# Evidence locker publishing

## Purpose
- Publish deterministic evidence bundles to the Evidence Locker.

## Required inputs
- Evidence locker base URL (no trailing slash).
- Bearer token with write scopes for required prefixes.
- Signing key for final bundle signing (Cosign key or key file).

## Publishing flow
- Build deterministic tar bundles for each producer (signals, runtime, evidence packs).
- Verify bundle hashes and inner SHA256 lists before upload.
- Upload bundles to the Evidence Locker using the configured token.
- Re-sign bundles with production keys when required.

## Deterministic packaging rules
- tar --sort=name
- fixed mtime (UTC 1970-01-01)
- owner and group set to 0
- numeric-owner enabled

## Offline posture
- Transparency log upload may be disabled in sealed mode.
- Trust derives from local keys and recorded hashes.
- Upload scripts must fail on hash mismatch.

## Related references
- security/forensics-and-evidence-locker.md
- provenance/attestation-workflow.md
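
The deterministic packaging rules and the "fail on hash mismatch" requirement above, shown as an added example that is not the project's own upload script. It assumes GNU tar and `sha256sum`, an inner list named `SHA256SUMS`, a pinned `--format=gnu` (not one of the four listed rules), and a placeholder where the real upload call would go.

```shell
#!/bin/sh
# Added example, not the project's upload script. Assumes GNU tar and sha256sum.
set -eu

# Build a tar whose bytes depend only on member names and contents.
build_bundle() {  # usage: build_bundle <src_dir> <out.tar>
  # --format=gnu is an assumption beyond the four listed rules: it stops a
  # pax default from recording atime/ctime in extended headers.
  tar --sort=name --mtime='1970-01-01 00:00:00Z' \
      --owner=0 --group=0 --numeric-owner --format=gnu \
      -cf "$2" -C "$1" .
}

# Hash gate: outer bundle digest first, then the inner SHA256 list.
# The body is a subshell, so variables and cd do not leak to the caller.
verify_bundle() (  # usage: verify_bundle <bundle.tar> <expected_sha256>
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  if [ "$actual" != "$2" ]; then
    echo "bundle hash mismatch: $1" >&2
    exit 1
  fi
  tmp=$(mktemp -d)
  rc=0
  # SHA256SUMS is an assumed name for the inner list.
  tar -xf "$1" -C "$tmp" && (cd "$tmp" && sha256sum -c SHA256SUMS >&2) || rc=1
  rm -rf "$tmp"
  exit "$rc"
)

# Fail closed: nothing is uploaded unless both checks pass.
publish_bundle() {  # usage: publish_bundle <bundle.tar> <expected_sha256>
  if ! verify_bundle "$1" "$2"; then
    echo "refusing to upload $1" >&2
    return 1
  fi
  echo "verified, ready to upload: $1"  # placeholder for the real upload call
}
```

The expected digest passed to `publish_bundle` should come from the recorded hash, not be recomputed from the file being uploaded.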