Offline Kit Import Verification Runbook
This runbook supports AIRGAP-MANIFEST-510-010/014. It validates bundle integrity before import, fully offline.
Inputs
- Manifest: offline-kit/manifest.json
- Bundle archive: e.g., offline-kit/bundle.tar.gz
- Optional DSSE/JWS signature + public key for the manifest.
Quick steps (offline)
src/AirGap/scripts/verify-manifest.sh offline-kit/manifest.json offline-kit/bundle.tar.gz \
offline-kit/manifest.sig offline-kit/manifest.pub.pem
What it does:
- Computes SHA-256 of manifest and bundle, compares with hashes.manifestSha256 and hashes.bundleSha256.
- If signature + pubkey are provided, verifies the manifest signature with OpenSSL.
Expected manifest fields
- tools[], feeds[], policies[] with SHA-256.
- chunks[] entries for every payload file (path, sha256, size, kind).
- stalenessWindowHours and avScan status.
- hashes.manifestSha256 and hashes.bundleSha256 must match the files on disk.
- Optional signatures[] (dsse/jws-detached) with envelopeDigest.
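The chunks[] entries above can also be checked file by file once the bundle is unpacked. The following is an added example, not the project's verify-manifest.sh, and it goes beyond the manifest and bundle hash comparison that script is described as doing. It assumes each chunk path is relative to the extraction directory and that size is in bytes; the sample manifest, file contents and kind values are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, bufsize=1 << 20):
    """Stream a file through SHA-256 so large payloads need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()

def verify_chunks(manifest, root):
    """Return a list of findings; an empty list means every chunk matched."""
    root = Path(root).resolve()
    findings = []
    for chunk in manifest.get("chunks", []):
        rel = chunk["path"]
        target = (root / rel).resolve()
        # Reject entries that resolve outside the extraction directory
        # (assumption: paths are relative to that directory).
        if not target.is_relative_to(root):
            findings.append(f"{rel}: path escapes extraction root")
        elif not target.is_file():
            findings.append(f"{rel}: missing")
        elif target.stat().st_size != chunk["size"]:
            findings.append(f"{rel}: size mismatch")
        elif sha256_file(target) != chunk["sha256"].lower():
            findings.append(f"{rel}: sha256 mismatch")
    return findings

def demo():
    """Constructed sample: one good chunk, one tampered, one traversal entry."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "kit"
        (root / "feeds").mkdir(parents=True)
        (root / "feeds/a.json").write_bytes(b'{"feed": 1}')
        (root / "feeds/b.json").write_bytes(b"tampered!!!")
        good = hashlib.sha256(b'{"feed": 1}').hexdigest()
        orig = hashlib.sha256(b"original!!!").hexdigest()
        manifest = {"chunks": [
            {"path": "feeds/a.json", "sha256": good, "size": 11, "kind": "feed"},
            {"path": "feeds/b.json", "sha256": orig, "size": 11, "kind": "feed"},
            {"path": "../outside.bin", "sha256": good, "size": 11, "kind": "tool"},
        ]}
        return verify_chunks(manifest, root)

if __name__ == "__main__":
    for line in demo():
        print("FAIL", line)
```

Any finding should be handled the same way as a hash mismatch under Failure handling: stop the import.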
Failure handling
- Hash mismatch → stop; regenerate bundle.
- Signature failure → stop; re-validate trust roots.
- Missing AV scan → treat as policy violation; rerun scans and update manifest.
Outputs
- Exit 0 when all checks pass.
- Exit 2–5 for missing tools/hash/signature verification issues (see script).
References
- Schema: docs/airgap/manifest.schema.json
- Sample: docs/airgap/samples/offline-kit-manifest.sample.json
- Script: src/AirGap/scripts/verify-manifest.sh