20
docs/modules/mirror/provenance/observers.md
Normal file
@@ -0,0 +1,20 @@
|
||||
# PROV-OBS-53-001 draft: provenance observers for mirror bundles
|
||||
|
||||
Goal: allow downstream services to verify mirror bundle manifests and tarballs using published hashes and (when available) DSSE/TUF signatures.
|
||||
|
||||
## Inputs
|
||||
- Manifest: `out/mirror/thin/mirror-thin-v1.manifest.json`
|
||||
- Tarball: `out/mirror/thin/mirror-thin-v1.tar.gz`
|
||||
- Hashes: `.sha256` files adjacent to artefacts
|
||||
- (Future) DSSE envelope + TUF metadata under `out/mirror/thin/tuf/`
|
||||
|
||||
## Observer checks (draft)
|
||||
1) Hash verification: recompute SHA256 for manifest and tarball; compare to `.sha256` files.
|
||||
2) Schema check: ensure manifest fields `version`, `created`, `layers[]`, `indexes[]` exist; all digests are `sha256:`.
|
||||
3) Determinism: verify tar entry order matches manifest order and tar headers are owner=0:0, mtime=0, sorted paths.
|
||||
4) Optional DSSE: once available, verify DSSE envelope signature over manifest using `mirror-ed25519-test-1` public key.
|
||||
5) Optional TUF: once available, verify `timestamp.json` -> `snapshot.json` -> `targets.json` -> artefact hashes.
|
||||
|
||||
## Implementation notes
|
||||
- These checks can be implemented as a small CLI (Go/C#/Python). For now, reference artefacts live in `out/mirror/thin/` for test runners.
|
||||
- Determinism probe: `tar --list --utc --full-time -vvf mirror-thin-v1.tar.gz` should show epoch mtimes and sorted entries.
|
||||
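Review bot: Check 1 under "Observer checks" compares the recomputed SHA256 only against the `.sha256` files that sit next to the artefacts, and checks 4 and 5 are optional, so as drafted an observer has no authenticated source for the expected digest: whoever can replace `mirror-thin-v1.tar.gz` in `out/mirror/thin/` can replace its `.sha256` in the same place. Suggest stating in the doc that the hash step detects corruption rather than tampering until DSSE/TUF is available, or naming an independent source for the published hashes. Two smaller points: check 2 only requires digests to carry the `sha256:` prefix and does not say whether the `layers[]` and `indexes[]` digests are recomputed against the content they reference, and check 5 starts the chain at `timestamp.json` with no mention of a trusted `root.json` against which the metadata signatures are verified. For check 4, the key name `mirror-ed25519-test-1` reads as a test key, so the doc should say how observers obtain and pin the key used outside test runs.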