stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docs/features/checked/attestor/per-layer-dsse-attestations.md Normal file
View File

@@ -0,0 +1,40 @@
# Per-Layer DSSE Attestations
## Module
Attestor
## Status
VERIFIED
## Description
Layer-specific DSSE attestations with batch signing for efficiency, generating individual attestations per container image layer linked to layer-specific SBOM subjects.
## Implementation Details
- **DSSE Envelope Signing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` (with `.Verification`) -- signs per-layer attestations into DSSE envelopes. Supports batch signing for multi-layer images.
- **DSSE Envelope**: `Signing/DsseEnvelope.cs` -- envelope model with payload, payloadType, and signatures array.
- **DSSE Signature**: `Signing/DsseSignature.cs` -- individual signature within an envelope.
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds in-toto statements with layer-specific subjects (layer digest as subject).
- **Proof Subject**: `Builders/ProofSubject.cs` -- subject model with name (layer digest) and digest map.
- **Attestation Bundler**: `__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs` -- bundles per-layer attestations into a single container-level bundle.
- **OCI Attachment**: `__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs` -- attaches per-layer attestations to container image digests via OCI Referrers API.
- **Signing Key Profile**: `Signing/SigningKeyProfile.cs` -- key profile used for signing (supports per-layer key selection).
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/DsseSigningTests.cs`
## E2E Test Plan
- [ ] Create per-layer in-toto statements for a 3-layer container image with layer digests as subjects and sign each via `ProofChainSigner`
- [ ] Verify each per-layer DSSE envelope has the correct layer digest in the subject
- [ ] Batch-sign all 3 layer attestations and verify all envelopes are produced efficiently
- [ ] Bundle per-layer attestations into a container-level bundle via `AttestationBundler` and verify the bundle references all layers
- [ ] Attach per-layer attestations to the container image via `OrasAttestationAttacher` and verify they are discoverable as referrers
- [ ] Verify each per-layer attestation signature independently via `ProofChainSigner.Verification`
- [ ] Create a per-layer attestation linking to a layer-specific SBOM and verify the SBOM subject reference
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |