# Promotion attestations

## Purpose

- Capture promotion-time evidence in a DSSE predicate for offline audit.

## Predicate: stella.ops/promotion@v1

- subject: image name and digest.
- materials: SBOM and VEX digests with format and OCI uri.
- promotion: from, to, actor, timestamp, pipeline, ticket, notes.
- rekor: uuid, logIndex, inclusionProof, checkpoint.
- attestation: bundle_sha256 and optional witness.

## Producer workflow

1. Resolve and freeze image digest.
2. Hash SBOM and VEX artifacts and publish to OCI if needed.
3. Obtain Rekor inclusion proof and checkpoint.
4. Build promotion predicate JSON.
5. Sign with Signer to produce DSSE bundle.
6. Store bundle in Evidence Locker and Export Center.

## Verification flow

- Verify DSSE signature using trusted roots.
- Verify Merkle inclusion using the embedded proof and checkpoint.
- Hash SBOM and VEX artifacts and compare to materials digests.
- Confirm promotion metadata and ticket evidence.

## Storage and APIs

- Signer: /api/v1/signer/sign/dsse
- Attestor: /api/v1/rekor/entries
- Export Center: serves promotion bundles for offline kits
- Evidence Locker: long-term retention of DSSE and proofs

## Security considerations

- Promotion metadata is tenant scoped.
- Rekor proofs must be embedded for air-gap verification.
- Key rotation follows Signer and Authority policies.

## Related references

- release/release-engineering.md
- provenance/attestation-workflow.md
- security/forensics-and-evidence-locker.md
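The producer workflow (steps 2 to 5) and the verification flow above, carried through end to end as an added example; this is not the project's own code. It builds a `stella.ops/promotion@v1` predicate, wraps it in a DSSE envelope and then verifies the envelope offline: signature against a trusted-root map, Merkle inclusion against the embedded proof and checkpoint, materials digests against locally hashed SBOM and VEX bytes, and the presence of ticket evidence. Assumptions: an HMAC stands in for the Signer service's asymmetric signature; the log uses RFC 6962 hashing (as Rekor does) and the sample log is a complete four-entry tree; the logged entry is modelled as the frozen image digest; the `kind`/`format`/`uri` field names under `materials`, the `checkpoint` shape, and every key, digest, URI and ticket value are constructed sample data.

```python
# Added example, not the project's code. HMAC stands in for the Signer's real signature;
# the four-entry log, keys, digests, URIs and ticket values are all constructed samples.
import base64
import hashlib
import hmac
import json

PREDICATE_TYPE = "stella.ops/promotion@v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
SIGNER_KEY = b"constructed-demo-key"          # constructed; never a real signing key
TRUSTED_ROOTS = {"signer-2024": SIGNER_KEY}   # stands in for the verifier's trusted roots
SBOM = b'{"bomFormat":"CycloneDX","components":[]}'                 # constructed artifact
VEX = b'{"@context":"https://openvex.dev/ns/v0.2.0","statements":[]}'  # constructed artifact
IMAGE_NAME, IMAGE_DIGEST = "registry.example/app", "sha256:" + "ab" * 32

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# RFC 6962 hashing: leaves and interior nodes are domain separated by a prefix byte.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(leaves):
    """Return (root, levels) for a complete tree; stands in for the log itself."""
    level = [leaf_hash(leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return level[0], levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root: the inclusionProof hashes a log hands back."""
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify_inclusion(leaf_data, index, tree_size, proof, root) -> bool:
    """Recompute the root from the leaf along the sibling path and compare it with the
    checkpoint root. Complete trees only; a production verifier implements full RFC 6962."""
    if index >= tree_size or len(proof) != (tree_size - 1).bit_length():
        return False
    h = leaf_hash(leaf_data)
    for sibling in proof:
        h = node_hash(h, sibling) if index % 2 == 0 else node_hash(sibling, h)
        index //= 2
    return hmac.compare_digest(h, root)

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)

def sign_dsse(statement: dict, key: bytes, keyid: str) -> dict:
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify_dsse(envelope: dict, trusted: dict):
    """Return the decoded statement if a signature verifies under a trusted key, else None."""
    payload = base64.b64decode(envelope["payload"])
    for s in envelope["signatures"]:
        key = trusted.get(s["keyid"])
        if key is None:
            continue
        expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return json.loads(payload)
    return None

def produce_bundle() -> dict:
    """Producer steps 2-5. The logged entry is modelled as the frozen image digest
    (assumption); its inclusion proof and checkpoint are embedded for air-gap use."""
    root, levels = build_tree([b"entry-0", b"entry-1", IMAGE_DIGEST.encode(), b"entry-3"])
    rekor = {"uuid": "constructed-uuid", "logIndex": 2,
             "inclusionProof": {"hashes": [h.hex() for h in inclusion_proof(levels, 2)]},
             "checkpoint": {"treeSize": 4, "rootHash": root.hex()}}
    materials = [{"kind": kind, "format": fmt, "digest": "sha256:" + sha256_hex(blob),
                  "uri": "oci://registry.example/app/%s@sha256:%s" % (kind, sha256_hex(blob))}
                 for kind, fmt, blob in (("sbom", "cyclonedx", SBOM), ("vex", "openvex", VEX))]
    predicate = {"subject": {"name": IMAGE_NAME, "digest": IMAGE_DIGEST},
                 "materials": materials,
                 "promotion": {"from": "staging", "to": "prod", "actor": "release-bot",
                               "timestamp": "2024-01-01T00:00:00Z", "pipeline": "release-42",
                               "ticket": "CHG-1234", "notes": "constructed sample"},
                 "rekor": rekor,
                 "attestation": {"bundle_sha256": sha256_hex(b"prior-provenance-bundle")}}
    statement = {"_type": "https://in-toto.io/Statement/v1",
                 "subject": [{"name": IMAGE_NAME, "digest": {"sha256": IMAGE_DIGEST[7:]}}],
                 "predicateType": PREDICATE_TYPE, "predicate": predicate}
    return sign_dsse(statement, SIGNER_KEY, "signer-2024")

def verify_bundle(envelope: dict, sbom: bytes, vex: bytes, trusted=TRUSTED_ROOTS) -> dict:
    """Offline verification flow: signature, Merkle inclusion, materials digests, metadata."""
    statement = verify_dsse(envelope, trusted)
    if statement is None or statement.get("predicateType") != PREDICATE_TYPE:
        return {"signature": False}
    p, rk = statement["predicate"], statement["predicate"]["rekor"]
    inclusion = verify_inclusion(p["subject"]["digest"].encode(), rk["logIndex"],
                                 rk["checkpoint"]["treeSize"],
                                 [bytes.fromhex(h) for h in rk["inclusionProof"]["hashes"]],
                                 bytes.fromhex(rk["checkpoint"]["rootHash"]))
    local = {"sbom": "sha256:" + sha256_hex(sbom), "vex": "sha256:" + sha256_hex(vex)}
    materials = all(m["digest"] == local.get(m["kind"]) for m in p["materials"])
    promo = p["promotion"]
    metadata = bool(promo.get("ticket")) and promo.get("from") != promo.get("to")
    return {"signature": True, "inclusion": inclusion, "materials": materials, "metadata": metadata}

if __name__ == "__main__":
    print(json.dumps(verify_bundle(produce_bundle(), SBOM, VEX)))
```

Running the module prints all four checks as true for the constructed bundle; hashing an SBOM that differs by a single byte flips `materials` to false, and an envelope signed under a key absent from the trusted roots stops at the signature step, which is the order an offline kit should fail in: trust first, log inclusion second, content last.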