stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

blockers 2
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-23 14:54:17 +02:00
parent f47d2d1377
commit cce96f3596
100 changed files with 2758 additions and 1912 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
docs/modules/mirror/dsse-tuf-profile.md Normal file
View File

@@ -0,0 +1,50 @@
# DSSE/TUF profile for Mirror thin bundles (v1 draft)
Applies to `mirror-thin-v1.*` artefacts in `out/mirror/thin/`.
## Keys
- Signing algorithm: ed25519
- Key IDs: `mirror-ed25519-test-1`
- Storage: keep private key only in sealed CI secret; public key published alongside metadata at `out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pub`.
## DSSE envelope
- Payload type: `application/vnd.stellaops.mirror.manifest+json`
- Payload: `mirror-thin-v1.manifest.json`
- Signature: ed25519 over base64url(payload)
- Envelope path: `out/mirror/thin/mirror-thin-v1.manifest.dsse.json`
## TUF metadata layout
```
out/mirror/thin/tuf/
root.json
snapshot.json
targets.json
timestamp.json
keys/mirror-ed25519-test-1.pub
```
### Targets mapping
- `mirror-thin-v1.tar.gz` → targets entry with sha256 `210dc49e8d3e25509298770a94da277aa2c9d4c387d3c24505a61fe1d7695a49`
- `mirror-thin-v1.manifest.json` → sha256 `0ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504`
### Determinism rules
- Sort keys in JSON; indent=2; trailing newline.
- `expires` set to `2026-01-01T00:00:00Z` for draft; update during release.
- Versions: root=1, targets=1, snapshot=1, timestamp=1 for this draft.
- Signatures should be stable; for test draft, placeholders are used until CI signing is wired.
## Status & TODO to productionize
- Draft signatures now generated with repo test key (`mirror-ed25519-test-1`) via `scripts/mirror/sign_thin_bundle.py`; replace with CI-held key before release.
- CI hook: set `MIRROR_SIGN_KEY_B64` (base64-encoded Ed25519 PEM) and run `scripts/mirror/ci-sign.sh` to build+sign+verify in one step.
- Rotate keys via TUF root role once CI secrets land.
- Add DSSE signer to assembler pipeline so `make-thin-v1.sh` emits envelope + TUF metadata automatically in CI.
### CI integration sketch (disabled until key is provided)
```
- name: Mirror thin bundle (signed)
run: |
export MIRROR_SIGN_KEY_B64="${{ secrets.MIRROR_SIGN_KEY_B64 }}"
export OCI=1
scripts/mirror/ci-sign.sh
if: ${{ secrets.MIRROR_SIGN_KEY_B64 != '' }}
```