then
+        echo "[rootpack-ru] Running OpenSSL GOST validation harness"
+        OPENSSL_GOST_LOG_DIR="${LOG_ROOT}/openssl_gost"
+        if OPENSSL_GOST_LOG_DIR="${OPENSSL_GOST_LOG_DIR}" bash "${ROOT_DIR}/scripts/crypto/validate-openssl-gost.sh"; then
+            if [ -d "${OPENSSL_GOST_LOG_DIR}" ] && [ -f "${OPENSSL_GOST_LOG_DIR}/summary.txt" ]; then
+                GOST_SUMMARY="$(cat "${OPENSSL_GOST_LOG_DIR}/summary.txt")"
+            else
+                GOST_SUMMARY="completed (see logs/openssl_gost_validation_*)"
+            fi
+        else
+            GOST_SUMMARY="failed (see logs/openssl_gost_validation_*)"
+        fi
+    else
+        echo "[rootpack-ru] Docker not available; skipping OpenSSL GOST validation."
+    fi
+fi
+
+{
+    echo "RootPack_RU deterministic test harness"
+    echo "Generated: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+    echo "Log Directory: $LOG_ROOT"
+    echo ""
+    echo "Projects:"
+    for entry in "${PROJECT_SUMMARY[@]}"; do
+        project_path="${entry%%|*}"
+        rest="${entry#*|}"
+        safe_name="${rest%%|*}"
+        status="${rest##*|}"
+        printf ' - %s (log: %s.log, trx: %s.trx) [%s]\n' "$project_path" "$safe_name" "$safe_name" "$status"
+    done
+    echo ""
+    echo "GOST validation: ${GOST_SUMMARY}"
+} > "$LOG_ROOT/README.tests"
+
+echo "Logs and TRX files available under $LOG_ROOT"

devops/tools/crypto/run-sim-smoke.ps1

@@ -0,0 +1,42 @@
+param(
+    [string] $BaseUrl = "http://localhost:5000",
+    [string] $SimProfile = "sm"
+)
+
+$ErrorActionPreference = "Stop"
+$repoRoot = Resolve-Path "$PSScriptRoot/../.."
+
+Push-Location $repoRoot
+$job = $null
+try {
+    Write-Host "Building sim service and smoke harness..."
+    dotnet build ops/crypto/sim-crypto-service/SimCryptoService.csproj -c Release | Out-Host
+    dotnet build ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release | Out-Host
+
+    Write-Host "Starting sim service at $BaseUrl ..."
+    $job = Start-Job -ArgumentList $repoRoot, $BaseUrl -ScriptBlock {
+        param($path, $url)
+        Set-Location $path
+        $env:ASPNETCORE_URLS = $url
+        dotnet run --project ops/crypto/sim-crypto-service/SimCryptoService.csproj --no-build -c Release
+    }
+
+    Start-Sleep -Seconds 6
+
+    $env:STELLAOPS_CRYPTO_SIM_URL = $BaseUrl
+    $env:SIM_PROFILE = $SimProfile
+    Write-Host "Running smoke harness (profile=$SimProfile, url=$BaseUrl)..."
+    dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj --no-build -c Release
+    $exitCode = $LASTEXITCODE
+    if ($exitCode -ne 0) {
+        throw "Smoke harness failed with exit code $exitCode"
+    }
+}
+finally {
+    if ($job) {
+        Stop-Job $job -ErrorAction SilentlyContinue | Out-Null
+        Receive-Job $job -ErrorAction SilentlyContinue | Out-Null
+        Remove-Job $job -ErrorAction SilentlyContinue | Out-Null
+    }
+    Pop-Location
+}

devops/tools/crypto/validate-openssl-gost.sh

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v docker >/dev/null 2>&1; then
+    echo "[gost-validate] docker is required but not found on PATH" >&2
+    exit 1
+fi
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+TIMESTAMP="$(date -u +%Y%m%dT%H%M%SZ)"
+LOG_ROOT="${OPENSSL_GOST_LOG_DIR:-${ROOT_DIR}/logs/openssl_gost_validation_${TIMESTAMP}}"
+IMAGE="${OPENSSL_GOST_IMAGE:-rnix/openssl-gost:latest}"
+MOUNT_PATH="${LOG_ROOT}"
+
+UNAME_OUT="$(uname -s || true)"
+case "${UNAME_OUT}" in
+    MINGW*|MSYS*|CYGWIN*)
+        if command -v wslpath >/dev/null 2>&1; then
+            # Docker Desktop on Windows prefers Windows-style mount paths.
+            MOUNT_PATH="$(wslpath -m "${LOG_ROOT}")"
+        fi
+        ;;
+    *)
+        MOUNT_PATH="${LOG_ROOT}"
+        ;;
+esac
+
+mkdir -p "${LOG_ROOT}"
+
+cat >"${LOG_ROOT}/message.txt" <<'EOF'
+StellaOps OpenSSL GOST validation message (md_gost12_256)
+EOF
+
+echo "[gost-validate] Using image ${IMAGE}"
+docker pull "${IMAGE}" >/dev/null
+
+CONTAINER_SCRIPT_PATH="${LOG_ROOT}/container-script.sh"
+
+cat > "${CONTAINER_SCRIPT_PATH}" <<'CONTAINER_SCRIPT'
+set -eu
+
+MESSAGE="/out/message.txt"
+
+openssl version -a > /out/openssl-version.txt
+openssl engine -c > /out/engine-list.txt
+
+openssl genpkey -engine gost -algorithm gost2012_256 -pkeyopt paramset:A -out /tmp/gost.key.pem >/dev/null
+openssl pkey -engine gost -in /tmp/gost.key.pem -pubout -out /out/gost.pub.pem >/dev/null
+
+DIGEST_LINE="$(openssl dgst -engine gost -md_gost12_256 "${MESSAGE}")"
+echo "${DIGEST_LINE}" > /out/digest.txt
+DIGEST="$(printf "%s" "${DIGEST_LINE}" | awk -F'= ' '{print $2}')"
+
+openssl dgst -engine gost -md_gost12_256 -sign /tmp/gost.key.pem -out /tmp/signature1.bin "${MESSAGE}"
+openssl dgst -engine gost -md_gost12_256 -sign /tmp/gost.key.pem -out /tmp/signature2.bin "${MESSAGE}"
+
+openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature1.bin "${MESSAGE}" > /out/verify1.txt
+openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature2.bin "${MESSAGE}" > /out/verify2.txt
+
+SIG1_SHA="$(sha256sum /tmp/signature1.bin | awk '{print $1}')"
+SIG2_SHA="$(sha256sum /tmp/signature2.bin | awk '{print $1}')"
+MSG_SHA="$(sha256sum "${MESSAGE}" | awk '{print $1}')"
+
+cp /tmp/signature1.bin /out/signature1.bin
+cp /tmp/signature2.bin /out/signature2.bin
+
+DETERMINISTIC_BOOL=false
+DETERMINISTIC_LABEL="no"
+if [ "${SIG1_SHA}" = "${SIG2_SHA}" ]; then
+  DETERMINISTIC_BOOL=true
+  DETERMINISTIC_LABEL="yes"
+fi
+
+cat > /out/summary.txt <<SUMMARY
+OpenSSL GOST validation (Linux engine)
+Image: ${VALIDATION_IMAGE:-unknown}
+Digest algorithm: md_gost12_256
+Message SHA256: ${MSG_SHA}
+Digest: ${DIGEST}
+Signature1 SHA256: ${SIG1_SHA}
+Signature2 SHA256: ${SIG2_SHA}
+Signatures deterministic: ${DETERMINISTIC_LABEL}
+SUMMARY
+
+cat > /out/summary.json <<SUMMARYJSON
+{
+  "image": "${VALIDATION_IMAGE:-unknown}",
+  "digest_algorithm": "md_gost12_256",
+  "message_sha256": "${MSG_SHA}",
+  "digest": "${DIGEST}",
+  "signature1_sha256": "${SIG1_SHA}",
+  "signature2_sha256": "${SIG2_SHA}",
+  "signatures_deterministic": ${DETERMINISTIC_BOOL}
+}
+SUMMARYJSON
+
+CONTAINER_SCRIPT
+
+docker run --rm \
+    -e VALIDATION_IMAGE="${IMAGE}" \
+    -v "${MOUNT_PATH}:/out" \
+    "${IMAGE}" /bin/sh "/out/$(basename "${CONTAINER_SCRIPT_PATH}")"
+
+rm -f "${CONTAINER_SCRIPT_PATH}"
+
+echo "[gost-validate] Artifacts written to ${LOG_ROOT}"
+echo "[gost-validate] Summary:"
+cat "${LOG_ROOT}/summary.txt"