up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
sdk-generator-smoke / sdk-smoke (push) Has been cancelled
SDK Publish & Sign / sdk-publish (push) Has been cancelled
api-governance / spectral-lint (push) Has been cancelled
oas-ci / oas-validate (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
sdk-generator-smoke / sdk-smoke (push) Has been cancelled
SDK Publish & Sign / sdk-publish (push) Has been cancelled
api-governance / spectral-lint (push) Has been cancelled
oas-ci / oas-validate (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
This commit is contained in:
StellaOps Bot
@@ -1,22 +1,32 @@
|
||||
# StellaOps Signer
|
||||
|
||||
# StellaOps Signer
|
||||
|
||||
Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.
|
||||
|
||||
## Latest updates (Sprint 11 · 2025-10-21)
|
||||
## Latest updates (Sprint 0186/0401 · 2025-11-26)
|
||||
- **CryptoDsseSigner** implemented with ICryptoProviderRegistry integration (SIGN-CORE-186-004), enabling keyless + KMS signing modes with cosign-compatible DSSE output.
|
||||
- **SignerStatementBuilder** refactored to support StellaOps predicate types (`stella.ops/promotion@v1`, `stella.ops/sbom@v1`, `stella.ops/vex@v1`, etc.) with CanonicalJson canonicalization (SIGN-CORE-186-005).
|
||||
- **PredicateTypes catalog** extended with `stella.ops/vexDecision@v1` and `stella.ops/graph@v1` for reachability evidence chain (SIGN-VEX-401-018).
|
||||
- **Helper methods** added: `IsVexRelatedType`, `IsReachabilityRelatedType`, `GetAllowedPredicateTypes`, `IsAllowedPredicateType` for predicate type validation.
|
||||
- **Integration tests** upgraded with real crypto abstraction, fixture predicates (promotion, SBOM, VEX, replay, policy, evidence, graph), and deterministic test data (SIGN-TEST-186-006). All 102 Signer tests passing.
|
||||
|
||||
## Previous updates (Sprint 11 · 2025-10-21)
|
||||
- `/sign/dsse` pipeline landed with Authority OpTok + PoE enforcement, Fulcio/KMS signing modes, and deterministic DSSE bundles ready for Attestor logging.
|
||||
- `/verify/referrers` endpoint exposes release-integrity checks against scanner OCI referrers so callers can confirm digests before requesting signatures.
|
||||
- Plan quota enforcement (QPS/concurrency/artifact size) and audit/metrics wiring now align with the Sprint 11 signing-chain release.
|
||||
|
||||
|
||||
## Responsibilities
|
||||
- Enforce Proof-of-Entitlement and plan quotas before signing artifacts.
|
||||
- Support keyless (Fulcio) and keyful (KMS/HSM) signing backends.
|
||||
- Verify scanner release integrity via OCI referrers prior to issuing signatures.
|
||||
- Emit DSSE payloads consumed by Attestor/Export Center and maintain comprehensive audit trails.
|
||||
|
||||
## Key components
|
||||
- `StellaOps.Signer` service host.
|
||||
- Crypto providers under `StellaOps.Cryptography.*`.
|
||||
|
||||
|
||||
## Key components
|
||||
- `StellaOps.Signer` service host with `SignerPipeline` orchestrating the signing flow.
|
||||
- `CryptoDsseSigner` for ES256 signature generation via `ICryptoProviderRegistry`.
|
||||
- `SignerStatementBuilder` for in-toto statement creation with `PredicateTypes` catalog.
|
||||
- `DefaultSigningKeyResolver` for tenant-aware key resolution (keyless/KMS modes).
|
||||
- Crypto providers under `StellaOps.Cryptography.*`.
|
||||
|
||||
## Integrations & dependencies
|
||||
- Authority for OpTok + PoE validation.
|
||||
- Licensing Service for entitlement introspection.
|
||||
@@ -27,15 +37,17 @@ Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSS
|
||||
## API quick reference
|
||||
- `POST /api/v1/signer/sign/dsse` — validate OpTok/PoE, enforce quotas, return DSSE bundle with signing identity metadata.
|
||||
- `GET /api/v1/signer/verify/referrers` — report scanner release signer and trust verdict for a supplied image digest.
|
||||
|
||||
## Operational notes
|
||||
- Key management via Authority/DevOps runbooks.
|
||||
- Metrics for signing latency/throttle states.
|
||||
- Offline kit integration for signature verification.
|
||||
|
||||
## Backlog references
|
||||
- SIG docs/tasks in ../../TASKS.md (e.g., DOCS-SIG-26-006).
|
||||
|
||||
## Epic alignment
|
||||
- **Epic 10 – Export Center:** provide signing pipelines, cosign interoperability, and provenance manifests for bundle promotion.
|
||||
- **Epic 19 – Attestor Console:** supply DSSE payloads and Proof-of-Entitlement enforcement feeding attestation workflows described in `docs/modules/attestor/`.
|
||||
|
||||
## Operational notes
|
||||
- Key management via Authority/DevOps runbooks.
|
||||
- Metrics for signing latency/throttle states.
|
||||
- Offline kit integration for signature verification.
|
||||
|
||||
## Backlog references
|
||||
- Sprint 0186: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (SIGN-CORE-186-004, SIGN-CORE-186-005, SIGN-TEST-186-006 DONE; SIGN-REPLAY-186-003 blocked on upstream).
|
||||
- Sprint 0401: `docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md` (SIGN-VEX-401-018 DONE; AUTH-REACH-401-005 TODO).
|
||||
- SIG docs/tasks in ../../TASKS.md (e.g., DOCS-SIG-26-006).
|
||||
|
||||
## Epic alignment
|
||||
- **Epic 10 – Export Center:** provide signing pipelines, cosign interoperability, and provenance manifests for bundle promotion.
|
||||
- **Epic 19 – Attestor Console:** supply DSSE payloads and Proof-of-Entitlement enforcement feeding attestation workflows described in `docs/modules/attestor/`.
|
||||
|
||||
Reference in New Issue
Block a user