Attestation Bundle Verification

Module

Attestor

Status

IMPLEMENTED

Description

Sigstore bundle verification with dedicated verifier and bundler services for validating attestation integrity.

Implementation Details

  • Sigstore Bundle Verifier: src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Verification/SigstoreBundleVerifier.cs -- verifies Sigstore bundles including signature validation and transparency log verification.
  • Bundle Verification Result: BundleVerificationResult.cs -- result model with pass/fail status and detailed error messages.
  • Sigstore Bundle Model: src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Models/SigstoreBundle.cs -- represents a Sigstore bundle with VerificationMaterial, TransparencyLogEntry, and InclusionProof.
  • Bundle Builder: src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Builder/SigstoreBundleBuilder.cs -- constructs Sigstore bundles from attestation components.
  • Bundle Serializer: src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Serialization/SigstoreBundleSerializer.cs -- JSON serialization/deserialization of Sigstore bundles.
  • Attestation Bundler: src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/AttestationBundler.cs -- high-level bundling service implementing IAttestationBundler. Aggregates multiple attestations into bundles.
  • Bundle Aggregator: IBundleAggregator.cs -- interface for aggregating attestations.
  • Bundle Store: IBundleStore.cs -- persistence interface for bundles.
  • Org Key Signing: Signing/KmsOrgKeySigner.cs -- signs bundles with organization-level KMS keys.
  • Verification Engine: src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs -- top-level verification engine that orchestrates bundle and attestation verification.
  • Tests: __Tests/StellaOps.Attestor.Bundle.Tests/SigstoreBundleVerifierTests.cs, SigstoreBundleBuilderTests.cs, SigstoreBundleSerializerTests.cs, __Tests/StellaOps.Attestor.Bundling.Tests/AttestationBundlerTests.cs

E2E Test Plan

  • Build a Sigstore bundle via SigstoreBundleBuilder with a signed attestation, inclusion proof, and verification material, then verify it via SigstoreBundleVerifier
  • Serialize a SigstoreBundle to JSON via SigstoreBundleSerializer, deserialize it back, and verify round-trip fidelity
  • Tamper with the inclusion proof in a bundle and verify SigstoreBundleVerifier returns a failed BundleVerificationResult with error details
  • Use AttestationBundler to aggregate 3+ attestations into a single bundle and verify the bundle contains all attestation entries
  • Sign a bundle with KmsOrgKeySigner and verify the org-level signature is present in the output
  • Run AttestorVerificationEngine against a valid bundle and verify all verification checks pass
  • Run AttestorVerificationEngine against a bundle with an invalid signature and verify it reports the specific check that failed