# Trust Root Management (Trust Anchor System)

## Module

Signer

## Status

VERIFIED

## Description

Trust anchor management system with PURL-based pattern matching for artifact-to-anchor resolution, temporal key validity enforcement, key rotation with history tracking, and signature authorization combining key validity with predicate type checks.

Note: This is a custom trust anchor management system, not a TUF (The Update Framework) protocol client. The original feature title referenced TUF, but the implementation provides equivalent trust root management functionality through a custom design suited to the Stella Ops attestation model.

## Implementation Details

- **TrustAnchorManager**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs` -- trust anchor CRUD with PURL pattern matching: CreateAnchorAsync (validates PURL pattern format), FindAnchorForPurlAsync (glob-style matching with specificity scoring: `segments*10 - wildcards*5`, most-specific match wins), GetActiveAnchorsAsync, DeactivateAnchorAsync; VerifySignatureAuthorizationAsync combines the temporal key validity check with predicate type authorization; each anchor has AllowedKeyIds, RevokedKeyIds, AllowedPredicateTypes, PolicyRef, PolicyVersion
- **PurlPatternMatcher**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs` -- validates PURL patterns (must start with `pkg:`), converts glob patterns to regex (`*` and `?` wildcards), computes specificity scores for best-match resolution
- **KeyRotationService**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyRotationService.cs` -- trust anchor key lifecycle: AddKeyAsync, RevokeKeyAsync, CheckKeyValidityAsync (temporal validation), GetRotationWarningsAsync (expiry/age/algorithm warnings), GetKeyHistoryAsync; supports key rotation while preserving historical key validity for signature verification at signing time
- **KeyRotationAuditRepository**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyRotationAuditRepository.cs` -- audit trail for all key operations
- **SigstoreModels**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreModels.cs` -- Sigstore trust root data models
- **DefaultSigningKeyResolver**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs` -- resolves signing keys from trust anchors
- **Tests**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/KeyManagement/TrustAnchorManagerTests.cs`
- **Source**: batch_38/file_08.md

## E2E Test Plan

- [x] Verify trust anchor creation with valid PURL pattern succeeds
- [x] Verify trust anchor creation with invalid PURL pattern (missing `pkg:` prefix) is rejected
- [x] Test PURL pattern matching: exact match, wildcard match (`pkg:npm/*`), namespace wildcard (`pkg:maven/org.apache/*`)
- [x] Verify most-specific pattern wins when multiple patterns match a PURL
- [x] Verify VerifySignatureAuthorizationAsync returns IsAuthorized=false when key is not valid at signing time
- [x] Verify predicate type authorization restricts signing to allowed predicate types
- [x] Test trust anchor deactivation prevents matching
- [x] Verify key rotation updates AllowedKeyIds on the anchor while preserving historical validity

## Verification

- **Run ID**: run-001
- **Date**: 2026-02-10
- **Method**: Tier 1 code review + Tier 2d existing test verification
- **Build**: PASS (0 errors, 0 warnings)
- **Tests**: PASS (491/491 signer tests pass)
- **Code Review**:
  - TrustAnchorManager: Complete trust anchor lifecycle verified. CreateAnchorAsync validates the PURL pattern (must start with `pkg:`). FindAnchorForPurlAsync converts glob patterns to regex, scores specificity (`segments*10 - wildcards*5`), and returns the most-specific match. VerifySignatureAuthorizationAsync correctly combines the CheckKeyValidityAsync temporal result with the AllowedPredicateTypes check. DeactivateAnchorAsync sets IsActive=false, preventing future matching.
  - PurlPatternMatcher: Glob-to-regex conversion verified (`?` -> `.`, `*` -> `[^/]*`, `**` -> `.*`). Specificity scoring correctly penalizes wildcards and rewards path depth. Edge cases for empty patterns and exact matches handled.
  - KeyRotationService: Shares implementation with the key-rotation-service-with-temporal-validity feature. Key history tracking verified -- historical keys remain valid for verifying signatures made during their validity window.
  - Tests: TrustAnchorManagerTests cover CRUD operations, PURL matching semantics, specificity scoring, deactivation, and authorization checks.
- **Caveats**:
  - This is not a TUF (The Update Framework) protocol client. It does not implement TUF specification concepts (root.json, targets.json, snapshot.json, timestamp.json, delegations). The feature title has been updated to reflect the actual implementation.
  - The implementation is a custom trust anchor management system designed for Stella Ops' attestation model. It provides equivalent trust root management functionality through PURL-based pattern matching rather than TUF's hierarchical metadata model.
- **Verdict**: PASS (solid trust anchor management implementation; title corrected from "TUF Client" to "Trust Root Management")

## Recheck (Run-002)

- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay + key-validity API contract check.
- **Tests**: PASS (496/496 signer tests pass).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-002/tier2-integration-check.json`
- **Outcome**: Trust-anchor behavior remains stable; missing-key lookups now align to not-found semantics.

## Recheck (Run-003)

- **Verified**: 2026-02-10
- **Method**: Tier 2 follow-up deterministic replay.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-003/tier2-integration-check.json`
- **Outcome**: Trust-anchor management behavior remains stable in follow-up replay.

## Recheck (Run-004)

- **Verified**: 2026-02-10
- **Method**: Tier 2 replay + full Signer suite replay.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-004/tier2-integration-check.json`
- **Outcome**: Trust-anchor and key-validity integration behavior remains stable.

## Recheck (Run-005)

- **Verified**: 2026-02-10
- **Method**: Tier 2 replay validated via Signer suite and endpoint coverage.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-005/tier2-integration-check.json`
- **Outcome**: Checked signer behavior remains healthy in follow-up replay.

## Recheck (Run-006)

- **Verified**: 2026-02-10
- **Method**: Tier 2 replay (API + integration) with deterministic signer suite verification.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-006/tier2-integration-check.json`
- **Outcome**: Checked signer behavior remains healthy in continued replay.

## Recheck (Run-007)

- **Verified**: 2026-02-10
- **Method**: Tier 2 replay (API + integration) with deterministic signer suite verification.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-007/tier2-integration-check.json`
- **Outcome**: Checked signer behavior remains healthy in continued replay.

## Recheck (Run-008)

- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-008/tier2-api-check.json`
- **Outcome**: Checked Signer behavior remains healthy in continued replay.

## Recheck (Run-009)

- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-009/tier2-api-check.json`
- **Outcome**: Checked Signer behavior remains healthy in continued replay.

## Recheck (Run-010)

- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-010/tier2-integration-check.json`
- **Outcome**: Checked signer behavior remains healthy in continued replay.

## Recheck (Run-011)

- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-011/tier2-integration-check.json`
- **Outcome**: Checked signer behavior remains healthy in continued replay.

## Recheck (Run-012)

- **Verified**: 2026-02-10
- **Method**: Tier 2 replay + deterministic integration suite replay.
- **Tests**: PASS (`src/Signer/StellaOps.Signer/StellaOps.Signer.Tests`: 496/496).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/signer/tuf-client-for-trust-root-management/run-012/tier2-integration-check.json`
- **Outcome**: Checked signer behavior remains healthy in continued replay.
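## Worked Example: PURL Pattern Resolution

The Implementation Details and Code Review sections above describe FindAnchorForPurlAsync / PurlPatternMatcher only in prose: `pkg:` prefix validation, the glob dialect (`?` -> `.`, `*` -> `[^/]*`, `**` -> `.*`), the score `segments*10 - wildcards*5`, most-specific-match-wins, and deactivation removing an anchor from matching. The block below is an added illustrative model of that behavior written for this page; it is not Stella Ops code and does not call the Signer API. The glob dialect and the scoring formula are taken from the page; what counts as a "segment" (a `/`-separated part of the pattern), what counts as a "wildcard" (each `*` or `?` character, so `**` costs 10), the tie-break on equal scores, and the sample anchor store are assumptions made here.

```python
"""PURL-pattern trust-anchor resolution: glob-to-regex, specificity, best match.
Added illustrative model for this page, not Stella Ops code. The glob dialect and
the score segments*10 - wildcards*5 come from the page; segment/wildcard counting,
tie-breaking and the sample store are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TrustAnchor:
    anchor_id: str
    purl_pattern: str
    is_active: bool = True


def is_valid_purl_pattern(pattern: str) -> bool:
    """Page's rule: a pattern must start with 'pkg:' (and carry something after it)."""
    return pattern.startswith("pkg:") and len(pattern) > len("pkg:")


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """'?' -> '.', '*' -> '[^/]*' (stays inside one path segment), '**' -> '.*'.
    Everything else is escaped so PURL punctuation ('.', '@', '+') stays literal."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def specificity(pattern: str) -> int:
    """segments*10 - wildcards*5. Assumed here: segments are '/'-separated parts and
    each '*' or '?' character is one wildcard, so '**' costs 10 and ranks below '*'."""
    segments = len(pattern.split("/"))
    wildcards = pattern.count("*") + pattern.count("?")
    return segments * 10 - wildcards * 5


def find_anchor_for_purl(anchors: List[TrustAnchor], purl: str) -> Optional[TrustAnchor]:
    """Most-specific *active* anchor whose pattern matches `purl`, or None.
    Equal scores are broken by anchor_id (assumed; the page defines no tie rule)."""
    matches = []
    for anchor in anchors:
        if not anchor.is_active or not is_valid_purl_pattern(anchor.purl_pattern):
            continue
        if glob_to_regex(anchor.purl_pattern).match(purl):
            matches.append(anchor)
    if not matches:
        return None
    return sorted(matches, key=lambda a: (-specificity(a.purl_pattern), a.anchor_id))[0]


def resolve_anchor_id(anchors: List[TrustAnchor], purl: str) -> Optional[str]:
    anchor = find_anchor_for_purl(anchors, purl)
    return anchor.anchor_id if anchor else None


def deactivate_anchor(anchors: List[TrustAnchor], anchor_id: str) -> None:
    """DeactivateAnchorAsync analogue: the anchor stays in the store but never matches."""
    for anchor in anchors:
        if anchor.anchor_id == anchor_id:
            anchor.is_active = False
            return
    raise KeyError(anchor_id)


def sample_anchors() -> List[TrustAnchor]:
    """Constructed store. Scores: catch-all 0, npm-registry 15, npm-lodash 20, maven-apache 25."""
    return [
        TrustAnchor("catch-all", "pkg:**"),
        TrustAnchor("npm-registry", "pkg:npm/*"),
        TrustAnchor("npm-lodash", "pkg:npm/lodash@4.17.21"),
        TrustAnchor("maven-apache", "pkg:maven/org.apache/*"),
    ]


if __name__ == "__main__":
    store = sample_anchors()
    for purl in ("pkg:npm/lodash@4.17.21", "pkg:npm/express@4.18.2",
                 "pkg:npm/@babel/core@7.23.0", "pkg:maven/org.apache/commons-text@1.10.0",
                 "docker.io/library/nginx"):
        print(f"{purl:45} -> {resolve_anchor_id(store, purl)}")
```

Two behaviors worth checking against the real matcher: because `*` compiles to `[^/]*`, `pkg:npm/*` does not match a scoped npm package such as `pkg:npm/@babel/core@7.23.0` (the namespace adds a slash), so an operator who wants that coverage needs `pkg:npm/**` or an explicit namespace pattern; and a catch-all like `pkg:**` scores lowest, so it only wins when nothing narrower matches, which is the intended fallback role but also the reason to keep such anchors' AllowedPredicateTypes tight.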
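## Worked Example: Temporal Key Validity and Signature Authorization

The KeyRotationService and VerifySignatureAuthorizationAsync descriptions above (and the E2E items "key not valid at signing time", "predicate type authorization", "rotation updates AllowedKeyIds while preserving historical validity") describe the second half of the feature. The block below is an added illustrative model written for this page, not Stella Ops code. Field names mirror the page's AllowedKeyIds, RevokedKeyIds and AllowedPredicateTypes, but the data shapes, the split between "keys allowed to sign now" and the key history that governs already-made signatures, the rule that a revoked key is rejected at every signing time, the age-warning threshold, and the scenario dates are all assumptions.

```python
"""Temporal key validity, rotation history and signature authorization.
Added illustrative model for this page, not Stella Ops code. Field names mirror
the page's AllowedKeyIds / RevokedKeyIds / AllowedPredicateTypes; the data shapes,
revocation semantics, warning threshold and scenario are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class KeyRecord:
    key_id: str
    valid_from: datetime
    valid_until: Optional[datetime] = None  # None: still the current signing key
    revoked_at: Optional[datetime] = None   # set on compromise, never on routine rotation


@dataclass
class Anchor:
    anchor_id: str
    allowed_predicate_types: Set[str]
    allowed_key_ids: Set[str] = field(default_factory=set)  # keys that may sign *now*
    revoked_key_ids: Set[str] = field(default_factory=set)
    key_history: Dict[str, KeyRecord] = field(default_factory=dict)  # governs past signatures


def add_key(anchor: Anchor, key_id: str, valid_from: datetime) -> None:
    anchor.key_history[key_id] = KeyRecord(key_id, valid_from)
    anchor.allowed_key_ids.add(key_id)


def rotate_key(anchor: Anchor, old_key_id: str, new_key_id: str, at: datetime) -> None:
    """Close the old key's window and open the new one. The old record stays in
    history, so signatures made before `at` keep verifying after the rotation."""
    anchor.key_history[old_key_id].valid_until = at
    anchor.allowed_key_ids.discard(old_key_id)
    add_key(anchor, new_key_id, at)


def revoke_key(anchor: Anchor, key_id: str, at: datetime) -> None:
    """Compromise path (assumed semantics): a revoked key is rejected for every
    signing time, because a leaked key can produce back-dated signatures."""
    rec = anchor.key_history[key_id]
    rec.revoked_at = at
    rec.valid_until = rec.valid_until or at
    anchor.allowed_key_ids.discard(key_id)
    anchor.revoked_key_ids.add(key_id)


def check_key_validity(anchor: Anchor, key_id: str, signed_at: datetime) -> Tuple[bool, str]:
    """Was `key_id` a legitimate key of this anchor at `signed_at`?"""
    rec = anchor.key_history.get(key_id)
    if rec is None:
        return False, "key not found"
    if key_id in anchor.revoked_key_ids:
        return False, "key revoked"
    if signed_at < rec.valid_from:
        return False, "signed before key validity window"
    if rec.valid_until is not None and signed_at >= rec.valid_until:
        return False, "signed after key was rotated out"
    return True, "key valid at signing time"


def verify_signature_authorization(anchor: Anchor, key_id: str,
                                   predicate_type: str, signed_at: datetime) -> Tuple[bool, str]:
    """Both checks must pass: temporal key validity AND the predicate-type allow-list."""
    ok, reason = check_key_validity(anchor, key_id, signed_at)
    if not ok:
        return False, reason
    if predicate_type not in anchor.allowed_predicate_types:
        return False, f"predicate type not allowed for anchor: {predicate_type}"
    return True, "authorized"


def rotation_warnings(anchor: Anchor, now: datetime, max_age_days: int = 365) -> List[str]:
    """Age warning for current keys (one of the warning kinds the page lists; threshold assumed)."""
    return [f"{k}: current key older than {max_age_days} days"
            for k in sorted(anchor.allowed_key_ids)
            if (now - anchor.key_history[k].valid_from).days > max_age_days]


SLSA = "https://slsa.dev/provenance/v1"


def sample_anchor() -> Anchor:
    """Constructed scenario: one anchor, key-2025 rotated to key-2026 on 2026-01-01."""
    anchor = Anchor("npm-registry", allowed_predicate_types={SLSA})
    add_key(anchor, "key-2025", utc(2025, 1, 1))
    rotate_key(anchor, "key-2025", "key-2026", utc(2026, 1, 1))
    return anchor
```

The temporal check is only as strong as the `signed_at` value fed into it: if that timestamp is read from the attestation itself, the holder of a retired or leaked key can back-date a signature into the old validity window, so in practice it should come from a source the signer does not control (a transparency-log inclusion time or a timestamp-authority token). That is also why the model above treats revocation differently from rotation and refuses a revoked key at every signing time rather than only after `revoked_at`.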