# Mirror Bundles (Airgap 56-003)

Defines the mirror bundle format and validation workflow for sealed deployments.

## Contents

- Images/charts: OCI artifacts exported with digests + SBOMs.
- Manifests: `manifest.json` with entries:
  - `bundleId`, `mirrorGeneration`, `createdAt`, `producer` (export center), `hashes` (sha256 list)
  - `dsseEnvelopeHash` for signed manifest (if available)
  - `files[]`: path, sha256, size, mediaType
- Transparency: optional TUF metadata (`timestamp.json`, `snapshot.json`) for replay protection.

## Validation steps

1. Verify `manifest.json` sha256 matches provided hash.
2. If DSSE present, verify signature against offline trust roots.
3. Validate Merkle root (if included) over `files[]` hashes.
4. For each OCI artifact, confirm digest matches and SBOM present.
5. Record `mirrorGeneration` and manifest hash; store in audit log and timeline event.
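
One way an importer could implement step 1, the per-file size and sha256 checks over `files[]`, and step 5, together with the sort rule from the Determinism section; this is an added example, not the project's own code. DSSE, Merkle root and SBOM checks are left out, and `validate_bundle`, `BundleRejected`, `make_sample_bundle`, the path-safety check and sorting by UTF-8 byte order are assumptions.

```python
import hashlib, json
from pathlib import Path, PurePosixPath

class BundleRejected(Exception):
    """Raised on any failed check; the importer must not ingest the bundle."""

def validate_bundle(bundle_dir, expected_manifest_sha256):
    root = Path(bundle_dir)
    raw = (root / "manifest.json").read_bytes()
    manifest_hash = hashlib.sha256(raw).hexdigest()
    # Step 1: hash the exact bytes on disk before parsing them.
    if manifest_hash != expected_manifest_sha256.lower():
        raise BundleRejected("manifest.json sha256 mismatch")
    try:
        manifest = json.loads(raw)
        entries = manifest["files"]
        paths = [e["path"] for e in entries]
        # Determinism rule: files[] sorted by path (UTF-8 byte order is assumed).
        if paths != sorted(set(paths), key=lambda p: p.encode("utf-8")):
            raise BundleRejected("files[] not sorted by path or has duplicates")
        for e in entries:
            rel = PurePosixPath(e["path"])
            # Assumed hardening, not from the page: no absolute paths or "..".
            if rel.is_absolute() or ".." in rel.parts:
                raise BundleRejected(f"unsafe path: {e['path']}")
            data = root.joinpath(*rel.parts).read_bytes()
            if len(data) != e["size"]:
                raise BundleRejected(f"size mismatch: {rel}")
            if hashlib.sha256(data).hexdigest() != e["sha256"]:
                raise BundleRejected(f"sha256 mismatch: {rel}")
        # Step 5: values the caller writes to the audit log and timeline event.
        return {"mirrorGeneration": manifest["mirrorGeneration"],
                "manifestSha256": manifest_hash}
    except (KeyError, TypeError, ValueError, AttributeError, OSError) as exc:
        raise BundleRejected(f"malformed or incomplete bundle: {exc!r}") from exc

def make_sample_bundle(root):
    """Constructed sample input: two small files and a matching manifest.json."""
    root = Path(root)
    entries = []
    for rel, data in [("charts/app.tgz", b"chart"), ("images/app.tar", b"image")]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        entries.append({"path": rel, "sha256": hashlib.sha256(data).hexdigest(),
                        "size": len(data), "mediaType": "application/octet-stream"})
    raw = json.dumps({"bundleId": "sample", "mirrorGeneration": 7,
                      "files": entries}).encode("utf-8")
    (root / "manifest.json").write_bytes(raw)
    return hashlib.sha256(raw).hexdigest()
```

For large OCI artifacts, hash in chunks instead of calling `read_bytes()`.
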
## Workflow

- Export Center produces bundle + manifest; Attestor/Excititor importers validate before ingest.
- Bundle consumers must refuse imports if any hash/signature fails.
- Keep format stable; any schema change bumps `manifestVersion` in `manifest.json`.

## Determinism

- Sort `files[]` by path; compute hashes with UTF-8 canonical paths.
- Use ISO-8601 UTC timestamps in manifests.
- Do not include host-specific paths or timestamps in tar layers.