{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stella-ops.org/schemas/authority-production-signing.schema.json", "title": "StellaOps Authority Production Signing Schema", "description": "Schema for production DSSE signing keys, key management, and artifact signing workflows. Unblocks at least two tasks, including AUTH-GAPS-314-004 and REKOR-RECEIPT-GAPS-314-005.", "type": "object", "definitions": { "SigningKey": { "type": "object", "description": "Production signing key configuration", "required": ["key_id", "algorithm", "purpose"], "properties": { "key_id": { "type": "string", "description": "Unique key identifier" }, "algorithm": { "type": "string", "enum": ["ecdsa-p256", "ecdsa-p384", "ed25519", "rsa-2048", "rsa-4096"], "description": "Signing algorithm" }, "purpose": { "type": "string", "enum": ["artifact_signing", "attestation", "timestamp", "code_signing", "sbom_signing"], "description": "Intended use of the key" }, "key_type": { "type": "string", "enum": ["software", "hsm", "kms", "yubikey"], "description": "Storage backend for the key" }, "public_key": { "type": "string", "description": "PEM-encoded public key" }, "public_key_fingerprint": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "SHA-256 fingerprint of the public key, written as sha256: followed by 64 lowercase hex characters" }, "certificate": { "$ref": "#/definitions/SigningCertificate" }, "created_at": { "type": "string", "format": "date-time" }, "expires_at": { "type": "string", "format": "date-time" }, "status": { "type": "string", "enum": ["active", "pending_rotation", "revoked", "expired"], "default": "active" }, "rotation_policy": { "$ref": "#/definitions/KeyRotationPolicy" }, "metadata": { "type": "object", "additionalProperties": true } } }, "SigningCertificate": { "type": "object", "description": "X.509 certificate for the signing key", "properties": { "certificate_pem": { "type": "string", "description": "PEM-encoded certificate" }, "issuer": { "type": "string" }, "subject": { "type": "string" }, "serial_number": { "type": "string" }, 
"not_before": { "type": "string", "format": "date-time" }, "not_after": { "type": "string", "format": "date-time" }, "chain": { "type": "array", "items": { "type": "string" }, "description": "Certificate chain, one PEM-encoded certificate per element" } } }, "KeyRotationPolicy": { "type": "object", "description": "Key rotation policy", "properties": { "rotation_interval_days": { "type": "integer", "minimum": 1, "description": "Days between rotations" }, "overlap_period_days": { "type": "integer", "minimum": 1, "description": "Days after a rotation during which both the outgoing and incoming keys remain valid" }, "auto_rotate": { "type": "boolean", "default": false }, "notify_before_days": { "type": "integer", "description": "Days before key expiry at which to send a notification" } } }, "SigningRequest": { "type": "object", "description": "Request to sign an artifact", "required": ["artifact_type", "artifact_digest"], "properties": { "request_id": { "type": "string", "format": "uuid" }, "artifact_type": { "type": "string", "enum": ["container_image", "sbom", "vex", "attestation", "policy_pack", "evidence_bundle"], "description": "Type of artifact to sign" }, "artifact_digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "SHA-256 digest of the artifact, written as sha256: followed by 64 lowercase hex characters" }, "artifact_uri": { "type": "string", "format": "uri", "description": "Optional URI of the artifact" }, "key_id": { "type": "string", "description": "Key to sign with; when omitted, the registry's default_key_id is used" }, "signature_format": { "type": "string", "enum": ["dsse", "cosign", "gpg", "jws"], "default": "dsse" }, "annotations": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Annotations to include in the signature" }, "transparency_log": { "type": "boolean", "default": true, "description": "Whether to upload the signature to the transparency log (Rekor)" }, "timestamp": { "type": "boolean", "default": true, "description": "Whether to include an RFC 3161 timestamp" } } }, "SigningResponse": { "type": "object", "description": "Signing operation result", "required": ["signature_id", "artifact_digest", "signature"], "properties": { 
"signature_id": { "type": "string", "format": "uuid" }, "artifact_digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }, "signature": { "type": "string", "description": "Base64-encoded signature" }, "signature_format": { "type": "string", "enum": ["dsse", "cosign", "gpg", "jws"] }, "key_id": { "type": "string" }, "signed_at": { "type": "string", "format": "date-time" }, "certificate": { "type": "string", "description": "PEM-encoded signing certificate" }, "chain": { "type": "array", "items": { "type": "string" } }, "transparency_log_entry": { "$ref": "#/definitions/TransparencyLogEntry" }, "timestamp_response": { "type": "string", "description": "Base64-encoded RFC 3161 timestamp response" } } }, "TransparencyLogEntry": { "type": "object", "description": "Rekor transparency log entry", "properties": { "log_id": { "type": "string", "description": "Log instance identifier" }, "log_index": { "type": "integer", "description": "Index of the entry in the log" }, "entry_uuid": { "type": "string", "description": "Entry UUID" }, "integrated_time": { "type": "string", "format": "date-time" }, "inclusion_proof": { "$ref": "#/definitions/InclusionProof" }, "verification_url": { "type": "string", "format": "uri" } } }, "InclusionProof": { "type": "object", "description": "Merkle tree inclusion proof", "properties": { "tree_size": { "type": "integer" }, "root_hash": { "type": "string" }, "hashes": { "type": "array", "items": { "type": "string" } }, "log_index": { "type": "integer" } } }, "VerificationRequest": { "type": "object", "description": "Request to verify a signature", "required": ["artifact_digest", "signature"], "properties": { "artifact_digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }, "signature": { "type": "string", "description": "Base64-encoded signature" }, "certificate": { "type": "string", "description": "Optional expected signing certificate" }, "trusted_roots": { "type": "array", "items": { "type": "string" }, "description": "Trusted root certificates, one PEM-encoded certificate per element" }, "verify_transparency_log": { "type": "boolean", "default": true }, "verify_timestamp": { "type": "boolean", "default": true } } }, "VerificationResponse": { "type": "object", "description": "Signature verification result", "required": ["verified", "artifact_digest"], "properties": { "verified": { "type": "boolean" }, "artifact_digest": { "type": "string" }, "signer": { "type": "string", "description": "Signer identity taken from the signing certificate" }, "signed_at": { "type": "string", "format": "date-time" }, "certificate_chain_valid": { "type": "boolean" }, "transparency_log_valid": { "type": "boolean" }, "timestamp_valid": { "type": "boolean" }, "errors": { "type": "array", "items": { "type": "string" } }, "warnings": { "type": "array", "items": { "type": "string" } } } }, "KeyRegistry": { "type": "object", "description": "Registry of signing keys", "required": ["registry_id", "keys"], "properties": { "registry_id": { "type": "string" }, "version": { "type": "string" }, "updated_at": { "type": "string", "format": "date-time" }, "keys": { "type": "array", "items": { "$ref": "#/definitions/SigningKey" } }, "default_key_id": { "type": "string", "description": "key_id of the key used when a signing request does not specify one" }, "trusted_roots": { "type": "array", "items": { "type": "string" }, "description": "Trusted root certificates, one PEM-encoded certificate per element" }, "rekor_url": { "type": "string", "format": "uri", "default": "https://rekor.sigstore.dev" }, "tsa_url": { "type": "string", "format": "uri", "description": "RFC 3161 timestamp authority URL" } } }, "ProductionSigningConfig": { "type": "object", "description": "Production signing configuration", "required": ["config_id"], "properties": { "config_id": { "type": "string" }, "environment": { "type": "string", "enum": ["development", "staging", "production"] }, "key_registry": { "$ref": "#/definitions/KeyRegistry" }, "signing_policy": { "$ref": "#/definitions/SigningPolicy" }, "audit_config": { "$ref": "#/definitions/AuditConfig" } } }, "SigningPolicy": { "type": 
"object", "description": "Signing policy rules", "properties": { "require_approval": { "type": "boolean", "default": false, "description": "Require approval for production signing" }, "approvers": { "type": "array", "items": { "type": "string" } }, "allowed_artifact_types": { "type": "array", "items": { "type": "string" } }, "require_transparency_log": { "type": "boolean", "default": true }, "require_timestamp": { "type": "boolean", "default": true }, "max_signatures_per_key_per_day": { "type": "integer" } } }, "AuditConfig": { "type": "object", "description": "Audit logging configuration", "properties": { "log_all_requests": { "type": "boolean", "default": true }, "log_verification_failures": { "type": "boolean", "default": true }, "retention_days": { "type": "integer", "default": 365 }, "alert_on_anomaly": { "type": "boolean", "default": true } } } }, "properties": { "config": { "$ref": "#/definitions/ProductionSigningConfig" } }, "examples": [ { "config": { "config_id": "stellaops-prod-signing", "environment": "production", "key_registry": { "registry_id": "stellaops-keys", "version": "2025.10.0", "updated_at": "2025-12-06T10:00:00Z", "keys": [ { "key_id": "stellaops-artifact-signing-2025", "algorithm": "ecdsa-p256", "purpose": "artifact_signing", "key_type": "kms", "public_key_fingerprint": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd", "created_at": "2025-01-01T00:00:00Z", "expires_at": "2026-01-01T00:00:00Z", "status": "active", "rotation_policy": { "rotation_interval_days": 365, "overlap_period_days": 30, "auto_rotate": false, "notify_before_days": 60 } }, { "key_id": "stellaops-attestation-signing-2025", "algorithm": "ecdsa-p256", "purpose": "attestation", "key_type": "kms", "status": "active" } ], "default_key_id": "stellaops-artifact-signing-2025", "rekor_url": "https://rekor.sigstore.dev", "tsa_url": "https://timestamp.digicert.com" }, "signing_policy": { "require_approval": false, "allowed_artifact_types": ["container_image", 
"sbom", "vex", "attestation", "policy_pack", "evidence_bundle"], "require_transparency_log": true, "require_timestamp": true, "max_signatures_per_key_per_day": 10000 }, "audit_config": { "log_all_requests": true, "log_verification_failures": true, "retention_days": 365, "alert_on_anomaly": true } } } ] }