# Signed SBOM Archive Format (SignedSbomArchiveBuilder)

## Module

Scanner

## Status

IMPLEMENTED

## Description

Service for building signed SBOM archive bundles (tar.gz with DSSE envelope, SBOM document, and Rekor receipt) suitable for offline transfer and air-gapped verification.

## Implementation Details

- **Archive Builder**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SignedSbomArchiveBuilder.cs` - `SignedSbomArchiveBuilder` building tar.gz archives containing the SBOM document, DSSE envelope with signature, and Rekor transparency log receipt for offline verification
- **Export Endpoint**:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ExportEndpoints.cs` - Export endpoints providing download of signed SBOM archives
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/SignedSbomArchiveBuilderTests.cs` - Unit tests for archive building and content verification

## E2E Test Plan

- [ ] Build a signed SBOM archive for a scan result and verify the tar.gz contains the SBOM document, DSSE envelope, and Rekor receipt
- [ ] Extract the archive and verify the DSSE envelope signature validates against the signing key
- [ ] Verify the Rekor receipt in the archive matches the transparency log entry
- [ ] Transfer the archive to an air-gapped environment and verify offline verification succeeds using only the archive contents
- [ ] Verify the archive format is deterministic (same inputs produce byte-identical archives excluding timestamps)
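The archive layout and the checks in the test plan above, as an added example written for this page rather than the project's own C# `SignedSbomArchiveBuilder` code: a Go program that builds a tar.gz holding the SBOM document, a DSSE envelope signed over the DSSE pre-authentication encoding, and a receipt, then verifies it offline from the archive bytes and a trusted public key alone. Entry names, the payload type, the key id and the receipt shape are assumptions; the receipt here only binds the envelope hash to a log index, whereas a real Rekor entry also carries an inclusion proof that the air-gapped side would check against a pinned log key. Determinism comes from pinning every header field the tar and gzip writers would otherwise take from the environment (entry order, mode, uid/gid, mtime, gzip name).

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"time"
)

// Entry names and payload type are constructed for this example; the real layout is not on the page.
const sbomEntry, envelopeEntry, receiptEntry = "sbom.json", "sbom.dsse.json", "rekor-receipt.json"
const payloadType = "application/vnd.cyclonedx+json" // assumed payload type

// dsseEnvelope mirrors the DSSE envelope layout: base64 payload, payload type and signatures.
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
	Signatures  []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
}

// pae is the DSSE Pre-Authentication Encoding; the signature covers this, not the raw payload.
func pae(typ string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(payload), payload))
}

func must(err error) {
	if err != nil {
		panic(err) // BuildArchive writes only to memory, so any error here is a programming bug
	}
}

// BuildArchive signs the SBOM into a DSSE envelope, attaches a simplified Rekor-style receipt (log
// index plus envelope hash) and writes a tar.gz whose bytes depend only on the inputs.
func BuildArchive(sbom []byte, priv ed25519.PrivateKey, logIndex int64) []byte {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, sbom)))
	// encoding/json writes map keys in sorted order, so both documents are byte-stable.
	envBytes, _ := json.Marshal(map[string]any{"payloadType": payloadType,
		"payload":    base64.StdEncoding.EncodeToString(sbom),
		"signatures": []map[string]string{{"keyid": "sbom-signing-key", "sig": sig}}})
	rcptBytes, _ := json.Marshal(map[string]any{"logIndex": logIndex,
		"envelopeSha256": fmt.Sprintf("%x", sha256.Sum256(envBytes))})
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf) // default gzip header: no file name, zero mtime
	tw := tar.NewWriter(gz)
	// Fixed entry order; ranging over a map here would randomise the layout between runs.
	for _, e := range []struct{ name string; data []byte }{{sbomEntry, sbom}, {envelopeEntry, envBytes}, {receiptEntry, rcptBytes}} {
		must(tw.WriteHeader(&tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.data)),
			ModTime: time.Unix(0, 0).UTC(), Format: tar.FormatUSTAR})) // constant mtime, uid/gid 0
		_, err := tw.Write(e.data)
		must(err)
	}
	must(tw.Close())
	must(gz.Close())
	return buf.Bytes()
}

// VerifyArchive is the air-gapped side: using only the archive and a trusted public key it checks that
// sbom.json equals the signed payload, that the DSSE signature verifies over the PAE, and that the
// receipt binds to the exact envelope bytes in the archive. On success it returns the verified SBOM.
func VerifyArchive(archive []byte, pub ed25519.PublicKey) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return nil, err
	}
	files := map[string][]byte{}
	tr := tar.NewReader(gz)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if files[hdr.Name], err = io.ReadAll(tr); err != nil {
			return nil, err
		}
	}
	var env dsseEnvelope
	var rcpt struct{ EnvelopeSHA256 string `json:"envelopeSha256"` }
	if json.Unmarshal(files[envelopeEntry], &env) != nil || len(env.Signatures) != 1 ||
		env.PayloadType != payloadType || json.Unmarshal(files[receiptEntry], &rcpt) != nil {
		return nil, fmt.Errorf("envelope or receipt entry is missing, malformed, or of an unexpected payload type")
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || !bytes.Equal(payload, files[sbomEntry]) {
		return nil, fmt.Errorf("%s is missing or differs from the signed payload", sbomEntry)
	}
	if sig, err := base64.StdEncoding.DecodeString(env.Signatures[0].Sig); err != nil || !ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
		return nil, fmt.Errorf("DSSE signature does not verify against the trusted key")
	}
	if rcpt.EnvelopeSHA256 != fmt.Sprintf("%x", sha256.Sum256(files[envelopeEntry])) {
		return nil, fmt.Errorf("receipt does not bind to the envelope in the archive")
	}
	return payload, nil
}
```

Building the same SBOM twice with the same key yields byte-identical archives because Ed25519 signatures are deterministic and no wall-clock value enters the tar or gzip headers; the determinism check in the test plan then reduces to a byte comparison. The verifier deliberately compares the loose `sbom.json` against the DSSE payload, so a bundle whose human-readable SBOM has been swapped while the envelope stays intact is rejected rather than silently trusted.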