# Attestor Offline Verification Guide

> **Audience:** Attestor operators, AirGap owners, CI/Release engineers
>
> **Purpose:** Explain how to verify attestations and timestamp evidence in fully offline environments.

## 1. Offline Inputs

Offline verification expects all evidence to be bundled locally:

- DSSE envelopes + certificate chains.
- Rekor inclusion proofs + a pinned checkpoint.
- RFC3161 timestamp evidence with bundled TSA chain and revocation data:
  - `tsa/chain/` (PEM certificates, leaf -> root)
  - `tsa/ocsp/` (stapled OCSP responses)
  - `tsa/crl/` (CRL snapshots when OCSP is unavailable)

## 2. Bundle Layout Expectations

Minimum paths for timestamp verification:

- `manifest.json` with `timestamps[]` entries.
- `tsa/chain/*.pem` for each RFC3161 timestamp.
- `tsa/ocsp/*.der` or `tsa/crl/*.crl` (revocation evidence).

## 3. CLI Workflow (Offline)

Use the bundle verification flow aligned to domain operations:

```bash
stella bundle verify --bundle /path/to/bundle --offline --trust-root /path/to/tsa-root.pem --rekor-checkpoint /path/to/checkpoint.json
```

Notes:
- Offline mode fails closed when revocation evidence is missing or invalid.
- Trust roots must be provided locally; no network fetches are allowed.

## 4. Verification Behavior

- TSA chain is validated against the provided trust roots.
- Revocation evidence is verified using bundled OCSP/CRL data.
- Rekor proofs are verified against the pinned checkpoint when provided.

## 5. References

- `docs/modules/attestor/guides/timestamp-policy.md`
- `docs/modules/attestor/airgap.md`
- `docs/modules/airgap/guides/staleness-and-time.md`