save checkpoint
38
docs/features/checked/attestor/oci-attestation-attachment.md
Normal file
@@ -0,0 +1,38 @@
# OCI Attestation Attachment (Referrers API, ORAS, Cosign Compatible)
## Module
Attestor
## Status
VERIFIED
## Description
OCI Distribution Spec 1.1 compliant attestation attacher using ORAS with referrers API support. Attaches verdict attestations, delta verdicts, evidence bundles, and SBOMs to container image digests. Supports cosign compatibility, attach/fetch/list operations, and OCI registry client for discovery.
## Implementation Details
- **ORAS Attestation Attacher**: `src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs` -- attaches DSSE-signed attestations to OCI image digests using ORAS and the OCI Referrers API. Implements `IOciAttestationAttacher.cs`.
- **OCI Registry Client**: `Services/IOciRegistryClient.cs` -- abstraction for OCI registry operations (push, pull, list referrers, discover).
- **SBOM OCI Publisher**: `Services/SbomOciPublisher.cs` -- publishes SBOMs as OCI artifacts attached to image digests. Implements `ISbomOciPublisher.cs`.
- **Trust Verdict OCI Attacher**: `__Libraries/StellaOps.Attestor.TrustVerdict/` -- attaches trust verdict attestations to OCI images as referrer artifacts.
- **Delta Verdict Predicates**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs` -- delta verdict predicate model for OCI attachment.
- **DSSE Envelope**: `__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseEnvelope.cs` -- envelope format for OCI-attached attestations.
- **Tests**: `__Tests/StellaOps.Attestor.Oci.Tests/`
## E2E Test Plan
- [ ] Attach a DSSE-signed verdict attestation to an OCI image digest via `OrasAttestationAttacher` and verify it appears in the referrers list
- [ ] Publish an SBOM via `SbomOciPublisher` as an OCI artifact and verify it is discoverable via the Referrers API
- [ ] List all attestation referrers for an image digest and verify correct artifact types are returned
- [ ] Fetch a previously attached attestation by digest and verify the DSSE envelope is intact
- [ ] Attach multiple attestation types (verdict, delta verdict, evidence bundle, SBOM) to the same image and verify all are listed
- [ ] Verify cosign compatibility: attach an attestation and verify it can be discovered using cosign-style media types
- [ ] Verify `IOciRegistryClient` handles authentication and registry errors gracefully
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
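Review bot: The Status section says VERIFIED and the Verification table reports Tier 2 - Behavioral Verification as PASS, yet every item in the E2E Test Plan is still an unchecked `- [ ]`; either tick the items that the `run-001` run actually executed or note which ones are still pending, otherwise the document contradicts itself. Two smaller points in the same hunk: the Implementation Details paths mix a rooted form (`src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs`) with bare relative forms (`Services/IOciRegistryClient.cs`, `__Libraries/StellaOps.Attestor.TrustVerdict/`), so readers cannot tell which root the relative ones hang off, and "Implements `IOciAttestationAttacher.cs`" names an interface with a file extension; consider giving each entry a path relative to one stated root and naming the interface as `IOciAttestationAttacher`. The cosign compatibility item ("discovered using cosign-style media types") should state what compatibility means in testable terms, for example which media types and artifact types are expected on the referrer descriptor, and since the description claims OCI Distribution Spec 1.1 compliance the plan would benefit from a negative case where the registry does not implement the Referrers API and the client must fall back as the spec prescribes; "handles authentication and registry errors gracefully" likewise needs concrete expectations (which error surfaces to the caller, and that credentials do not appear in error output).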