git.stella-ops.org/docs/modules/mirror/dsse-tuf-profile.md

# DSSE/TUF profile for Mirror thin bundles (v1 draft)

Applies to `mirror-thin-v1.*` artefacts in `out/mirror/thin/`.

## Keys
- Signing algorithm: ed25519
- Key IDs: `mirror-ed25519-test-1`
- Storage: keep private key only in sealed CI secret; public key published alongside metadata at `out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pub`.

## DSSE envelope
- Payload type: `application/vnd.stellaops.mirror.manifest+json`
- Payload: `mirror-thin-v1.manifest.json`
- Signature: ed25519 over base64url(payload)
- Envelope path: `out/mirror/thin/mirror-thin-v1.manifest.dsse.json`
- Bundle meta DSSE (OK1/OK3/MS8): payload type `application/vnd.stellaops.mirror.bundle+json`, payload `mirror-thin-v1.bundle.json`, envelope path `mirror-thin-v1.bundle.dsse.json`.

## TUF metadata layout
```
out/mirror/thin/tuf/
  root.json
  snapshot.json
  targets.json
  timestamp.json
  keys/mirror-ed25519-test-1.pub
```

### Targets mapping (latest dev build 2025-12-02)
- `mirror-thin-v1.tar.gz` → targets entry with sha256 `fb1ce26388a1f1ab2eb90aae6d63ac05de326fbbd947fbf7a17b980232c9fc7d`
- `mirror-thin-v1.manifest.json` → sha256 `1affb0b796ff037117b46aa1f1d8056a9c80755e925af058ea72132ba158becf`
- `mirror-thin-v1.bundle.json` (top-level kit manifest) → sha256 `a3b16f5d1b74ffdf9aedbbfe9282d368dc3dcf70676c8ac7e8cdd984162e7f90`

### Determinism rules
- Sort keys in JSON; indent=2; trailing newline.
- `expires` set to `2026-01-01T00:00:00Z` for draft; update during release.
- Versions: root=1, targets=1, snapshot=1, timestamp=1 for this draft.
- Signatures should be stable; for test draft, placeholders are used until CI signing is wired.

## Status & TODO to productionize
- Draft signatures now generated with repo test key (`mirror-ed25519-test-1`) via `scripts/mirror/sign_thin_bundle.py`; replace with CI-held key before release.
- CI hook: set `MIRROR_SIGN_KEY_B64` (base64-encoded Ed25519 PEM) and run `scripts/mirror/ci-sign.sh` to build+sign+verify in one step.
- Rotate keys via TUF root role once CI secrets land.
- Add DSSE signer to assembler pipeline so `make-thin-v1.sh` emits envelope + TUF metadata automatically in CI.

### CI integration sketch (disabled until key is provided)
```
- name: Mirror thin bundle (signed)
  run: |
    export MIRROR_SIGN_KEY_B64="${{ secrets.MIRROR_SIGN_KEY_B64 }}"
    export OCI=1
    scripts/mirror/ci-sign.sh
  if: ${{ secrets.MIRROR_SIGN_KEY_B64 != '' }}
```