git.stella-ops.org/docs/modules/signals/evidence/README.md
StellaOps Bot bc0762e97d up
2025-12-09 00:20:52 +02:00

# Signals DSSE Evidence Staging (runtime/signals gaps)
Artifacts prepared 2025-12-05 (UTC) for DSSE signing and Evidence Locker ingest:
| Artifact | Path | Predicate |
|----------|------|-----------|
| Decay config | `docs/modules/signals/decay/confidence_decay_config.yaml` | `stella.ops/confidenceDecayConfig@v1` |
| Unknowns manifest | `docs/modules/signals/unknowns/unknowns_scoring_manifest.json` | `stella.ops/unknownsScoringManifest@v1` |
| Heuristics catalog | `docs/modules/signals/heuristics/heuristics.catalog.json` | `stella.ops/heuristicCatalog@v1` |
| Checksums | `docs/modules/signals/SHA256SUMS` | — |
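The predicate column above is what an Evidence Locker consumer should pin each bundle to. As an added example (not part of the StellaOps tooling or this repo), the following Python check decodes the DSSE envelope of a bundle and asserts the `payloadType`, the in-toto `predicateType` from the table, and the subject digest against the local artifact; it assumes the bundle uses the Sigstore bundle layout with a `dsseEnvelope` field, and it leaves signature verification to `cosign verify-blob --key ...`.

```python
import base64
import hashlib
import json

# Expected predicate per artifact, taken from the staging table in this README.
EXPECTED_PREDICATES = {
    "confidence_decay_config.yaml": "stella.ops/confidenceDecayConfig@v1",
    "unknowns_scoring_manifest.json": "stella.ops/unknownsScoringManifest@v1",
    "heuristics.catalog.json": "stella.ops/heuristicCatalog@v1",
}
IN_TOTO_TYPE = "application/vnd.in-toto+json"


def check_dsse_bundle(bundle_json: str, artifact_name: str, artifact_bytes: bytes) -> list:
    """Return a list of findings (empty list == OK) for one bundle/artifact pair."""
    findings = []
    bundle = json.loads(bundle_json)
    env = bundle.get("dsseEnvelope")  # assumption: Sigstore bundle layout
    if env is None:
        return ["bundle has no dsseEnvelope"]
    if env.get("payloadType") != IN_TOTO_TYPE:
        findings.append(f"unexpected payloadType {env.get('payloadType')!r}")
    if not env.get("signatures"):
        findings.append("envelope carries no signatures")
    stmt = json.loads(base64.b64decode(env["payload"]))
    want = EXPECTED_PREDICATES.get(artifact_name)
    if stmt.get("predicateType") != want:
        findings.append(f"predicateType {stmt.get('predicateType')!r} != {want!r}")
    # Bind the statement to the bytes actually staged for ingest.
    local = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = {s.get("name"): s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if subjects.get(artifact_name) != local:
        findings.append(f"subject sha256 for {artifact_name} does not match local file")
    return findings


def make_sample_bundle(artifact_name: str, artifact_bytes: bytes, predicate_type: str) -> str:
    """Constructed sample bundle (placeholder signature) used only to exercise the checks."""
    stmt = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": {},
    }
    env = {
        "payloadType": IN_TOTO_TYPE,
        "payload": base64.b64encode(json.dumps(stmt).encode()).decode(),
        "signatures": [{"sig": "Q09OU1RSVUNURUQ="}],  # constructed placeholder, not a real signature
    }
    return json.dumps({"dsseEnvelope": env})
```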
## CI Automated Signing
- `.gitea/workflows/signals-dsse-sign.yml`: DSSE signing of decay/unknowns/heuristics on push or manual dispatch.
- `.gitea/workflows/signals-reachability.yml`: reachability smoke (SIGNALS-24-004/005), DSSE signing, and optional Evidence Locker upload.
- `.gitea/workflows/signals-evidence-locker.yml`: production re-sign + deterministic tar upload; defaults to `evidence-locker/signals/2025-12-05`.
### Prerequisites (CI Secrets or Repo Vars)
| Secret/Var | Description |
|--------|-------------|
| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key (required for production) |
| `COSIGN_PASSWORD` | Password for encrypted key (if applicable) |
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker push |
| `EVIDENCE_LOCKER_URL` | Base URL for locker PUT (e.g., `https://locker.example.com`) |
### Trigger
- **Automatic**: Push to `main` affecting `docs/modules/signals/**`, `tools/cosign/sign-signals.sh`, or Signals sources (reachability workflow).
- **Manual**: Workflow dispatch with `allow_dev_key=1` for testing; `out_dir` input defaults to `evidence-locker/signals/2025-12-05`.
### Output
Signed artifacts uploaded as workflow artifacts and, when secrets/vars are present, pushed to Evidence Locker. Evidence tar SHA256 is emitted in job logs.
## Development Signing (Local Testing)
A development key pair is available for smoke tests. Recent dev bundles live under `docs/modules/signals/dev-smoke/2025-12-04/` and `docs/modules/signals/dev-smoke/2025-12-05/`.
```bash
# Sign with dev key
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
OUT_DIR=docs/modules/signals/dev-smoke/2025-12-05 \
tools/cosign/sign-signals.sh
# Verify signature
cosign verify-blob \
--key tools/cosign/cosign.dev.pub \
--bundle docs/modules/signals/dev-smoke/2025-12-05/confidence_decay_config.sigstore.json \
docs/modules/signals/decay/confidence_decay_config.yaml
```
**Note**: Dev key signatures are NOT suitable for Evidence Locker or production use; tlog upload is disabled.
## Production Signing (Manual)
For production signing without CI:
```bash
# Option 1: place the key file where sign-signals.sh expects it
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh

# Option 2: pass the key as a base64 env var (avoids copying it into the repo tree)
export COSIGN_PRIVATE_KEY_B64=$(base64 -w0 < production.key)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh
```
## Evidence Locker Paths
Post-signing, artifacts go to:
- `evidence-locker/signals/2025-12-05/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-05/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-05/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-05/SHA256SUMS`
Deterministic tarball (dev-key signing 2025-12-05) for locker push/testing:
```text
evidence-locker/signals/2025-12-05/signals-evidence.tar sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d
```
Verification helper:
```bash
./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]
```
Local locker upload (once creds are available):
```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/signals-upload-evidence.sh
# or to push both Signals and Zastava in one go
./tools/upload-all-evidence.sh
```
CI upload path:
- Workflow: `.gitea/workflows/signals-evidence-locker.yml`
- Secrets required: `CI_EVIDENCE_LOCKER_TOKEN`, `EVIDENCE_LOCKER_URL`
- Artifact name: `signals-evidence-2025-12-05`
- Retention input (optional): `retention_target` (default 180 days)
## Post-Signing Checklist
1. Verify signatures against public key
2. Update sprint tracker (SPRINT_0140) Delivery Tracker rows 57
3. Add signer ID to Execution Log
4. Copy to offline kit bundle for air-gap parity
## Notes
- All timestamps use UTC ISO-8601 format
- Signatures disable tlog upload (`--tlog-upload=false`) for offline compatibility
- See `tools/cosign/README.md` for detailed key management and CI setup