git.stella-ops.org/docs/modules/mirror/dsse-tuf-profile.md
StellaOps Bot 47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00

DSSE/TUF profile for Mirror thin bundles (v1 draft)

Applies to mirror-thin-v1.* artefacts in out/mirror/thin/.

Keys

  • Signing algorithm: ed25519
  • Key IDs: mirror-ed25519-test-1
  • Storage: keep the private key only in a sealed CI secret; the public key is published alongside the metadata at out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pub.

DSSE envelope

  • Payload type: application/vnd.stellaops.mirror.manifest+json
  • Payload: mirror-thin-v1.manifest.json
  • Signature: ed25519 over base64url(payload)
  • Envelope path: out/mirror/thin/mirror-thin-v1.manifest.dsse.json
  • Bundle meta DSSE (OK1/OK3/MS8): payload type application/vnd.stellaops.mirror.bundle+json, payload mirror-thin-v1.bundle.json, envelope path mirror-thin-v1.bundle.dsse.json.

TUF metadata layout

out/mirror/thin/tuf/
  root.json
  snapshot.json
  targets.json
  timestamp.json
  keys/mirror-ed25519-test-1.pub

Targets mapping (latest dev build 2025-12-02)

  • mirror-thin-v1.tar.gz → targets entry with sha256 fb1ce26388a1f1ab2eb90aae6d63ac05de326fbbd947fbf7a17b980232c9fc7d
  • mirror-thin-v1.manifest.json → sha256 1affb0b796ff037117b46aa1f1d8056a9c80755e925af058ea72132ba158becf
  • mirror-thin-v1.bundle.json (top-level kit manifest) → sha256 a3b16f5d1b74ffdf9aedbbfe9282d368dc3dcf70676c8ac7e8cdd984162e7f90
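As an added example (not scripts/mirror/sign_thin_bundle.py or the project's own verifier), here is a Go signer and verifier for the manifest envelope described under "DSSE envelope" that also checks the decoded payload against its targets.json digest from the mapping above. It follows the DSSE specification, where the signed bytes are the pre-authentication encoding (PAE) of payload type plus payload rather than the bare base64url payload, and it assumes the caller supplies the Ed25519 key pair and the manifest bytes; the Envelope field names mirror the DSSE JSON keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Added example, not project code. Values below are taken from the profile; the
// caller supplies the key pair (a real one, or a constructed test key) and the manifest.
const PayloadType = "application/vnd.stellaops.mirror.manifest+json"
const KeyID = "mirror-ed25519-test-1"

// DSSE envelope fields: payloadType, payload (standard base64), signatures[{keyid, sig}].
type Signature struct{ KeyID, Sig string }
type Envelope struct{ PayloadType, Payload string; Signatures []Signature }

// pae is the DSSE pre-authentication encoding; signing it rather than the bare payload binds
// the payload type, so a manifest signature cannot be replayed under the bundle payload type.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Digest is the lowercase hex sha256 recorded in the targets.json mapping.
func Digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Sign wraps the manifest bytes in a DSSE envelope signed under KeyID.
func Sign(priv ed25519.PrivateKey, manifest []byte) Envelope {
	sig := ed25519.Sign(priv, pae(PayloadType, manifest))
	return Envelope{PayloadType, base64.StdEncoding.EncodeToString(manifest),
		[]Signature{{KeyID, base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify checks the payload type, a valid signature under KeyID and that the payload's
// sha256 equals the digest pinned in targets.json; it returns the verified manifest bytes.
func Verify(pub ed25519.PublicKey, env Envelope, targetSHA256 string) ([]byte, error) {
	if env.PayloadType != PayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	manifest, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not base64: %w", err)
	}
	for _, s := range env.Signatures { // any valid signature from the expected key ID suffices
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if s.KeyID != KeyID || err != nil || !ed25519.Verify(pub, pae(env.PayloadType, manifest), raw) {
			continue
		}
		if got := Digest(manifest); got != targetSHA256 {
			return nil, fmt.Errorf("sha256 %s does not match targets entry %s", got, targetSHA256)
		}
		return manifest, nil
	}
	return nil, fmt.Errorf("no valid signature for keyid %s", KeyID)
}
```

Verification fails closed: a payload type swap, a payload edit, a signature from another key, or a digest that disagrees with targets.json each return an error rather than the manifest.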

Determinism rules

  • Sort keys in JSON; indent=2; trailing newline.
  • expires set to 2026-01-01T00:00:00Z for draft; update during release.
  • Versions: root=1, targets=1, snapshot=1, timestamp=1 for this draft.
  • Signatures should be stable; for test draft, placeholders are used until CI signing is wired.

Status & TODO to productionize

  • Draft signatures now generated with repo test key (mirror-ed25519-test-1) via scripts/mirror/sign_thin_bundle.py; replace with CI-held key before release.
  • CI hook: set MIRROR_SIGN_KEY_B64 (base64-encoded Ed25519 PEM) and run scripts/mirror/ci-sign.sh to build+sign+verify in one step.
  • Rotate keys via TUF root role once CI secrets land.
  • Add DSSE signer to assembler pipeline so make-thin-v1.sh emits envelope + TUF metadata automatically in CI.

CI integration sketch (disabled until key is provided)

- name: Mirror thin bundle (signed)
  run: |
    export MIRROR_SIGN_KEY_B64="${{ secrets.MIRROR_SIGN_KEY_B64 }}"
    export OCI=1
    scripts/mirror/ci-sign.sh
  if: ${{ secrets.MIRROR_SIGN_KEY_B64 != '' }}