# Signals DSSE Evidence Staging (runtime/signals gaps)

Artifacts prepared 2025-12-05 (UTC) for DSSE signing and Evidence Locker ingest:

| Artifact | Path | Predicate |
|----------|------|-----------|
| Decay config | `docs/modules/signals/decay/confidence_decay_config.yaml` | `stella.ops/confidenceDecayConfig@v1` |
| Unknowns manifest | `docs/modules/signals/unknowns/unknowns_scoring_manifest.json` | `stella.ops/unknownsScoringManifest@v1` |
| Heuristics catalog | `docs/modules/signals/heuristics/heuristics.catalog.json` | `stella.ops/heuristicCatalog@v1` |
| Checksums | `docs/modules/signals/SHA256SUMS` | — |

## CI Automated Signing

- `.gitea/workflows/signals-dsse-sign.yml`: DSSE signing of decay/unknowns/heuristics on push or manual dispatch.
- `.gitea/workflows/signals-reachability.yml`: reachability smoke (SIGNALS-24-004/005), DSSE signing, and optional Evidence Locker upload.
- `.gitea/workflows/signals-evidence-locker.yml`: production re-sign + deterministic tar upload; defaults to `evidence-locker/signals/2025-12-05`.

### Prerequisites (CI Secrets or Repo Vars)

| Secret/Var | Description |
|--------|-------------|
| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key (required for production) |
| `COSIGN_PASSWORD` | Password for the encrypted key (if applicable) |
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker push |
| `EVIDENCE_LOCKER_URL` | Base URL for locker PUT (e.g., `https://locker.example.com`) |

### Trigger

- **Automatic**: Push to `main` affecting `docs/modules/signals/**`, `tools/cosign/sign-signals.sh`, or Signals sources (reachability workflow).
- **Manual**: Workflow dispatch with `allow_dev_key=1` for testing; `out_dir` input defaults to `evidence-locker/signals/2025-12-05`.

### Output

Signed artifacts are uploaded as workflow artifacts and, when the secrets/vars are present, pushed to the Evidence Locker. The evidence tar SHA256 is emitted in the job logs.
## Development Signing (Local Testing)

A development key pair is available for smoke tests. Recent dev bundles live under `docs/modules/signals/dev-smoke/2025-12-04/` and `docs/modules/signals/dev-smoke/2025-12-05/`.

```bash
# Sign with dev key
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
OUT_DIR=docs/modules/signals/dev-smoke/2025-12-05 \
tools/cosign/sign-signals.sh

# Verify signature
cosign verify-blob \
  --key tools/cosign/cosign.dev.pub \
  --bundle docs/modules/signals/dev-smoke/2025-12-05/confidence_decay_config.sigstore.json \
  docs/modules/signals/decay/confidence_decay_config.yaml
```

**Note**: Dev key signatures are NOT suitable for Evidence Locker or production use; tlog upload is disabled.

## Production Signing (Manual)

For production signing without CI:

```bash
# Option 1: Place key file
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh

# Option 2: Use base64 env var
export COSIGN_PRIVATE_KEY_B64=$(base64 -w0 < production.key)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh
```

## Evidence Locker Paths

After signing, artifacts are placed at:

- `evidence-locker/signals/2025-12-05/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-05/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-05/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-05/SHA256SUMS`

Deterministic tarball (dev-key signing 2025-12-05) for locker push/testing:

```
evidence-locker/signals/2025-12-05/signals-evidence.tar
sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d
```

Verification helper:

```
./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]
```

Local locker upload (once credentials are available):

```bash
export EVIDENCE_LOCKER_URL=""
export CI_EVIDENCE_LOCKER_TOKEN=""
./tools/signals-upload-evidence.sh

# or to push both Signals and Zastava in one go
./tools/upload-all-evidence.sh
```

CI upload path:

- Workflow: `.gitea/workflows/signals-evidence-locker.yml`
- Secrets required: `CI_EVIDENCE_LOCKER_TOKEN`, `EVIDENCE_LOCKER_URL`
- Artifact name: `signals-evidence-2025-12-05`
- Retention input (optional): `retention_target` (default 180 days)

## Post-Signing Checklist

1. Verify signatures against the public key
2. Update sprint tracker (SPRINT_0140) Delivery Tracker rows 5–7
3. Add signer ID to Execution Log
4. Copy to offline kit bundle for air-gap parity

## Notes

- All timestamps use UTC ISO-8601 format
- Signatures disable tlog upload (`--tlog-upload=false`) for offline compatibility
- See `tools/cosign/README.md` for detailed key management and CI setup
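Two content checks that complement checklist step 1 before a locker push, as an added Python example that is not part of this repo's tooling: it decodes a DSSE envelope (assumed to be the `dsseEnvelope` member of a `.sigstore.json` bundle as `cosign attest-blob` emits it), confirms the in-toto statement binds the predicate type from the table above to the on-disk sha256 of the artifact, and cross-checks `SHA256SUMS`. It does not verify the signature itself; `cosign verify-blob-attestation` does that against the public key, and `dsse_pae` shows the DSSE v1 pre-authentication encoding that the signature actually covers. `make_sample_envelope` builds a constructed, unsigned sample so the checks run offline.

```python
import base64
import hashlib
import json

IN_TOTO = "application/vnd.in-toto+json"
# Artifact -> predicate type, copied from the staging table above.
EXPECTED_PREDICATES = {
    "confidence_decay_config.yaml": "stella.ops/confidenceDecayConfig@v1",
    "unknowns_scoring_manifest.json": "stella.ops/unknownsScoringManifest@v1",
    "heuristics.catalog.json": "stella.ops/heuristicCatalog@v1",
}


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the exact bytes a signer signs."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def check_envelope(envelope: dict, artifact_name: str, artifact_bytes: bytes) -> bool:
    """Statement names this artifact with the expected predicate and on-disk sha256 (no sig check)."""
    if envelope.get("payloadType") != IN_TOTO:
        return False
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != EXPECTED_PREDICATES.get(artifact_name):
        return False
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return any(s.get("name") == artifact_name and s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", []))


def check_sha256sums(sums_text: str, files: dict) -> list:
    """Names from a SHA256SUMS file whose digest does not match (or whose file is absent)."""
    bad = []
    for line in sums_text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)
        name = name.lstrip("*")  # strip sha256sum's binary-mode marker
        data = files.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest.lower():
            bad.append(name)
    return bad


def make_sample_envelope(artifact_name: str, artifact_bytes: bytes) -> dict:
    """Constructed, unsigned sample envelope shaped like an attest-blob DSSE envelope."""
    statement = {"_type": "https://in-toto.io/Statement/v1", "predicate": {},
                 "predicateType": EXPECTED_PREDICATES[artifact_name],
                 "subject": [{"name": artifact_name,
                              "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}]}
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": IN_TOTO, "payload": base64.b64encode(payload).decode(), "signatures": []}
```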