# StellaOps Signer

Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.

## Latest updates (Sprint 11 · 2025-10-21)

- `/sign/dsse` pipeline landed with Authority OpTok + PoE enforcement, Fulcio/KMS signing modes, and deterministic DSSE bundles ready for Attestor logging.
- `/verify/referrers` endpoint exposes release-integrity checks against scanner OCI referrers so callers can confirm digests before requesting signatures.
- Plan quota enforcement (QPS/concurrency/artifact size) and audit/metrics wiring now align with the Sprint 11 signing-chain release.

## Responsibilities

- Enforce Proof-of-Entitlement and plan quotas before signing artifacts.
- Support keyless (Fulcio) and keyful (KMS/HSM) signing backends.
- Verify scanner release integrity via OCI referrers prior to issuing signatures.
- Emit DSSE payloads consumed by Attestor/Export Center and maintain comprehensive audit trails.

## Key components

- `StellaOps.Signer` service host.
- Crypto providers under `StellaOps.Cryptography.*`.

## Integrations & dependencies

- Authority for OpTok + PoE validation.
- Licensing Service for entitlement introspection.
- OCI registries (Referrers API) for scanner release verification.
- Attestor for transparency logging and Rekor ingestion.
- Export Center and CLI for artifact signing flows.

## API quick reference

- `POST /api/v1/signer/sign/dsse` — validate OpTok/PoE, enforce quotas, return DSSE bundle with signing identity metadata.
- `GET /api/v1/signer/verify/referrers` — report scanner release signer and trust verdict for a supplied image digest.

## Operational notes

- Key management via Authority/DevOps runbooks.
- Metrics for signing latency/throttle states.
- Offline kit integration for signature verification.

## Backlog references

- SIG docs/tasks in ../../TASKS.md (e.g., DOCS-SIG-26-006).
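
The DSSE bundle that `/sign/dsse` returns and that Attestor and Export Center consume is a JSON envelope whose signature covers the DSSE Pre-Authentication Encoding (PAE), not the bare payload. The example below is added here to show that structure end to end; it is not StellaOps.Signer code and does not use the `StellaOps.Cryptography.*` providers. It assumes an Ed25519 key as a stand-in for the service's keyful (KMS/HSM) mode, a constructed fixed seed so the run is deterministic, a constructed key-id convention (hex SHA-256 of the public key), and a constructed in-toto style statement in place of a real SBOM attestation. `Verify` models what a consumer of the bundle should do: rebuild the PAE from the envelope's own `payloadType`, accept only signatures whose key id maps to a trusted key, and reject everything else.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is the DSSE JSON envelope: base64 payload plus signatures, each tagged with a key id.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// pae builds the DSSE Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
// Signing the PAE binds the payload type into the signature, so a signature over one type
// cannot be replayed under another type.
func pae(payloadType string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(body), body))
}

// keyID is a constructed convention for this example (hex SHA-256 of the raw public key).
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign wraps body in a DSSE envelope signed by priv (stand-in for the keyful signing backend).
func Sign(priv ed25519.PrivateKey, payloadType string, body []byte) Envelope {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Signatures:  []Signature{{KeyID: keyID(pub), Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify returns the decoded payload only if at least one signature verifies under a key in
// trusted. Signatures naming unknown key ids are skipped, never trusted.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey) ([]byte, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not valid base64: %w", err)
	}
	msg := pae(env.PayloadType, body) // rebuilt from the envelope's own declared type
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, msg, raw) {
			return body, nil
		}
	}
	return nil, errors.New("no valid signature from a trusted key")
}

// DemoResult records which checks Demo passed.
type DemoResult struct {
	ValidAccepted, TypeTamperRejected, PayloadTamperRejected, UnknownKeyRejected bool
}

// Demo signs a constructed statement and shows which tampering the verifier catches.
// Fixed seeds keep it deterministic; real keys come from a KMS/HSM or Fulcio, never a constant.
func Demo() DemoResult {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	trusted := map[string]ed25519.PublicKey{keyID(pub): pub}
	body := []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://cyclonedx.org/bom"}`)
	env := Sign(priv, "application/vnd.in-toto+json", body)
	var r DemoResult
	got, err := Verify(env, trusted)
	r.ValidAccepted = err == nil && bytes.Equal(got, body)
	retyped := env // same payload and signature, different declared type
	retyped.PayloadType = "text/plain"
	_, err = Verify(retyped, trusted)
	r.TypeTamperRejected = err != nil
	edited := env // one byte appended to the body
	edited.Payload = base64.StdEncoding.EncodeToString([]byte(string(body) + " "))
	_, err = Verify(edited, trusted)
	r.PayloadTamperRejected = err != nil
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x24}, ed25519.SeedSize)) // not in trusted
	_, err = Verify(Sign(other, "application/vnd.in-toto+json", body), trusted)
	r.UnknownKeyRejected = err != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it prints all four checks as `true`: the untouched envelope verifies, while changing only `payloadType`, changing one byte of the payload, or signing with a key outside the trust set all fail. The first of those is the property the PAE buys: a verifier that signed or checked the bare payload would accept the retyped envelope.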
## Epic alignment

- **Epic 10 – Export Center:** provide signing pipelines, cosign interoperability, and provenance manifests for bundle promotion.
- **Epic 19 – Attestor Console:** supply DSSE payloads and Proof-of-Entitlement enforcement feeding attestation workflows described in `docs/modules/attestor/`.