stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
docs/features/checked/attestor/attestation-bundle-verification.md Normal file
View File

@@ -0,0 +1,42 @@
# Attestation Bundle Verification
## Module
Attestor
## Status
VERIFIED
## Description
Sigstore bundle verification with dedicated verifier and bundler services for validating attestation integrity.
## Implementation Details
- **Sigstore Bundle Verifier**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Verification/SigstoreBundleVerifier.cs` -- verifies Sigstore bundles including signature validation and transparency log verification.
- **Bundle Verification Result**: `BundleVerificationResult.cs` -- result model with pass/fail status and detailed error messages.
- **Sigstore Bundle Model**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Models/SigstoreBundle.cs` -- represents a Sigstore bundle with `VerificationMaterial`, `TransparencyLogEntry`, and `InclusionProof`.
- **Bundle Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Builder/SigstoreBundleBuilder.cs` -- constructs Sigstore bundles from attestation components.
- **Bundle Serializer**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Serialization/SigstoreBundleSerializer.cs` -- JSON serialization/deserialization of Sigstore bundles.
- **Attestation Bundler**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/AttestationBundler.cs` -- high-level bundling service implementing `IAttestationBundler`. Aggregates multiple attestations into bundles.
- **Bundle Aggregator**: `IBundleAggregator.cs` -- interface for aggregating attestations.
- **Bundle Store**: `IBundleStore.cs` -- persistence interface for bundles.
- **Org Key Signing**: `Signing/KmsOrgKeySigner.cs` -- signs bundles with organization-level KMS keys.
- **Verification Engine**: `src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs` -- top-level verification engine that orchestrates bundle and attestation verification.
- **Tests**: `__Tests/StellaOps.Attestor.Bundle.Tests/SigstoreBundleVerifierTests.cs`, `SigstoreBundleBuilderTests.cs`, `SigstoreBundleSerializerTests.cs`, `__Tests/StellaOps.Attestor.Bundling.Tests/AttestationBundlerTests.cs`
## E2E Test Plan
- [ ] Build a Sigstore bundle via `SigstoreBundleBuilder` with a signed attestation, inclusion proof, and verification material, then verify it via `SigstoreBundleVerifier`
- [ ] Serialize a `SigstoreBundle` to JSON via `SigstoreBundleSerializer`, deserialize it back, and verify round-trip fidelity
- [ ] Tamper with the inclusion proof in a bundle and verify `SigstoreBundleVerifier` returns a failed `BundleVerificationResult` with error details
- [ ] Use `AttestationBundler` to aggregate 3+ attestations into a single bundle and verify the bundle contains all attestation entries
- [ ] Sign a bundle with `KmsOrgKeySigner` and verify the org-level signature is present in the output
- [ ] Run `AttestorVerificationEngine` against a valid bundle and verify all verification checks pass
- [ ] Run `AttestorVerificationEngine` against a bundle with an invalid signature and verify it reports the specific check that failed
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |