# Trust and Signing (DOCS-AIRGAP-58-002)

Guidance on DSSE/TUF roots, rotation, and signed time tokens.

## Trust roots

- Maintain offline root keys for DSSE/TUF; store them in an HSM or sealed vault.
- Distribute intermediate/leaf keys via bootstrap packs together with their fingerprints.
- Keep trust roots versioned; record `rootVersion` and the validity period of each root.

## DSSE

- Use DSSE for bundle manifests (mirror/bootstrap) and evidence timelines whenever possible.
- Verification in sealed mode uses the bundled roots; no online Rekor lookup is needed.
- Rotate signing keys with overlapping validity; publish the new root in the next bundle.

## TUF (planned enhancement)

- **Current**: TUF metadata can be shipped with bundles (`root.json`, `snapshot.json`, `timestamp.json`).
- **Planned**: Full TUF client integration for dynamic trust metadata distribution.
  - See: `SPRINT_20260125_001_Attestor_tuf_trust_foundation.md`
  - See: `SPRINT_20260125_002_Attestor_trust_automation.md`
- In sealed mode, trust only the bundled metadata; no remote refresh.

## Signed time tokens

- Export signed time anchors (see `docs/modules/airgap/guides/staleness-and-time.md`):
  - Token fields: `issuedAt`, `notAfter`, `timeSource`, `signature`, `rootVersion`.
  - Validate offline against the trust roots; expire strictly at `notAfter`.

## Rotation procedure

1. Prepare new root and leaf keys; sign the new root with the current root.
2. Include the new `root.json` and fingerprints in the next mirror/bootstrap bundle.
3. During import, verify both the current and the new root; switch the default only after verification succeeds.
4. Re-sign manifests/time tokens with the new leaf key.

## Security notes

- Never fetch keys online in sealed mode.
- Keep an audit log of rotations (who, when, `rootVersion`, fingerprints).
- Enforce least privilege for signing service accounts.