save checkpoint

This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions

@@ -0,0 +1,30 @@
# Provenance Bundle Export and Independent Verification
## Module
EvidenceLocker
## Status
IMPLEMENTED
## Description
Provenance attestation with build models, signers, and verification is implemented. EvidenceLocker supports tar.gz bundle export with Merkle tree integrity.
## Implementation Details
- **Modules**: `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`
- **Key Classes**:
- `TarGzBundleExporter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/TarGzBundleExporter.cs`) - exports provenance bundles as tar.gz with Merkle tree
- `MerkleTreeBuilder` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/MerkleTreeBuilder.cs`) - builds Merkle tree for bundle integrity verification
- `VerifyScriptGenerator` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/VerifyScriptGenerator.cs`) - generates verification scripts for independent verification
- `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - signs provenance bundles with DSSE
- `EvidencePortableBundleService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidencePortableBundleService.cs`) - creates portable provenance bundles
- `BundleManifest` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs`) - manifest with provenance attestation references
- **Interfaces**: `IEvidenceBundleExporter`, `IEvidenceSignatureService`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Export a provenance bundle via `TarGzBundleExporter` and verify it contains SLSA provenance attestation and Merkle tree
- [ ] Verify `MerkleTreeBuilder` computes correct Merkle root matching all bundle items
- [ ] Verify `VerifyScriptGenerator` creates scripts that independently verify provenance signatures and Merkle root
- [ ] Verify `EvidenceSignatureService` signs the provenance bundle and the signature is independently verifiable
- [ ] Verify the exported bundle can be verified by a third party using only the bundle contents and public key
- [ ] Verify `EvidencePortableBundleService` creates a self-contained portable bundle for air-gapped environments
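
Review bot: the E2E Test Plan contains only positive checks. None of its six items requires verification to fail when a bundle item is modified after export or when the signature is checked against a different public key, so a verifier that never rejects anything would still pass this plan. Add negative cases next to "Verify the exported bundle can be verified by a third party using only the bundle contents and public key". Under Implementation Details, the entries for `MerkleTreeBuilder` and `EvidenceSignatureService` do not state the hash function and leaf ordering used for the tree, or whether the DSSE signature covers the Merkle root or the `BundleManifest`. A third party writing an independent verifier needs both documented here. Also, Status reads IMPLEMENTED while Source is "Feature matrix scan" and every test-plan box is unchecked; suggest marking the status as unverified until the plan has been run.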