stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
108d1c64b323808d6085fca05818fc581c6b003a
git.stella-ops.org/docs/modules/mirror/dsse-revision-decision.md
StellaOps Bot e53a282fbe
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
feat: Add native binary analyzer test utilities and implement SM2 signing tests 
- Introduced `NativeTestBase` class for ELF, PE, and Mach-O binary parsing helpers and assertions.
- Created `TestCryptoFactory` for SM2 cryptographic provider setup and key generation.
- Implemented `Sm2SigningTests` to validate signing functionality with environment gate checks.
- Developed console export service and store with comprehensive unit tests for export status management.
2025-12-07 13:12:41 +02:00

1.5 KiB
Raw Blame History

DSSE Revision Decision

Decision ID: DECISION-MIRROR-001 Status: DEFAULT-APPROVED Effective Date: 2025-12-06 48h Window Started: 2025-12-06T00:00:00Z

Decision

The Mirror bundle DSSE envelope format follows the in-toto v1.0 specification with StellaOps extensions for offline verification.

Rationale

  1. in-toto v1.0 is the industry standard for software supply chain attestations
  2. DSSE (Dead Simple Signing Envelope) provides a clean JSON wrapper
  3. Existing tooling (cosign, rekor) supports this format
  4. Aligns with Evidence Locker DSSE patterns already implemented

Specification

{
  "payloadType": "application/vnd.in-toto+json",
  "payload": "<base64-encoded-in-toto-statement>",
  "signatures": [
    {
      "keyid": "<key-id>",
      "sig": "<base64-signature>"
    }
  ]
}

StellaOps Extensions

  • _stellaops.revision: Bundle revision number
  • _stellaops.timestamp: ISO-8601 UTC timestamp
  • _stellaops.merkleRoot: SHA-256 Merkle root of bundle contents

Impact

  • Tasks unblocked: ~5
  • Sprint files affected: SPRINT_0150_mirror_dsse

Reversibility

To change the DSSE format:

  1. Propose new format in docs/modules/mirror/dsse-proposal.md
  2. Get Security Guild sign-off
  3. Update all affected sprint files
  4. Ensure backward compatibility for existing bundles

References