git.stella-ops.org/docs/features/checked/attestor/hash-stable-proofs.md
2026-02-14 09:11:48 +02:00

Hash-stable proofs (deterministic attestation outputs)

Module

Attestor

Status

VERIFIED

Description

Determinism is enforced and tested at multiple levels: attestation type determinism, DSSE envelope determinism, and canonical payload determinism, with a dedicated benchmark harness.

Implementation Details

  • RFC 8785 Canonicalizer: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs (with .DecimalPoint, .NumberSerialization, .StringNormalization, .WriteMethods) -- deterministic JSON serialization per RFC 8785 (JCS). Ensures identical logical JSON always produces identical byte output.
  • Content-Addressed ID Generator: Identifiers/ContentAddressedIdGenerator.cs (with .Graph) -- generates SHA-256-based IDs from canonicalized content, guaranteeing hash stability.
  • Deterministic Merkle Tree: Merkle/DeterministicMerkleTreeBuilder.cs (with .Helpers, .Proof) -- builds Merkle trees with deterministic leaf ordering and hash computation.
  • DSSE Envelope: Signing/DsseEnvelope.cs -- deterministic envelope structure with canonical payload encoding.
  • Proof Chain Signer: Signing/ProofChainSigner.cs (with .Verification) -- deterministic signing, so the same payload and key always yield the same signature.
  • Statement Builder: Builders/StatementBuilder.cs (with .Extended) -- builds in-toto statements with deterministic field ordering.
  • Predicate Schema Validator: Json/PredicateSchemaValidator.cs (with .Validators, .DeltaValidators) -- validates that predicates conform to their schemas, ensuring structural consistency.
  • SBOM Canonicalizer: __Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.Elements.cs -- deterministic SBOM element ordering.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/DeterminismTests.cs, Rfc8785JsonCanonicalizerTests.cs

E2E Test Plan

  • Serialize the same predicate twice via Rfc8785JsonCanonicalizer and verify byte-identical output
  • Generate a ContentAddressedId from a predicate, serialize/deserialize the predicate, regenerate the ID, and verify they match
  • Build two DSSE envelopes from the same payload and key, verify the envelopes are byte-identical
  • Build a DeterministicMerkleTreeBuilder tree from leaves in different insertion orders and verify the root hash is identical
  • Create an in-toto statement via StatementBuilder, serialize with JCS, re-parse, re-serialize, and verify byte-identical output
  • Canonicalize an SBOM via SbomCanonicalizer with components in random order and verify the output is sorted deterministically
  • Run the determinism benchmark harness and verify zero hash mismatches across 1000+ iterations
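The plan above can be exercised end to end with a small reference implementation. The following is an added example, not code from the StellaOps.Attestor project: a Python RFC 8785 (JCS) canonicalizer (integers, strings, booleans, null, arrays, objects; ES6 float formatting is deliberately not reproduced), a content-addressed ID that is assumed to be `sha256:` plus the hex digest of the canonical bytes, and an order-independent Merkle root whose odd-level duplication rule is an assumed convention rather than the project's.

```python
import hashlib
import json

def jcs(value) -> bytes:
    """Canonical JSON per RFC 8785 (JCS) for the value types this demo supports."""
    if value is None or isinstance(value, bool):  # bool must be tested before int
        return b"null" if value is None else (b"true" if value else b"false")
    if isinstance(value, int):
        return str(value).encode()
    if isinstance(value, float):
        # Assumption for this demo: no floats; ES6 number formatting is not reproduced here
        raise ValueError("float serialization not implemented in this demo")
    if isinstance(value, str):
        # json.dumps escapes only ", \ and control chars (lowercase \u00xx), as JCS requires
        return json.dumps(value, ensure_ascii=False).encode("utf-8")
    if isinstance(value, list):
        return b"[" + b",".join(jcs(v) for v in value) + b"]"
    if isinstance(value, dict):
        # JCS orders members by UTF-16 code units; big-endian UTF-16 bytes compare that way
        items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return b"{" + b",".join(jcs(k) + b":" + jcs(v) for k, v in items) + b"}"
    raise TypeError(f"unsupported type {type(value).__name__}")

def content_id(value) -> str:
    """Content-addressed ID: SHA-256 over canonical bytes ('sha256:' prefix is assumed)."""
    return "sha256:" + hashlib.sha256(jcs(value)).hexdigest()

def merkle_root(leaves) -> bytes:
    """Root over leaf hashes sorted bytewise, so insertion order cannot change the result.
    Odd levels duplicate the last node (an assumed convention, not the project's)."""
    level = sorted(hashlib.sha256(leaf).digest() for leaf in leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0]

# Constructed sample predicate with unsorted keys and characters that need escaping
PREDICATE = {"subject": [{"name": "pkg:npm/left-pad@1.3.0", "digest": {"sha256": "ab"}}],
             "_type": "https://in-toto.io/Statement/v1", "note": "caf\u00e9 \"q\" \n"}

def determinism_checks() -> dict:
    """Mirrors the E2E plan: repeat serialization, round-trip, and reorder Merkle leaves."""
    first, second = jcs(PREDICATE), jcs(PREDICATE)
    round_trip = jcs(json.loads(first.decode("utf-8")))
    leaves = [b"leaf-a", b"leaf-b", b"leaf-c"]
    return {"repeat_identical": first == second,
            "roundtrip_identical": round_trip == first and content_id(PREDICATE) == content_id(json.loads(first)),
            "merkle_order_independent": merkle_root(leaves) == merkle_root(leaves[::-1])}
```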

Verification

| Check | Result |
| --- | --- |
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |