# Signals DSSE Evidence Staging (runtime/signals gaps)

Artifacts prepared 2025-12-01 (UTC) for DSSE signing and Evidence Locker ingest:

| Artifact | Path | Predicate |
|----------|------|-----------|
| Decay config | `docs/modules/signals/decay/confidence_decay_config.yaml` | `stella.ops/confidenceDecayConfig@v1` |
| Unknowns manifest | `docs/modules/signals/unknowns/unknowns_scoring_manifest.json` | `stella.ops/unknownsScoringManifest@v1` |
| Heuristics catalog | `docs/modules/signals/heuristics/heuristics.catalog.json` | `stella.ops/heuristicCatalog@v1` |
| Checksums | `docs/modules/signals/SHA256SUMS` | — |

## CI Automated Signing

The `.gitea/workflows/signals-dsse-sign.yml` workflow automates DSSE signing.

### Prerequisites (CI Secrets)

| Secret | Description |
|--------|-------------|
| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key (required for production) |
| `COSIGN_PASSWORD` | Password for the encrypted key (if applicable) |
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for the Evidence Locker push (optional) |

### Trigger

- **Automatic**: Push to `main` affecting `docs/modules/signals/**` or `tools/cosign/sign-signals.sh`
- **Manual**: Workflow dispatch with `allow_dev_key=1` for testing

### Output

Signed artifacts are uploaded as the workflow artifact `signals-dsse-signed-{run}` and optionally pushed to the Evidence Locker.

## Development Signing (Local Testing)

A development key pair is available for smoke tests:

```bash
# Sign with dev key
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
  OUT_DIR=docs/modules/signals/dev-test \
  tools/cosign/sign-signals.sh

# Verify signature
cosign verify-blob \
  --key tools/cosign/cosign.dev.pub \
  --bundle docs/modules/signals/dev-test/confidence_decay_config.sigstore.json \
  docs/modules/signals/decay/confidence_decay_config.yaml
```

**Note**: Dev key signatures are NOT suitable for Evidence Locker or production use.
## Production Signing (Manual)

For production signing without CI:

```bash
# Option 1: Place key file
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh

# Option 2: Use base64 env var
export COSIGN_PRIVATE_KEY_B64=$(cat production.key | base64 -w0)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh
```

## Evidence Locker Paths

Post-signing, artifacts go to:

- `evidence-locker/signals/2025-12-01/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-01/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-01/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-01/SHA256SUMS`

## Post-Signing Checklist

1. Verify signatures against public key
2. Update sprint tracker (SPRINT_0140) Delivery Tracker rows 5–7
3. Add signer ID to Execution Log
4. Copy to offline kit bundle for air-gap parity

## Notes

- All timestamps use UTC ISO-8601 format
- Signatures disable tlog upload (`--tlog-upload=false`) for offline compatibility
- See `tools/cosign/README.md` for detailed key management and CI setup
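As an added consistency check for the staged output (not part of this doc or of `sign-signals.sh`), the script below confirms that each artifact, its `SHA256SUMS` entry and the digest recorded in its `.sigstore.json` bundle all agree, and that the bundle carries no tlog entries, as `--tlog-upload=false` requires. It assumes the cosign `sign-blob` bundle layout (`messageSignature.messageDigest` holds a base64 SHA-256) and uses a constructed artifact and bundle with a placeholder signature; it does not replace `cosign verify-blob`, which still performs the actual signature check.

```python
# Added example, not from the staging doc or sign-signals.sh. Assumes the cosign
# sign-blob bundle layout; signature verification itself stays with cosign verify-blob.
import base64
import hashlib
import json

def parse_sha256sums(text):
    """Parse sha256sum output ('<hex>  <path>' per line) into {path: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        sums[path.lstrip("*")] = digest.lower()  # leading '*' marks binary mode
    return sums

def bundle_digest(bundle_json):
    """Return the hex SHA-256 the bundle claims to sign over."""
    md = json.loads(bundle_json)["messageSignature"]["messageDigest"]
    if md.get("algorithm") != "SHA2_256":
        raise ValueError(f"unexpected digest algorithm: {md.get('algorithm')}")
    return base64.b64decode(md["digest"]).hex()

def check_staged(artifact, path, sums_text, bundle_json):
    """Return findings; an empty list means artifact, SHA256SUMS and bundle agree."""
    findings = []
    actual = hashlib.sha256(artifact).hexdigest()
    expected = parse_sha256sums(sums_text).get(path)
    if expected is None:
        findings.append(f"{path}: missing from SHA256SUMS")
    elif expected != actual:
        findings.append(f"{path}: SHA256SUMS mismatch")
    if bundle_digest(bundle_json) != actual:
        findings.append(f"{path}: bundle digest does not match artifact")
    if json.loads(bundle_json).get("verificationMaterial", {}).get("tlogEntries"):
        findings.append(f"{path}: tlog entries present (expected --tlog-upload=false)")
    return findings

# Constructed sample data: a fake artifact, its SHA256SUMS line, and a bundle
# built around its digest with a placeholder rather than a real signature.
ARTIFACT = b"decay:\n  half_life_days: 30\n"
ARTIFACT_PATH = "decay/confidence_decay_config.yaml"
_DIGEST = hashlib.sha256(ARTIFACT).digest()
SUMS = f"{_DIGEST.hex()}  {ARTIFACT_PATH}\n"
BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
    "verificationMaterial": {"publicKey": {"hint": "constructed"}, "tlogEntries": []},
    "messageSignature": {
        "messageDigest": {"algorithm": "SHA2_256", "digest": base64.b64encode(_DIGEST).decode()},
        "signature": base64.b64encode(b"placeholder-not-a-real-signature").decode()}})
```

Run `check_staged` over every artifact listed in the staging table before step 1 of the checklist; any non-empty result means the bundle and checksum file were not produced from the same bytes.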