stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
108d1c64b323808d6085fca05818fc581c6b003a
git.stella-ops.org/docs/modules/zastava/kit
History
StellaOps Bot 47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports 
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00
..
ed25519.pub
feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
2025-12-02 21:08:01 +02:00
README.md
feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
2025-12-02 21:08:01 +02:00
verify.sh
feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
2025-12-02 21:08:01 +02:00
zastava-kit.tzst
feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
2025-12-02 21:08:01 +02:00
zastava-kit.tzst.dsse
feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
2025-12-02 21:08:01 +02:00

README.md

Zastava Kit (offline bundle)

Contents

  • Schemas + DSSE: schemas/observer_event.schema.json(.dsse), schemas/webhook_admission.schema.json(.dsse).
  • Examples: schemas/examples/*.json (canonicalised, hashed).
  • Thresholds + DSSE: thresholds.yaml(.dsse).
  • Exports + DSSE: exports/observer_events.ndjson(.dsse), exports/webhook_admissions.ndjson(.dsse).
  • Verification assets: SHA256SUMS, kit/verify.sh, kit/ed25519.pub, schemas/README.md, evidence/README.md.

Build (deterministic)

From docs/modules/zastava:

tar --mtime @0 --owner 0 --group 0 --numeric-owner --sort=name \
  -cf - \
  SHA256SUMS schemas exports thresholds.yaml thresholds.yaml.dsse \
  schemas/examples schemas/README.md \
  schemas/observer_event.schema.json schemas/observer_event.schema.json.dsse \
  schemas/webhook_admission.schema.json schemas/webhook_admission.schema.json.dsse \
  exports/observer_events.ndjson exports/observer_events.ndjson.dsse \
  exports/webhook_admissions.ndjson exports/webhook_admissions.ndjson.dsse \
  evidence/README.md kit/README.md kit/verify.sh kit/ed25519.pub \
| zstd -19 --long=27 --no-progress > kit/zastava-kit.tzst

Sign the kit itself with the same Ed25519 key (base64url pub: mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc):

python - <<'PY'
from pathlib import Path
from base64 import urlsafe_b64encode
import json
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives import serialization

priv = serialization.load_pem_private_key(Path('/tmp/zastava-ed25519.key').read_bytes(), password=None)
pub = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
keyid = urlsafe_b64encode(pub).decode().rstrip('=')
pt = 'application/vnd.stellaops.zastava.kit+tzst;version=1'
payload = Path('kit/zastava-kit.tzst').read_bytes()
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt.encode(), str(len(payload)).encode(), payload])
sig = priv.sign(pae)
env = {
    'payloadType': pt,
    'payload': urlsafe_b64encode(payload).decode().rstrip('='),
    'signatures': [{'keyid': keyid, 'sig': urlsafe_b64encode(sig).decode().rstrip('=')}],
}
Path('kit/zastava-kit.tzst.dsse').write_text(json.dumps(env, indent=2, sort_keys=True) + '\n')
print('wrote kit/zastava-kit.tzst.dsse with keyid', keyid)
PY

Verify

  1. Verify the kit DSSE before unpacking (optional but recommended) using the public key shipped alongside the kit (run from docs/modules/zastava):
cd docs/modules/zastava
python - <<'PY'
import base64, json, sys
from pathlib import Path
from cryptography.hazmat.primitives.asymmetric import ed25519

root = Path('.')
pub = base64.urlsafe_b64decode((root / 'kit' / 'ed25519.pub').read_text().strip() + '==')
env = json.loads((root / 'kit' / 'zastava-kit.tzst.dsse').read_text())
payload = (root / 'kit' / 'zastava-kit.tzst').read_bytes()
pt = env['payloadType'].encode()
pae = b' '.join([b'DSSEv1', str(len(pt)).encode(), pt, str(len(payload)).encode(), payload])
sig = base64.urlsafe_b64decode(env['signatures'][0]['sig'] + '==')
ed25519.Ed25519PublicKey.from_public_bytes(pub).verify(sig, pae)
decoded_payload = base64.urlsafe_b64decode(env['payload'] + '==')
assert decoded_payload == payload
print('OK: kit DSSE verified')
PY
  1. Extract and run offline validation of the inner artefacts:
zstd -d kit/zastava-kit.tzst -c | tar -xf -
./kit/verify.sh

Notes

  • Private signing key is held offline; only the public key is shipped.
  • All files are deterministic (mtime=0, numeric owners) to keep hashes stable for Evidence Locker ingestion.