git.stella-ops.org/docs/ops/evidence-locker-handoff.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00


# Evidence Locker Handoff (Signals & Zastava)
## Inputs required (from Ops)
- `EVIDENCE_LOCKER_URL` (base URL, no trailing slash)
- `CI_EVIDENCE_LOCKER_TOKEN` (Bearer token with write to `zastava/*` and `signals/*`)
- **Signals production signing key** for final re-sign (one of):
  - `COSIGN_PRIVATE_KEY_B64` (base64 of private key) + optional `COSIGN_PASSWORD`, or
  - key file at `tools/cosign/cosign.key` + password.
## What's ready (deterministic artefacts)
- Zastava tar: `evidence-locker/zastava/2025-12-02/zastava-evidence.tar`
  - sha256: `e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9ac019cf0f1c9`
- Signals tar (dev key): `evidence-locker/signals/2025-12-05/signals-evidence.tar`
  - sha256: `a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d`
## Publish both bundles (once URL/token are available)
```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/upload-all-evidence.sh
```
## Verify locally (hash + inner SHA lists)
- Zastava: `./tools/zastava-verify-evidence-tar.sh [path/to/zastava-evidence.tar]`
- Signals: `./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]`
## Re-sign Signals for production trust (optional but recommended)
```bash
export COSIGN_PRIVATE_KEY_B64="<prod-key-b64>"
export COSIGN_PASSWORD="<pwd-if-any>"
OUT_DIR=evidence-locker/signals/2025-12-05 \
tools/cosign/sign-signals.sh
# Rebuild + upload tar
./tools/signals-upload-evidence.sh
```
## Notes
- All packaging is deterministic (`tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner`).
- Tlog upload is disabled for offline parity; Evidence Locker trust comes from the provided keys.
- Upload scripts exit non-zero on hash mismatch to prevent pushing corrupted artefacts.
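The two local checks above (outer tar hash, then the inner SHA list) and the deterministic `tar` flags in the Notes can be exercised end to end on constructed sample data. The script below is an added example, not one of the repository's `tools/` scripts: it assumes GNU `tar`, `sha256sum` and `find`, a `SHA256SUMS` file at the root of the tar as the "inner SHA list" (the real bundles' inner layout is not described on this page), and builds its own sample tree under `mktemp`. It shows that a rebuild after an mtime change yields byte-identical output, that a good bundle verifies, that a malformed expected digest is rejected before anything is extracted, and that a bundle whose file was edited after the SHA list was written fails the inner check.

```shell
#!/usr/bin/env bash
# Added example (not a StellaOps tools/ script): build a deterministic evidence
# tar from a constructed sample tree, then verify it the way the handoff
# describes: outer sha256 against an expected value, then the inner SHA list.
set -euo pipefail

# Deterministic packaging flags exactly as listed in the Notes section.
TAR_DET_FLAGS=(--sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner)

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Write SHA256SUMS covering every file under $1 (stable sorted order), then pack
# the tree into $2. Two runs over identical content produce identical bytes.
build_evidence_tar() {
  local src="$1" out="$2"
  ( cd "$src" && find . -type f ! -name SHA256SUMS -print0 \
      | LC_ALL=C sort -z | xargs -0 sha256sum > SHA256SUMS )
  tar "${TAR_DET_FLAGS[@]}" -cf "$out" -C "$src" .
}

# Verify tar $1: expected outer digest $2 must be well-formed and match, then
# the inner SHA256SUMS must check out. Return codes:
#   0 ok, 1 outer hash mismatch, 2 inner list missing/mismatch, 3 bad expected value.
verify_evidence_tar() {
  local tar_path="$1" expected="$2" actual tmp
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "expected value is not a 64-hex-char sha256 digest: '$expected'" >&2
    return 3
  fi
  actual=$(sha256_of "$tar_path")
  if [ "$actual" != "$expected" ]; then
    echo "outer sha256 mismatch: got $actual, expected $expected" >&2
    return 1
  fi
  tmp=$(mktemp -d)
  tar -xf "$tar_path" -C "$tmp"
  if ! ( cd "$tmp" && [ -f SHA256SUMS ] && sha256sum --quiet -c SHA256SUMS ); then
    rm -rf "$tmp"
    echo "inner SHA256SUMS check failed for $tar_path" >&2
    return 2
  fi
  rm -rf "$tmp"
}

# Round trip over constructed sample data. Returns 0 only if all three hold:
# rebuild after an mtime change is byte-identical, the good bundle verifies,
# and a bundle edited after its SHA list was written is rejected with code 2.
demo_roundtrip() {
  local w rc=0
  w=$(mktemp -d)
  mkdir -p "$w/src/evidence"
  printf '{"sample":"constructed"}\n' > "$w/src/evidence/report.json"
  printf 'constructed log line\n'      > "$w/src/evidence/run.log"

  build_evidence_tar "$w/src" "$w/one.tar"
  touch -d '2020-01-01 00:00:00' "$w/src/evidence/report.json"   # mtime only
  build_evidence_tar "$w/src" "$w/two.tar"
  [ "$(sha256_of "$w/one.tar")" = "$(sha256_of "$w/two.tar")" ] || { rm -rf "$w"; return 10; }

  verify_evidence_tar "$w/one.tar" "$(sha256_of "$w/one.tar")" || { rm -rf "$w"; return 11; }

  mkdir "$w/bad" && tar -xf "$w/one.tar" -C "$w/bad"
  printf 'tampered after SHA list was written\n' > "$w/bad/evidence/run.log"
  tar "${TAR_DET_FLAGS[@]}" -cf "$w/bad.tar" -C "$w/bad" .
  verify_evidence_tar "$w/bad.tar" "$(sha256_of "$w/bad.tar")" >/dev/null 2>&1 || rc=$?
  rm -rf "$w"
  [ "$rc" -eq 2 ]
}

if demo_roundtrip; then
  echo "demo: determinism, verification and tamper-rejection checks passed"
else
  echo "demo: check failed (code $?)" >&2
  exit 1
fi
```

The digest-format check matters in practice: an expected value that is one character short (a copy-and-paste truncation) can never match a real sha256 and should be reported as a bad input rather than as a "corrupted artefact". Because the outer hash is checked before extraction, a mismatching tar is never unpacked, which mirrors the upload scripts' exit-non-zero-on-mismatch behaviour described in the Notes.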