---
checkId: check.verification.signature
plugin: stellaops.doctor.verification
severity: fail
tags: [verification, signatures, dsse, rekor]
---

# Signature Verification

## What It Checks

Requires the verification plugin plus a test artifact. In offline mode it looks for DSSE-style signature material in the bundle. In online mode it checks `Sigstore:Enabled` and verifies the Rekor log endpoint is reachable. The check reports info when Sigstore is disabled, and fails when the offline bundle is missing or Rekor cannot be reached.

## Why It Matters

Signature verification is the minimum control that proves the artifact under review was signed by the expected supply-chain path.

## Common Causes

- `Sigstore__Enabled` is false
- Rekor URL is unreachable from the Doctor workload
- Offline bundles were exported without signatures

## How to Fix

### Docker Compose

```yaml
services:
  doctor-web:
    environment:
      Sigstore__Enabled: "true"
      Sigstore__RekorUrl: https://rekor.sigstore.dev
```

```bash
docker compose -f devops/compose/docker-compose.stella-ops.yml exec doctor-web curl -fsS https://rekor.sigstore.dev/api/v1/log
```

For offline verification:

```bash
stella verification bundle export --include-signatures --output /var/lib/stella/verification/offline-bundle.json
```

### Bare Metal / systemd

Ensure the Doctor host trusts the CA chain used by the Rekor endpoint or use the approved internal Rekor deployment.

### Kubernetes / Helm

Prefer an internal Rekor service URL in disconnected or regulated clusters.

## Verification

```bash
stella doctor --check check.verification.signature
```

## Related Checks

- `check.attestation.rekor.connectivity` - validates the transparency log path more directly
- `check.verification.artifact.pull` - signature checks need a reachable artifact reference
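The decision rules described under "What It Checks" (offline: DSSE material must be present in the bundle; online: `Sigstore__Enabled` must be true and the Rekor endpoint reachable), as an added Python example that is not the Doctor plugin's own code. It assumes the bundle is arbitrary JSON in which DSSE envelopes are recognised by shape rather than by a fixed key, that configuration is a flat dict of `Sigstore__*` keys, and that reachability is supplied by a caller-provided probe so the example runs offline.

```python
import base64
import binascii
import json
from typing import Any, Iterator

# Constructed sample bundle (not a real export): one DSSE envelope nested under an artifact entry.
SAMPLE_BUNDLE = json.dumps({"artifacts": [{"ref": "registry.example/app@sha256:0000", "attestation": {
    "payloadType": "application/vnd.in-toto+json", "payload": base64.b64encode(b'{"_type":"x"}').decode(),
    "signatures": [{"keyid": "sample-key", "sig": base64.b64encode(b"fake-sig").decode()}]}}]})

def _is_b64(value: Any) -> bool:  # DSSE carries payload and sig as non-empty base64 strings
    try:
        return isinstance(value, str) and base64.b64decode(value, validate=True) != b""
    except (binascii.Error, ValueError):
        return False

def is_dsse_envelope(obj: Any) -> bool:
    """Shape test for a DSSE envelope: payloadType, base64 payload, >=1 signature with base64 sig."""
    if not isinstance(obj, dict):
        return False
    sigs = obj.get("signatures")
    return (isinstance(obj.get("payloadType"), str) and _is_b64(obj.get("payload"))
            and isinstance(sigs, list) and bool(sigs)
            and all(isinstance(s, dict) and _is_b64(s.get("sig")) for s in sigs))

def iter_envelopes(node: Any) -> Iterator[dict]:
    """Walk any JSON tree and yield every DSSE-shaped object, wherever the bundle nests it (assumed layout)."""
    if is_dsse_envelope(node):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from iter_envelopes(v)
    elif isinstance(node, list):
        for v in node:
            yield from iter_envelopes(v)

def evaluate(config, offline, bundle_json=None, rekor_reachable=None):
    """Return (status, message); status is "pass", "info" or "fail", matching how the check reports."""
    if offline:
        if bundle_json is None:
            return "fail", "offline bundle missing"
        n = sum(1 for _ in iter_envelopes(json.loads(bundle_json)))
        return ("pass", f"{n} DSSE envelope(s) in bundle") if n else ("fail", "no DSSE signature material in bundle")
    if str(config.get("Sigstore__Enabled", "false")).lower() != "true":
        return "info", "Sigstore disabled"
    url = config.get("Sigstore__RekorUrl", "")
    if not (url and rekor_reachable and rekor_reachable(url)):  # probe is injected by the caller
        return "fail", f"Rekor log endpoint unreachable: {url or '<unset>'}"
    return "pass", f"Rekor reachable at {url}"
```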