# Runbook: Attestor - Attestation Verification Failures

> **Sprint:** SPRINT_20260117_029_DOCS_runbook_coverage
> **Task:** RUN-005 - Attestor Runbooks

## Metadata

| Field | Value |
|-------|-------|
| **Component** | Attestor |
| **Severity** | High |
| **On-call scope** | Platform team, Security team |
| **Last updated** | 2026-01-17 |
| **Doctor check** | `check.attestor.verification-health` |

---

## Symptoms

- [ ] Attestation verification failing
- [ ] Alert `AttestorVerificationFailed` firing
- [ ] Error: "signature verification failed" or "invalid attestation"
- [ ] Promotions blocked due to failed verification
- [ ] Error: "trust anchor not found" or "certificate chain invalid"

---

## Impact

| Impact Type | Description |
|-------------|-------------|
| **User-facing** | Artifacts cannot be promoted; release blocked |
| **Data integrity** | May indicate a tampered attestation or a configuration issue |
| **SLA impact** | Release pipeline blocked until resolved |

---

## Diagnosis

### Quick checks

1. **Check Doctor diagnostics:**
   ```bash
   stella doctor --check check.attestor.verification-health
   ```
2. **Verify the specific attestation:**
   ```bash
   stella verify attestation --attestation --verbose
   ```
3. **Check trust anchors:**
   ```bash
   stella trust-anchors list
   ```

### Deep diagnosis

1. **Check attestation details:**
   ```bash
   stella attest show --details
   ```
   Look for: signer identity, timestamp, subject
2. **Verify certificate chain:**
   ```bash
   stella verify cert-chain --attestation
   ```
   Problem if: intermediate cert missing, root not trusted
3. **Check public key availability:**
   ```bash
   stella keys show --public
   ```
4. **Check if issuer is trusted:**
   ```bash
   stella issuer trust-status
   ```

---

## Resolution

### Immediate mitigation

1. **If trust anchor missing, add it:**
   ```bash
   stella trust-anchors add --cert
   ```
2. **If intermediate cert missing:**
   ```bash
   stella trust-anchors add-intermediate --cert
   ```
3. **Re-verify with verbose output:**
   ```bash
   stella verify attestation --attestation --verbose
   ```

### Root cause fix

**If signature mismatch:**

1. Check that the attestation wasn't modified:
   ```bash
   stella attest integrity-check
   ```
2. If modified, regenerate the attestation:
   ```bash
   stella attest create --subject --type --force
   ```

**If key rotated and old key not trusted:**

1. Add the old public key to trust anchors:
   ```bash
   stella trust-anchors add-key --key --expires
   ```
2. Or fetch it from the issuer directory:
   ```bash
   stella issuer keys fetch
   ```

**If certificate expired:**

1. Check certificate validity:
   ```bash
   stella verify cert --attestation --show-expiry
   ```
2. Re-sign with a valid certificate:
   ```bash
   stella attest resign
   ```

**If issuer not trusted:**

1. Verify issuer identity:
   ```bash
   stella issuer show
   ```
2. Add to trusted issuers (requires approval):
   ```bash
   stella issuer trust --reason "Approved by security team"
   ```

**If algorithm not supported:**

1. Check the algorithm:
   ```bash
   stella attest show | grep algorithm
   ```
2. Verify the crypto provider supports the algorithm:
   ```bash
   stella crypto providers list --algorithms
   ```

### Verification

```bash
# Verify attestation
stella verify attestation --attestation

# Verify trust chain
stella verify cert-chain --attestation

# Test end-to-end verification
stella verify artifact --digest

# Check no verification errors
stella attest logs --filter "verification" --level error --last 30m
```

---

## Prevention

- [ ] **Trust anchors:** Keep the trust anchor list current with all valid issuer certs
- [ ] **Key rotation:** Plan key rotation with an overlap period for verification continuity
- [ ] **Monitoring:** Alert on verification failure rate > 0
- [ ] **Testing:** Include verification tests in the release pipeline

---

## Related Resources

- **Architecture:** `docs/modules/attestor/verification.md`
- **Related runbooks:** `attestor-signing-failed.md`, `attestor-key-expired.md`
- **Trust management:** `docs/operations/trust-anchors.md`