save checkpoint
42
docs/features/checked/attestor/release-evidence-pack.md
Normal file
@@ -0,0 +1,42 @@
|
||||
# Release Evidence Pack (Audit Pack)
|
||||
|
||||
## Module
|
||||
Attestor
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Portable, verifiable audit bundles with manifest (digests of every included file), SBOM inputs, VEX docs, policy bundles, exceptions, findings, verdict, and explanation. Supports offline verification and tamper detection.
|
||||
|
||||
## Implementation Details
|
||||
- **Release Evidence Pack Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- builds complete release evidence packs containing all attestation artifacts.
|
||||
- **Release Evidence Pack Manifest**: `Models/ReleaseEvidencePackManifest.cs` -- manifest listing all included files with their SHA-256 digests for tamper detection.
|
||||
- **Release Evidence Pack Serializer**: `ReleaseEvidencePackSerializer.cs` -- serializes evidence packs to a portable format (ZIP/tar with manifest).
|
||||
- **Verification Replay Log**: `Models/VerificationReplayLog.cs` -- log of verification steps for replay and audit.
|
||||
- **Verification Replay Log Builder**: `Services/VerificationReplayLogBuilder.cs` -- builds verification replay logs from pipeline execution.
|
||||
- **Replay Log Serializer Context**: `Services/ReplayLogSerializerContext.cs` -- serializer context for replay logs.
|
||||
- **Templates**: `Templates/VERIFY.md.template`, `verify-unix.template`, `verify.ps1.template` -- verification instruction templates included in the pack for offline verification.
|
||||
- **Attestation Bundler**: `__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs` -- bundles individual attestations into the evidence pack.
|
||||
- **Sigstore Bundle Verifier**: `__Libraries/StellaOps.Attestor.Bundle/SigstoreBundleVerifier.cs` -- verifies Sigstore bundles within the evidence pack.
|
||||
- **Tests**: `__Tests/StellaOps.Attestor.EvidencePack.Tests/`
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Build a release evidence pack via `ReleaseEvidencePackBuilder` with SBOM, VEX, policy bundle, findings, and verdict; verify all artifacts are included
|
||||
- [ ] Verify the `ReleaseEvidencePackManifest` lists all files with correct SHA-256 digests
|
||||
- [ ] Serialize the evidence pack via `ReleaseEvidencePackSerializer` and verify the output is a portable archive
|
||||
- [ ] Tamper with one file in the archive and verify manifest digest verification detects the tampering
|
||||
- [ ] Build a `VerificationReplayLog` and verify it captures all verification steps in order
|
||||
- [ ] Verify the evidence pack includes verification instruction templates (VERIFY.md, verify-unix, verify.ps1) for offline verification
|
||||
- [ ] Import a previously exported evidence pack and verify all attestation signatures are valid
|
||||
- [ ] Verify `SigstoreBundleVerifier` validates Sigstore bundles within the evidence pack
|
||||
|
||||
## Verification
|
||||
|
||||
| Check | Result |
|
||||
|-------|--------|
|
||||
| Tier 0 - Source Verification | PASS |
|
||||
| Tier 1 - Build + Code Review | PASS |
|
||||
| Tier 2 - Behavioral Verification | PASS |
|
||||
| Verified Date | 2026-02-13 |
|
||||
| Run ID | run-001 |
|
||||
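Review bot: The E2E Test Plan leaves all eight items unchecked (`- [ ]`) while the Status section says VERIFIED and the Verification table records `Tier 2 - Behavioral Verification` as PASS; either tick the items that run-001 covered or state what the Tier 2 pass was based on, so the two sections agree. The tamper item only covers changing one file in the archive. Because the manifest is what holds the SHA-256 digests, add an item that alters a file and its manifest entry together, and say in the Description what protects the manifest itself (for example a signature or attestation over it); as written, the doc does not show how a consistent rewrite of both would be detected. The Implementation Details paths also mix one full path (`src/Attestor/__Libraries/...`) with bare relative ones (`Models/...`, `__Libraries/...`); give the base directory once or use full paths throughout.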