git.stella-ops.org/docs/modules/signals/evidence/README.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00


# Signals DSSE Evidence Staging (runtime/signals gaps)

Artifacts prepared 2025-12-05 (UTC) for DSSE signing and Evidence Locker ingest:

| Artifact | Path | Predicate |
|---|---|---|
| Decay config | `docs/modules/signals/decay/confidence_decay_config.yaml` | `stella.ops/confidenceDecayConfig@v1` |
| Unknowns manifest | `docs/modules/signals/unknowns/unknowns_scoring_manifest.json` | `stella.ops/unknownsScoringManifest@v1` |
| Heuristics catalog | `docs/modules/signals/heuristics/heuristics.catalog.json` | `stella.ops/heuristicCatalog@v1` |
| Checksums | `docs/modules/signals/SHA256SUMS` | |

## CI Automated Signing

The `.gitea/workflows/signals-dsse-sign.yml` workflow automates DSSE signing.

### Prerequisites (CI Secrets)

| Secret | Description |
|---|---|
| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key (required for production) |
| `COSIGN_PASSWORD` | Password for the encrypted key (if applicable) |
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker push (optional) |

### Trigger

- Automatic: push to `main` affecting `docs/modules/signals/**` or `tools/cosign/sign-signals.sh`
- Manual: workflow dispatch with `allow_dev_key=1` for testing

### Output

Signed artifacts are uploaded as the workflow artifact `signals-dsse-signed-{run}` and optionally pushed to the Evidence Locker.

## Development Signing (Local Testing)

A development key pair is available for smoke tests. Recent dev bundles live under `docs/modules/signals/dev-smoke/2025-12-04/` and `docs/modules/signals/dev-smoke/2025-12-05/`.

```bash
# Sign with dev key
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
  OUT_DIR=docs/modules/signals/dev-smoke/2025-12-05 \
  tools/cosign/sign-signals.sh

# Verify signature
cosign verify-blob \
  --key tools/cosign/cosign.dev.pub \
  --bundle docs/modules/signals/dev-smoke/2025-12-05/confidence_decay_config.sigstore.json \
  docs/modules/signals/decay/confidence_decay_config.yaml
```

**Note:** Dev key signatures are NOT suitable for Evidence Locker or production use; tlog upload is disabled.
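As an added example that is not part of this README or the StellaOps tooling: what a consumer of these bundles should check beyond "the signature verifies", using the predicate types from the staging table above. It builds the DSSE pre-authentication encoding (PAE) that is actually signed, and checks an envelope's payload type, predicate type and subject digest against the artifact on disk. The envelope contents and predicate body are constructed; verifying the signature itself stays with `cosign verify-blob`.

```python
import base64
import hashlib
import json

# Expected predicate type per artifact, from the staging table in this README.
EXPECTED_PREDICATES = {
    "docs/modules/signals/decay/confidence_decay_config.yaml": "stella.ops/confidenceDecayConfig@v1",
    "docs/modules/signals/unknowns/unknowns_scoring_manifest.json": "stella.ops/unknownsScoringManifest@v1",
    "docs/modules/signals/heuristics/heuristics.catalog.json": "stella.ops/heuristicCatalog@v1",
}
IN_TOTO_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes the signer signs.
    It binds the payload type to the payload so neither can be swapped."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def build_envelope(path: str, content: bytes, predicate: dict) -> dict:
    """Unsigned DSSE envelope carrying an in-toto statement for one artifact
    (constructed example; a real signer fills 'signatures' with a signature over pae())."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": path, "digest": {"sha256": hashlib.sha256(content).hexdigest()}}],
        "predicateType": EXPECTED_PREDICATES[path],
        "predicate": predicate,
    }
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return {"payloadType": IN_TOTO_TYPE, "payload": base64.b64encode(payload).decode(), "signatures": []}


def check_envelope(envelope: dict, path: str, content: bytes) -> list:
    """Return the policy problems found (empty list means the claims match the artifact).
    This checks *what* was signed; signature validity itself is cosign's job."""
    problems = []
    if envelope.get("payloadType") != IN_TOTO_TYPE:
        problems.append("payloadType is not in-toto")
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    if stmt.get("predicateType") != EXPECTED_PREDICATES.get(path):
        problems.append("predicateType does not match the artifact's expected predicate")
    digest = hashlib.sha256(content).hexdigest()
    subjects = stmt.get("subject") or []
    if not any(s.get("name") == path and s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("no subject matches the artifact path and sha256")
    if not envelope.get("signatures"):
        problems.append("envelope carries no signatures")
    return problems
```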

## Production Signing (Manual)

For production signing without CI:

```bash
# Option 1: Place key file
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh

# Option 2: Use base64 env var (-w0 keeps the encoding on one line; GNU coreutils)
export COSIGN_PRIVATE_KEY_B64=$(base64 -w0 < production.key)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh
```

## Evidence Locker Paths

Post-signing, artifacts go to:

- `evidence-locker/signals/2025-12-05/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-05/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-05/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-05/SHA256SUMS`

Deterministic tarball (dev-key signing 2025-12-05) for locker push/testing:

```text
evidence-locker/signals/2025-12-05/signals-evidence.tar  sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d
```

Verification helper:

```bash
./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]
```

Local locker upload (once credentials are available):

```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/signals-upload-evidence.sh
# or to push both Signals and Zastava in one go
./tools/upload-all-evidence.sh
```

CI upload path:

- Workflow: `.gitea/workflows/signals-evidence-locker.yml`
- Secrets required: `CI_EVIDENCE_LOCKER_TOKEN`, `EVIDENCE_LOCKER_URL`
- Artifact name: `signals-evidence-2025-12-05`
- Retention input (optional): `retention_target` (default 180 days)

## Post-Signing Checklist

1. Verify signatures against the public key
2. Update sprint tracker (SPRINT_0140) Delivery Tracker rows 57
3. Add signer ID to Execution Log
4. Copy to offline kit bundle for air-gap parity

## Notes

- All timestamps use UTC ISO-8601 format
- Signatures disable tlog upload (`--tlog-upload=false`) for offline compatibility
- See `tools/cosign/README.md` for detailed key management and CI setup