save checkpoint
@@ -0,0 +1,41 @@
# Signature Required Policy Gate (SignatureRequiredGate)

## Module
Policy

## Status
IMPLEMENTED

## Description
Policy gate requiring valid cryptographic signatures on release artifacts before promotion, with configurable signing key allowlists, certificate chain validation, and Rekor inclusion proof requirements.

## Implementation Details
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
- Evidence Completeness gate (first in pipeline) verifies signature presence
- Signature requirements configurable per environment
- Gate result types: Pass (valid signature), Block (missing/invalid signature)
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs`
- `RequireIssuerVerified` per-environment: production=true, staging=true, development=false
- Issuer signature verification as part of VEX trust evaluation
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
- Per-environment signing requirements (RequireIssuerVerified flag)
- FailureAction: Warn or Block when signature verification fails
- **EvidenceRequirementValidator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
- DSSE signature verification for evidence attestations
- Validates signed evidence meets trust requirements
- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs`
- DSSE-signed verdict attestations with certificate chain
- **KnowledgeSnapshotManifest**: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs`
- TrustBundleRef (BundleId, Digest, Uri) for trust anchor set
- Signature field on manifest for optional DSSE signing

## E2E Test Plan
- [ ] Evaluate artifact with valid signature from allowed key; verify gate passes
- [ ] Evaluate artifact without signature; verify gate blocks with "missing signature" message
- [ ] Evaluate artifact with signature from key not in allowlist; verify gate blocks
- [ ] Configure environment requiring issuer verification; provide unverified issuer; verify gate blocks
- [ ] Configure environment not requiring issuer verification (development); provide unsigned VEX; verify gate passes
- [ ] Evaluate artifact with expired certificate; verify gate blocks with certificate validation error
- [ ] Verify DSSE envelope structure on verdict attestation includes valid signature
- [ ] Verify TrustBundleRef in KnowledgeSnapshotManifest references correct trust anchor set
- [ ] Verify EvidenceRequirementValidator validates DSSE signature on evidence attestation
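Review bot: the Description line promises "Rekor inclusion proof requirements" and "configurable signing key allowlists", but nothing under Implementation Details names the component or file that verifies a Rekor inclusion proof or where the key allowlist is configured, and the E2E Test Plan has no case for a signature that lacks an inclusion proof. Either add the responsible component and path to Implementation Details, with a matching test item such as `- [ ] Evaluate artifact whose signature has no Rekor inclusion proof; verify gate blocks`, or narrow the Description to what PolicyGateEvaluator, VexTrustGate and EvidenceRequirementValidator are listed as enforcing (signature presence, issuer verification, DSSE verification). Separately, Status reads IMPLEMENTED while all nine E2E Test Plan items are unchecked; consider a status value that distinguishes "code landed" from "verified end to end" so the gate is not read as fully validated before the negative cases (missing signature, key outside allowlist, expired certificate) have been run.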