# Zastava Kit (offline bundle)

## Contents

- Schemas + DSSE: `schemas/observer_event.schema.json(.dsse)`, `schemas/webhook_admission.schema.json(.dsse)`.
- Examples: `schemas/examples/*.json` (canonicalised, hashed).
- Thresholds + DSSE: `thresholds.yaml(.dsse)`.
- Exports + DSSE: `exports/observer_events.ndjson(.dsse)`, `exports/webhook_admissions.ndjson(.dsse)`.
- Verification assets: `SHA256SUMS`, `kit/verify.sh`, `kit/ed25519.pub`, `schemas/README.md`, `evidence/README.md`.

## Build (deterministic)

From `docs/modules/zastava`:

```bash
tar --mtime @0 --owner 0 --group 0 --numeric-owner --sort=name \
  -cf - \
  SHA256SUMS schemas exports thresholds.yaml thresholds.yaml.dsse \
  schemas/examples schemas/README.md \
  schemas/observer_event.schema.json schemas/observer_event.schema.json.dsse \
  schemas/webhook_admission.schema.json schemas/webhook_admission.schema.json.dsse \
  exports/observer_events.ndjson exports/observer_events.ndjson.dsse \
  exports/webhook_admissions.ndjson exports/webhook_admissions.ndjson.dsse \
  evidence/README.md kit/README.md kit/verify.sh kit/ed25519.pub \
  | zstd -19 --long=27 --no-progress > kit/zastava-kit.tzst
```

Sign the kit itself with the same Ed25519 key (base64url pub: `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`):

```bash
python - <<'PY'
from pathlib import Path
from base64 import urlsafe_b64encode
import json
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives import serialization

priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
keyid = urlsafe_b64encode(pub).decode().rstrip('=')

pt = 'application/vnd.stellaops.zastava.kit+tzst;version=1'
payload = Path('kit/zastava-kit.tzst').read_bytes()
# DSSE v1 pre-authentication encoding (PAE): the bytes that are actually signed.
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
sig = priv.sign(pae)

env = {
    'payloadType': pt,
    'payload': urlsafe_b64encode(payload).decode().rstrip('='),
    'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
}
Path('kit/zastava-kit.tzst.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
print('wrote kit/zastava-kit.tzst.dsse with keyid', keyid)
PY
```

## Verify

1) Verify the kit DSSE before unpacking (optional but recommended) using the public key shipped alongside the kit (run from `docs/modules/zastava`):

```bash
cd docs/modules/zastava
python - <<'PY'
import base64, json, sys
from pathlib import Path
from cryptography.hazmat.primitives.asymmetric import ed25519

root = Path('.')
pub = base64.urlsafe_b64decode((root / 'kit' / 'ed25519.pub').read_text().strip() + '==')
env = json.loads((root / 'kit' / 'zastava-kit.tzst.dsse').read_text())
payload = (root / 'kit' / 'zastava-kit.tzst').read_bytes()

pt = env['payloadType'].encode()
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt, str(len(payload)).encode(), payload])
sig = base64.urlsafe_b64decode(env['signatures'][0]['sig'] + '==')
ed25519.Ed25519PublicKey.from_public_bytes(pub).verify(sig, pae)

decoded_payload = base64.urlsafe_b64decode(env['payload'] + '==')
assert decoded_payload == payload
print('OK: kit DSSE verified')
PY
```

2) Extract and run offline validation of the inner artefacts:

```bash
zstd -d kit/zastava-kit.tzst -c | tar -xf -
./kit/verify.sh
```

## Notes

- Private signing key is held offline; only the public key is shipped.
- All files are deterministic (mtime=0, numeric owners) to keep hashes stable for Evidence Locker ingestion.