# Attestation workflow

## Purpose

- Ensure all exported evidence includes DSSE signatures and transparency proofs.
- Provide deterministic verification for online and air-gapped environments.

## Workflow overview

- Producer emits a payload and requests signing.
- Signer validates policy and signs with tenant or keyless credentials.
- Attestor wraps the payload in DSSE, records transparency data, and publishes bundles.
- Export Center and Evidence Locker embed bundles in export artifacts.
- Verifiers (CLI, services, auditors) validate signatures and proofs.

## Payload types

- StellaOps.BuildProvenance@1
- StellaOps.SBOMAttestation@1
- StellaOps.ScanResults@1
- StellaOps.PolicyEvaluation@1
- StellaOps.VEXAttestation@1
- StellaOps.RiskProfileEvidence@1
- StellaOps.PromotionAttestation@1

## Signing and storage controls

- Default is short-lived keyless signing; tenant KMS keys are supported.
- Ed25519 and ECDSA P-256 are supported.
- Payloads must exclude PII and secrets; redaction is required before signing.
- Evidence Locker stores immutable copies with retention and legal hold.

## Verification steps

- Verify the DSSE signature against trusted roots.
- Confirm the subject digest matches the expected artifact.
- Verify the transparency proof when available.
- Enforce freshness using the `attestation.max_age_days` policy.
- Record verification results in timeline events.

## Offline posture

- Bundles include DSSE, transparency proofs, and certificate chains.
- Offline verification uses embedded proofs and cached trust roots.
- Pending transparency entries are replayed when connectivity returns.

## Related references

- provenance/inline-provenance.md
- security/forensics-and-evidence-locker.md
- docs/modules/attestor/architecture.md
- docs/modules/signer/architecture.md
- docs/modules/export-center/architecture.md
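The signing and verification steps above, worked end to end as an added example. This is illustrative code written for this page, not the StellaOps Signer, Attestor or CLI implementation. It assumes the DSSE payload is an in-toto Statement v1 carrying one of the listed payload types as its `predicateType`, that the freshness timestamp lives in an assumed predicate field named `generatedAt`, and that the verifier's trust roots are a locally cached map from DSSE `keyid` to Ed25519 public key (the offline case). Transparency-proof verification (step three) is not modelled; everything else in the verification list is, with the signature checked before the payload is parsed so that untrusted bytes are never interpreted first.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Standard DSSE payload type for in-toto statements (assumed to be what the bundles carry).
const PayloadType = "application/vnd.in-toto+json"

// Envelope is the DSSE envelope: base64 payload plus one or more signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Statement is the in-toto Statement v1 shape used as the payload.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// pae is the DSSE pre-authentication encoding: the signature covers the
// payload type and payload together, so neither can be swapped in isolation.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// SHA256Hex returns the lowercase hex digest used in the subject's "sha256" entry.
func SHA256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// MakeStatement builds a statement binding one artifact to a predicate.
// "generatedAt" is an assumed field name carrying the freshness timestamp.
func MakeStatement(artifact []byte, name, predicateType string, generatedAt time.Time) ([]byte, error) {
	pred, err := json.Marshal(map[string]interface{}{
		"generatedAt": generatedAt.UTC().Format(time.RFC3339),
		"findings":    []string{}, // constructed, empty scan result
	})
	if err != nil {
		return nil, err
	}
	return json.Marshal(Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": SHA256Hex(artifact)}}},
		PredicateType: predicateType,
		Predicate:     pred,
	})
}

// Sign wraps payload in a DSSE envelope with one Ed25519 signature over the PAE.
func Sign(priv ed25519.PrivateKey, keyID string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, pae(PayloadType, payload))
	return Envelope{
		PayloadType: PayloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// VerifyOptions: cached trust roots keyed by keyid, the digest of the artifact
// actually in hand, and the window derived from attestation.max_age_days.
type VerifyOptions struct {
	TrustedKeys    map[string]ed25519.PublicKey
	ExpectedSHA256 string
	MaxAge         time.Duration
	Now            time.Time
}

// Verify checks signature, subject digest and freshness, in that order.
func Verify(env Envelope, opts VerifyOptions) (*Statement, error) {
	if env.PayloadType != PayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not base64: %w", err)
	}
	msg := pae(env.PayloadType, payload)

	// Unknown keyids are skipped, never trusted; one valid trusted signature suffices.
	trusted := false
	for _, s := range env.Signatures {
		pub, ok := opts.TrustedKeys[s.KeyID]
		if !ok {
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, msg, sig) {
			trusted = true
			break
		}
	}
	if !trusted {
		return nil, errors.New("no valid signature from a trusted key")
	}

	// Parse only after the signature has passed.
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("payload is not an in-toto statement: %w", err)
	}

	// Bind the attestation to the artifact we hold, not just to "some" subject.
	bound := false
	for _, subj := range st.Subject {
		if subj.Digest["sha256"] == opts.ExpectedSHA256 {
			bound = true
		}
	}
	if !bound {
		return nil, errors.New("subject digest does not match the artifact")
	}

	// Freshness: reject missing, future-dated or stale attestations.
	var pred struct {
		GeneratedAt time.Time `json:"generatedAt"`
	}
	if err := json.Unmarshal(st.Predicate, &pred); err != nil || pred.GeneratedAt.IsZero() {
		return nil, errors.New("predicate has no usable generatedAt timestamp")
	}
	age := opts.Now.Sub(pred.GeneratedAt)
	if age < 0 {
		return nil, errors.New("attestation is dated in the future")
	}
	if age > opts.MaxAge {
		return nil, fmt.Errorf("attestation is %s old, exceeds max age %s", age, opts.MaxAge)
	}
	return &st, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed artifact bytes") // stands in for a real image or SBOM
	now := time.Now()
	payload, _ := MakeStatement(artifact, "app.tar", "StellaOps.ScanResults@1", now.Add(-24*time.Hour))
	env := Sign(priv, "tenant-key-1", payload)

	opts := VerifyOptions{
		TrustedKeys:    map[string]ed25519.PublicKey{"tenant-key-1": pub},
		ExpectedSHA256: SHA256Hex(artifact),
		MaxAge:         7 * 24 * time.Hour, // attestation.max_age_days = 7
		Now:            now,
	}
	_, err := Verify(env, opts)
	fmt.Println("genuine envelope:", err)

	// Swapping the payload under an existing signature breaks the PAE check.
	other, _ := MakeStatement([]byte("other artifact"), "app.tar", "StellaOps.ScanResults@1", now)
	tampered := env
	tampered.Payload = base64.StdEncoding.EncodeToString(other)
	_, err = Verify(tampered, opts)
	fmt.Println("tampered envelope:", err)
}
```

Two design points worth noting. The verifier keys trust on `keyid` into a cached root set rather than on anything inside the envelope, which is what lets the same code run offline against cached trust roots; and the subject check compares against the digest of the artifact the verifier computed itself, so an envelope that is perfectly valid for a different artifact is still rejected.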