# DSSE/TUF profile for Mirror thin bundles (v1 draft) Applies to `mirror-thin-v1.*` artefacts in `out/mirror/thin/`. ## Keys - Signing algorithm: ed25519 - Key IDs: `mirror-ed25519-test-1` - Storage: keep private key only in sealed CI secret; public key published alongside metadata at `out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pub`. ## DSSE envelope - Payload type: `application/vnd.stellaops.mirror.manifest+json` - Payload: `mirror-thin-v1.manifest.json` - Signature: ed25519 over base64url(payload) - Envelope path: `out/mirror/thin/mirror-thin-v1.manifest.dsse.json` ## TUF metadata layout ``` out/mirror/thin/tuf/ root.json snapshot.json targets.json timestamp.json keys/mirror-ed25519-test-1.pub ``` ### Targets mapping - `mirror-thin-v1.tar.gz` → targets entry with sha256 `210dc49e8d3e25509298770a94da277aa2c9d4c387d3c24505a61fe1d7695a49` - `mirror-thin-v1.manifest.json` → sha256 `0ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504` ### Determinism rules - Sort keys in JSON; indent=2; trailing newline. - `expires` set to `2026-01-01T00:00:00Z` for draft; update during release. - Versions: root=1, targets=1, snapshot=1, timestamp=1 for this draft. - Signatures should be stable; for test draft, placeholders are used until CI signing is wired. ## Status & TODO to productionize - Draft signatures now generated with repo test key (`mirror-ed25519-test-1`) via `scripts/mirror/sign_thin_bundle.py`; replace with CI-held key before release. - CI hook: set `MIRROR_SIGN_KEY_B64` (base64-encoded Ed25519 PEM) and run `scripts/mirror/ci-sign.sh` to build+sign+verify in one step. - Rotate keys via TUF root role once CI secrets land. - Add DSSE signer to assembler pipeline so `make-thin-v1.sh` emits envelope + TUF metadata automatically in CI. ### CI integration sketch (disabled until key is provided) ``` - name: Mirror thin bundle (signed) run: | export MIRROR_SIGN_KEY_B64="${{ secrets.MIRROR_SIGN_KEY_B64 }}" export OCI=1 scripts/mirror/ci-sign.sh if: ${{ secrets.MIRROR_SIGN_KEY_B64 != '' }} ```