git.stella-ops.org/docs/airgap/mirror-bundles.md
StellaOps Bot 150b3730ef
up
2025-11-24 07:52:25 +02:00


Mirror Bundles (Airgap 56-003)

Defines the mirror bundle format and validation workflow for sealed deployments.

Contents

  • Images/charts: OCI artifacts exported with digests + SBOMs.
  • Manifests: manifest.json with entries:
    • bundleId, mirrorGeneration, createdAt, producer (export center), hashes (sha256 list)
    • dsseEnvelopeHash for signed manifest (if available)
    • files[]: path, sha256, size, mediaType
  • Transparency: optional TUF metadata (timestamp.json, snapshot.json) for replay protection.

Validation steps

  1. Verify manifest.json sha256 matches provided hash.
  2. If DSSE present, verify signature against offline trust roots.
  3. Validate Merkle root (if included) over files[] hashes.
  4. For each OCI artifact, confirm digest matches and SBOM present.
  5. Record mirrorGeneration and manifest hash; store in audit log and timeline event.
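An importer-side sketch of steps 1 and 5 plus a per-entry size and sha256 check over files[], added here as an illustration and not taken from the StellaOps code base. The `read_file` accessor, the `manifestSha256` key, the integer `mirrorGeneration` and code-point sort order are assumptions; DSSE, Merkle and OCI/SBOM checks are left out because the page does not specify their construction.

```python
import hashlib
import json


class BundleRejected(Exception):
    """Raised when a bundle must not be imported."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_bundle(manifest_bytes, expected_sha256, read_file):
    """read_file(path) -> bytes is a hypothetical accessor; it raises KeyError if absent."""
    # Step 1: hash the manifest bytes as received, before parsing anything.
    manifest_hash = sha256_hex(manifest_bytes)
    if manifest_hash != expected_sha256.lower():
        raise BundleRejected("manifest.json sha256 mismatch")
    manifest = json.loads(manifest_bytes.decode("utf-8"))
    entries = manifest["files"]
    paths = [e["path"] for e in entries]
    # Determinism rule: files[] sorted by path (assumed: code-point order, no duplicates).
    if paths != sorted(set(paths)):
        raise BundleRejected("files[] unsorted or duplicated")
    for e in entries:
        try:
            data = read_file(e["path"])
        except KeyError:
            raise BundleRejected("missing file: " + e["path"])
        if len(data) != e["size"] or sha256_hex(data) != e["sha256"]:
            raise BundleRejected("size/sha256 mismatch: " + e["path"])
    # Step 5: values to store in the audit log and timeline event.
    return {"bundleId": manifest["bundleId"],
            "mirrorGeneration": manifest["mirrorGeneration"],
            "manifestSha256": manifest_hash}


# Constructed sample bundle contents (not real StellaOps data).
SAMPLE_FILES = {"charts/app.tgz": b"chart-bytes", "images/app.tar": b"image-bytes"}


def build_sample_manifest(files):
    entries = [{"path": p, "sha256": sha256_hex(d), "size": len(d),
                "mediaType": "application/octet-stream"}
               for p, d in sorted(files.items())]
    doc = {"bundleId": "example-bundle", "mirrorGeneration": 7, "files": entries}
    return json.dumps(doc).encode("utf-8")
```

Any `BundleRejected` maps to the refuse-import rule under Workflow; the returned record is only produced when every check passes.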

Workflow

  • Export Center produces bundle + manifest; Attestor/Excititor importers validate before ingest.
  • Bundle consumers must refuse imports if any hash/signature fails.
  • Keep format stable; any schema change bumps manifestVersion in manifest.json.

Determinism

  • Sort files[] by path; compute hashes with UTF-8 canonical paths.
  • Use ISO-8601 UTC timestamps in manifests.
  • Do not include host-specific paths or timestamps in tar layers.