---
checkId: check.compliance.attestation-signing
plugin: stellaops.doctor.compliance
severity: fail
tags: [compliance, attestation, signing, crypto]
---

# Attestation Signing Health

## What It Checks

Monitors attestation signing capability by querying the Attestor service at `/api/v1/signing/status`. The check validates:

- **Key availability**: whether a signing key is loaded and accessible (via `keyAvailable` in the response).
- **Key expiration**: if the key has an `expiresAt` timestamp, the check fails when the key is already expired, warns when expiry is within 30 days, and passes otherwise.
- **Signing activity**: reports the key type and the number of signatures produced in the last 24 hours.

The check only runs when `Attestor:Url` or `Services:Attestor:Url` is configured. It uses a 10-second HTTP timeout.

| Condition | Result |
|---|---|
| Attestor unreachable or HTTP error | Fail |
| Key not available | Fail |
| Key expired | Fail |
| Key expires within 30 days | Warn |
| Key available and not expiring soon | Pass |

## Why It Matters

Attestation signing is the foundation of Stella Ops' evidence chain. Without a working signing key, the system cannot create attestations for releases, SBOM scans, or policy decisions. This breaks the entire compliance audit trail and makes releases unverifiable.

Key expiration without timely rotation causes the same downstream impact as a missing key, but with no advance warning unless monitored.
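The decision table above, as an added Python example that is not the doctor plugin's own code: it fetches the status endpoint with the check's 10-second timeout, gates on either configured URL key, and maps a response to Pass/Warn/Fail. The field names `keyAvailable` and `expiresAt` come from this page; `keyType` and `signaturesLast24h` are assumed names for the activity fields, and the sample responses are constructed fixtures.

```python
"""Added example, not the Stella Ops doctor plugin's own code: reproduces the
attestation-signing decision table against constructed status responses.
Field names `keyAvailable` and `expiresAt` come from the page; `keyType` and
`signaturesLast24h` are assumed names for the activity fields."""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EXPIRY_WARN_WINDOW = timedelta(days=30)   # warn when expiry is within 30 days
HTTP_TIMEOUT_SECONDS = 10                  # the check's HTTP timeout
STATUS_PATH = "/api/v1/signing/status"


@dataclass(frozen=True)
class CheckResult:
    status: str  # "pass" | "warn" | "fail"
    reason: str


def resolve_attestor_url(config: dict) -> Optional[str]:
    """The check is gated on either config key being present (flattened key form)."""
    return config.get("Attestor:Url") or config.get("Services:Attestor:Url")


def fetch_signing_status(attestor_url: str) -> tuple[Optional[dict], Optional[str]]:
    """Query the status endpoint; (body, None) on success, (None, error) on any failure."""
    url = attestor_url.rstrip("/") + STATUS_PATH
    try:
        with urllib.request.urlopen(url, timeout=HTTP_TIMEOUT_SECONDS) as resp:
            return json.loads(resp.read().decode("utf-8")), None
    except (urllib.error.URLError, OSError, ValueError) as exc:
        return None, str(exc)


def parse_expires_at(value: Optional[str]) -> Optional[datetime]:
    """ISO-8601 timestamp -> aware datetime; a missing value means 'no expiry'."""
    if not value:
        return None
    if value.endswith("Z"):              # accept 'Z' on Python versions before 3.11
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def evaluate_signing_status(body: Optional[dict], now: datetime,
                            error: Optional[str] = None) -> CheckResult:
    """Apply the check's decision table to one status response."""
    if error is not None or body is None:
        return CheckResult("fail", f"Attestor unreachable or HTTP error: {error or 'empty response'}")
    if not body.get("keyAvailable", False):
        return CheckResult("fail", "no signing key is loaded or accessible")
    activity = (f"keyType={body.get('keyType', 'unknown')}, "
                f"signaturesLast24h={body.get('signaturesLast24h', 'n/a')}")
    expires_at = parse_expires_at(body.get("expiresAt"))
    if expires_at is None:
        return CheckResult("pass", f"signing key available, no expiry set ({activity})")
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return CheckResult("fail", f"signing key expired at {expires_at.isoformat()} ({activity})")
    if remaining <= EXPIRY_WARN_WINDOW:
        return CheckResult("warn", f"signing key expires in {remaining.days} days ({activity})")
    return CheckResult("pass", f"signing key valid for {remaining.days} more days ({activity})")


# Constructed fixtures: a fixed "now" and one response per row of the decision table.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSES = {
    "unreachable": (None, "connection refused"),
    "key_missing": ({"keyAvailable": False}, None),
    "key_expired": ({"keyAvailable": True, "keyType": "ecdsa-p256",
                     "expiresAt": "2024-12-31T23:59:59Z", "signaturesLast24h": 0}, None),
    "expiring_soon": ({"keyAvailable": True, "keyType": "ecdsa-p256",
                       "expiresAt": "2025-01-20T00:00:00Z", "signaturesLast24h": 42}, None),
    "healthy": ({"keyAvailable": True, "keyType": "ecdsa-p256",
                 "expiresAt": "2025-06-01T00:00:00Z", "signaturesLast24h": 42}, None),
    "no_expiry": ({"keyAvailable": True, "keyType": "hsm-rsa-3072", "signaturesLast24h": 7}, None),
}


def run_samples(now: datetime = SAMPLE_NOW) -> dict[str, str]:
    """Evaluate every fixture; returns {name: status}."""
    return {name: evaluate_signing_status(body, now, error).status
            for name, (body, error) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, (body, error) in SAMPLE_RESPONSES.items():
        result = evaluate_signing_status(body, SAMPLE_NOW, error)
        print(f"{name:14s} {result.status:4s} {result.reason}")
```

The boundary is inclusive: a key expiring exactly 30 days from now is reported as Warn, matching the "within 30 days" wording, and a key with no `expiresAt` at all passes rather than warns, so an HSM-backed key that never reports an expiry does not trip the check on its own.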
## Common Causes

- HSM/KMS connectivity issue preventing key access
- Key rotation in progress (brief window of unavailability)
- Key expired or revoked without replacement
- Permission denied on the key management backend
- Attestor service unavailable or misconfigured endpoint URL

## How to Fix

### Docker Compose

Verify the Attestor service is running and the URL is correct:

```bash
# Check attestor container health
docker compose ps attestor

# Verify signing key status
docker compose exec attestor stella attestor key status

# If key is expired, rotate it
docker compose exec attestor stella attestor key rotate

# Ensure the URL is correct in your .env or compose override
# Attestor__Url=http://attestor:5082
```

### Bare Metal / systemd

Check the Attestor service and key configuration:

```bash
# Check service status
sudo systemctl status stellaops-attestor

# Verify key status
stella attestor key status

# Test HSM/KMS connectivity
stella attestor hsm test

# Rotate an expired key
stella attestor key rotate

# If using appsettings.json, verify Attestor:Url is correct
jq '.Attestor' /etc/stellaops/appsettings.json
```

### Kubernetes / Helm

```bash
# Check attestor pod status
kubectl get pods -l app=stellaops-attestor

# Check signing key status
kubectl exec deploy/stellaops-attestor -- stella attestor key status

# Verify HSM/KMS connectivity from the pod
kubectl exec deploy/stellaops-attestor -- stella attestor hsm test

# Schedule key rotation via Helm values
helm upgrade stellaops ./charts/stellaops \
  --set attestor.keyRotation.enabled=true \
  --set attestor.keyRotation.scheduleBeforeExpiryDays=30
```

## Verification

```bash
stella doctor run --check check.compliance.attestation-signing
```

## Related Checks

- `check.compliance.evidence-rate` — monitors evidence generation success rate, which depends on signing
- `check.compliance.provenance-completeness` — verifies provenance records exist for releases (requires working signing)
- `check.compliance.evidence-integrity` — verifies signatures on stored evidence
- `check.crypto.hsm` — validates HSM/PKCS#11 module availability used by the signing key