audit, advisories and doctors/setup work

This commit is contained in:
master
2026-01-13 18:53:39 +02:00
parent 9ca7cb183e
commit d7be6ba34b
811 changed files with 54242 additions and 4056 deletions

@@ -0,0 +1,44 @@
# DSSE Attestation
This example shows how to emit DSSE envelopes from `stella scan diff` and verify them.
## Generate DSSE Output
```bash
stella scan diff \
--base docker://registry.example.com/myapp:1.0.0 \
--target docker://registry.example.com/myapp:1.0.1 \
--mode=elf \
--emit-dsse=./attestations \
--signing-key=./keys/binarydiff.pem
```
Output files:
```
attestations/
linux-amd64-binarydiff.dsse.json
linux-amd64-binarydiff.payload.json
```
## Attach Attestation
```bash
stella attest attach \
--image docker://registry.example.com/myapp:1.0.1 \
--attestation ./attestations/linux-amd64-binarydiff.dsse.json
```
## Verify with Cosign
```bash
cosign verify-attestation \
--type stellaops.binarydiff.v1 \
--key ./keys/binarydiff.pub \
docker://registry.example.com/myapp:1.0.1
```
## Notes
- DSSE signing requires an ECDSA private key (P-256/384/521) in PEM format.
- If the image is multi-arch, specify `--platform` to select the manifest.
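
Review bot: In "Attach Attestation" and "Verify with Cosign" the image is addressed by a mutable tag (`docker://registry.example.com/myapp:1.0.1`), so the example does not show that the attestation being verified is bound to the image that was actually diffed; suggest using a digest reference (`myapp@sha256:<digest>`) in both steps, or stating that the tag is resolved to a digest before signing. The verify step also uses `./keys/binarydiff.pub`, but no step shows how that public key is obtained from `./keys/binarydiff.pem`; add that line or a pointer to the key setup doc. Since the block reads as copy-paste ready, please confirm that cosign accepts the `docker://` prefix and the `--type stellaops.binarydiff.v1` value as written, and say in the Notes which of the three commands takes `--platform`.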