# Secrets Directory

This directory contains sample/development secrets for local development and testing.

**DO NOT** use these secrets in production environments.

## Available Keys

### DSSE Development Signing Key

**File:** `dsse-dev.signing.json`

A development-only HMAC-SHA256 signing key for DSSE (Dead Simple Signing Envelope) signatures. It is used to sign offline kit manifests and schema catalogs during development.

**Key Details:**

- **Key ID:** `notify-dev-hmac-001`
- **Algorithm:** HMAC-SHA256
- **Secret:** Base64 of `development-signing-key-for-testing-only`

**Usage:**

```bash
# Sign a DSSE file with the development key
python scripts/notifications/sign-dsse.py

# Or specify the key explicitly
python scripts/notifications/sign-dsse.py --key etc/secrets/dsse-dev.signing.json
```

### CI/Production Signing

For CI and production environments, use:

- **COSIGN_KEY_REF** - Reference to the cosign key for image/artifact signing
- **HSM-backed keys** - For production DSSE signing via the Security team

CI workflows should never use the development key. The `secrets.COSIGN_KEY_REF` value is injected via CI secrets management.

## Security Notes

1. **Never commit production secrets** - This directory is for development samples only
2. **Rotate keys regularly** - Development keys should be rotated when team members leave
3. **Use HSM for production** - Production signing must use HSM-backed keys
4. **Audit key usage** - All signing operations should be logged with keyId and timestamp

## Related Files

- `scripts/notifications/sign-dsse.py` - DSSE signing utility
- `src/ExportCenter/.../HmacDevPortalOfflineManifestSigner.cs` - Reference .NET implementation
- `docs/notifications/gaps-nr1-nr10.md` - NR9 offline kit with DSSE requirements
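The following is an added, stand-alone illustration of how the development HMAC-SHA256 key described above signs and verifies a DSSE envelope; it is not `sign-dsse.py` or the .NET signer from this repository. The JSON field names of the key file (`keyId`, `algorithm`, `secret`) and the `payloadType` string are assumptions, and the manifest is constructed sample input.

```python
import base64
import hashlib
import hmac
import json

# Constructed development key mirroring the README values. The field layout
# (keyId/algorithm/secret) is an assumption, not the real dsse-dev.signing.json.
DEV_KEY = {
    "keyId": "notify-dev-hmac-001",
    "algorithm": "HMAC-SHA256",
    "secret": base64.b64encode(b"development-signing-key-for-testing-only").decode(),
}

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding (DSSEv1). Signing the PAE rather than the
    raw payload binds the payload type, so a signature over one type of document
    cannot be replayed as a different type."""
    type_bytes = payload_type.encode("utf-8")
    return b" ".join([
        b"DSSEv1",
        str(len(type_bytes)).encode(), type_bytes,
        str(len(payload)).encode(), payload,
    ])

def sign_envelope(key: dict, payload_type: str, payload: bytes) -> dict:
    """Build a DSSE envelope with one HMAC-SHA256 signature from the given key."""
    secret = base64.b64decode(key["secret"])
    sig = hmac.new(secret, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": key["keyId"], "sig": base64.b64encode(sig).decode()}],
    }

def verify_envelope(key: dict, envelope: dict) -> bool:
    """Recompute the HMAC over the PAE and compare in constant time; only a
    signature entry whose keyid matches our key is considered."""
    secret = base64.b64decode(key["secret"])
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(secret, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    return any(
        entry["keyid"] == key["keyId"]
        and hmac.compare_digest(base64.b64decode(entry["sig"]), expected)
        for entry in envelope["signatures"]
    )

if __name__ == "__main__":
    # Constructed sample manifest; the payloadType below is a placeholder.
    manifest = json.dumps({"kit": "offline-kit", "version": "0.0.0-dev"}, sort_keys=True).encode()
    env = sign_envelope(DEV_KEY, "application/vnd.example.offline-kit-manifest+json", manifest)
    print(json.dumps(env, indent=2), verify_envelope(DEV_KEY, env))
```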